fix for issue #7

flint-bot · Apr 13, 2017 · 2ca296f · 2ca296f
1 parent 8842a59
commit 2ca296f
Showing 1 changed file with 26 additions and 1 deletion.
diff --git a/lib/res/webhooks.js b/lib/res/webhooks.js
@@ -10,6 +10,30 @@ const xor = function(a,b) {
   return (a || b) && !(a && b);
 };
 
+// timing safe string compare
+const cryptoTimingSafeEqualStr = function(a,b) {
+  if(typeof a === 'string' && typeof b === 'string') {
+    let buf_a;
+    let buf_b;
+
+    // check for Buffer.from() function (nodejs v5.10.0+)
+    if(typeof Buffer.from === 'function') {
+      buf_a = Buffer.from(a);
+      buf_b = Buffer.from(b);
+    }
+
+    // else, fall back to deprecated Buffer constructor method
+    else {
+      buf_a = new Buffer(a);
+      buf_b = new Buffer(b);
+    }
+
+    return crypto.timingSafeEqual(buf_a, buf_b);
+  } else {
+    return false;
+  }
+}
+
 /**
  * Webhook Object
  *
@@ -210,7 +234,8 @@ module.exports = function(Spark) {
       return when(strPayload)
         .then(pl => {
           hmac.update(pl);
-          if(sig === hmac.digest('hex')) {
+
+          if(cryptoTimingSafeEqualStr(sig, hmac.digest('hex'))) {
             return when(payload);
           } else {
             return when.reject(new Error('received an invalid payload'));