fix: use constant-time comparison for auth credentials (CWE-208) #788

Open
spidershield-contrib wants to merge 1 commit into un:main from spidershield-contrib:fix/cwe-208-timing-safe-comparison

@spidershield-contrib

Summary

Fixes #787 — replaces timing-vulnerable === comparison with constant-time timingSafeEqual via SHA-256 digest in two service auth checks.

Changes

  • ee/apps/billing/app.ts: Replace authToken === env.BILLING_KEY with safeEqual()
  • apps/mail-bridge/app.ts: Replace authToken === env.MAILBRIDGE_KEY with safeEqual()
  • Add safeEqual() helper using crypto.createHash + crypto.timingSafeEqual
  • No behavioral change for valid authentication flows

CWE Reference

  • CWE-208: Observable Timing Discrepancy
  • Uses stdlib only (crypto) — no new dependencies

Found by SpiderShield security scanner

Replace direct === comparison with crypto.timingSafeEqual via SHA-256
digest in billing and mail-bridge auth to prevent timing-based
credential extraction attacks.

- billing/app.ts: BILLING_KEY comparison
- mail-bridge/app.ts: MAILBRIDGE_KEY comparison
- No behavioral change for valid authentication flows
- Uses stdlib only (crypto) — no new dependencies

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: spidershield-contrib <spidershield-contrib@users.noreply.github.com>

Development

Successfully merging this pull request may close these issues.

Security: timing-vulnerable credential comparison in billing and mail-bridge (CWE-208)

1 participant