Skip to content

fix: remove early length exit from timingSafeEqStr#81

Open
bmersereau wants to merge 3 commits into
willchen96:mainfrom
bmersereau:fix/72-timing-safe-eq
Open

fix: remove early length exit from timingSafeEqStr#81
bmersereau wants to merge 3 commits into
willchen96:mainfrom
bmersereau:fix/72-timing-safe-eq

Conversation

@bmersereau
Copy link
Copy Markdown

@bmersereau bmersereau commented May 13, 2026

Summary

  • timingSafeEqStr returned false immediately when string lengths differed, before calling crypto.timingSafeEqual — violating the constant-time contract and creating a theoretical timing oracle
  • Fixed by always running the constant-time comparison first (on zero-padded buffers), then checking length equality afterward
  • In practice, all SHA-256 base64url signatures are 43 characters so this gap has no real exploit path for standard tokens; this is a defense-in-depth fix for the pattern

Closes #72

Changes

  • backend/src/lib/downloadTokens.ts — early length check removed; timingSafeEqStr now pads the shorter buffer and runs timingSafeEqual unconditionally before length verification; exported for testability
  • backend/src/lib/__tests__/timingSafeEq.test.ts — 5 unit tests

Test plan

  • Unit tests: equal strings, same-length mismatch, different-length mismatch, empty strings
  • Build and typecheck pass

Dshamir added a commit to Dshamir/AI-Legal that referenced this pull request May 24, 2026
@Dshamir @claude
fix(security): timing-safe HMAC, HKDF per-row salt, case-insensitive …
52f47ba 
…email

- downloadTokens: pad buffers to equal length before timingSafeEqual
  to eliminate length-oracle side channel (PR willchen96#81)
- keyRotation: add HKDF key derivation with random 16-byte per-row
  salt; existing rows without salt decrypt via legacy SHA-256 path;
  all new encryptions use HKDF (PR willchen96#76)
- projects: use case-insensitive comparison for shared_with email
  in GET /projects/:projectId, matching access.ts pattern (PR willchen96#79)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Dshamir added a commit to Dshamir/AI-Legal that referenced this pull request May 24, 2026
@Dshamir @claude
docs: update CHANGELOG, ROADMAP, CLAUDE.md, README for upstream PR in…
060a980 
…tegration

- CHANGELOG: add security hardening and feature entries for PRs willchen96#158,
  willchen96#81, willchen96#76, willchen96#79, willchen96#145, willchen96#112, willchen96#111, willchen96#110, willchen96#155, willchen96#157, willchen96#59
- ROADMAP: mark 12 new items as completed
- CLAUDE.md: add sanitize.ts, streamTimeout.ts, credits.ts to lib index,
  update test count to 40
- README: update API endpoints table (chat pagination, workflow export),
  security row (HKDF, RLS, prompt defense), encryption row

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Security][Low] Timing oracle in download token verification — early length exit before constant-time compare

1 participant

@bmersereau