
Commit 672b564

committed
more robust use of crypto.timingSafeEqual()
1 parent cff31d7 commit 672b564

1 file changed

Lines changed: 6 additions & 1 deletion


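--- a/github-webhook-handler.js
+++ b/github-webhook-handler.js
@@ -56,7 +56,12 @@ function create (initOptions) {
 }
 
 function verify (signature, data) {
-return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(sign(data)))
+const sig = Buffer.from(signature)
+const signed = Buffer.from(sign(data))
+if (sig.length !== signed.length) {
+return false
+}
+return crypto.timingSafeEqual(sig, signed)
 }
 
 function handler (req, res, callback) {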
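Review bot: The new length guard in `verify` is undocumented, and a reader may mistake the early `return false` for a timing leak. I would add above the `if`: `// timingSafeEqual throws on buffers of unequal byte length; the digest length is not secret, so bailing out early is safe`. That wording assumes `sign()` returns a fixed-format digest string, which is not visible in this hunk. Separately, `Buffer.from(signature)` still throws on a non-string value before the guard runs; `handler` continues outside the hunk, so confirm it only ever passes a string header, or add `if (typeof signature !== 'string') return false` as the first line of `verify`.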
