Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,6 @@
"https-proxy-agent": "^5.0.0",
"jsonwebtoken": "^9.0.3",
"qs": "^6.14.1",
"scmp": "^2.1.0",
"xmlbuilder": "^13.0.2"
},
"devDependencies": {
Expand Down
20 changes: 17 additions & 3 deletions src/webhooks/webhooks.ts
Original file line number Diff line number Diff line change
@@ -1,4 +1,3 @@
const scmp = require("scmp");
import crypto from "crypto";
import urllib from "url";
import { IncomingHttpHeaders } from "http2";
Expand Down Expand Up @@ -257,15 +256,30 @@ function validateSignatureWithUrl(
params
);

return scmp(Buffer.from(twilioHeader), Buffer.from(signatureWithoutPort));
return timingSafeEqual(
Buffer.from(twilioHeader),
Buffer.from(signatureWithoutPort)
);
}

export function validateBody(
body: string,
bodyHash: any[] | string | Buffer
): boolean {
var expectedHash = getExpectedBodyHash(body);
return scmp(Buffer.from(bodyHash), Buffer.from(expectedHash));
return timingSafeEqual(Buffer.from(bodyHash), Buffer.from(expectedHash));
}

function timingSafeEqual(userValue: Buffer, secretValue: Buffer) {
// Do not return early when lengths differ — that leaks the secret's
// length through timing. Instead, always perform a constant-time
// comparison: when the lengths match compare directly; otherwise
// compare the user input against itself (always true) and negate.
// Source: https://developers.cloudflare.com/workers/examples/protect-against-timing-attacks/
const lengthsMatch = userValue.length === secretValue.length;
return lengthsMatch
? crypto.timingSafeEqual(userValue, secretValue)
: !crypto.timingSafeEqual(userValue, userValue);
}

/**
Expand Down
Loading