fix[faustwp]: (#2310) use hash_equals for secret key comparison (#2312)

latenighthackathon · web-flow · commit 5d73ec86b4af · 2026-05-13T16:13:42.000Z
Replace timing-vulnerable === comparisons with hash_equals() for the shared secret key in rest_authorize_permission_callback(), wpac_authorize_permission_callback(), and filter_introspection(). The codebase already uses hash_equals() for HMAC validation in auth/functions.php — these three spots were missed. Also sanitize the $_SERVER['HTTP_X_FAUST_SECRET'] superglobal with wp_unslash() and sanitize_text_field() per WordPress coding standards before passing to hash_equals(). Split out from #2312 per @josephfusco review feedback — the blockset cleanup half moves to a separate PR so each half can be reviewed and reverted independently. Co-authored-by: latenighthackathon <latenighthackathon@users.noreply.github.com>
diff --git a/.changeset/hash-equals-secret-comparison.md b/.changeset/hash-equals-secret-comparison.md
@@ -0,0 +1,5 @@
+---
+"@faustwp/wordpress-plugin": patch
+---
+
+fix[faustwp]: use hash_equals() for constant-time secret key comparison in REST and GraphQL permission callbacks
diff --git a/plugins/faustwp/includes/graphql/callbacks.php b/plugins/faustwp/includes/graphql/callbacks.php
@@ -66,8 +66,9 @@ function filter_introspection( $value, $default_value, $option_name, $section_fi
 		return $value;
 	}
 
-	$secret_key = get_secret_key();
-	if ( $secret_key !== $_SERVER['HTTP_X_FAUST_SECRET'] ) {
+	$secret_key   = get_secret_key();
+	$faust_secret = sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_FAUST_SECRET'] ) );
+	if ( ! hash_equals( $secret_key, $faust_secret ) ) {
 		return $value;
 	}
 
diff --git a/plugins/faustwp/includes/rest/callbacks.php b/plugins/faustwp/includes/rest/callbacks.php
@@ -419,7 +419,7 @@ function rest_authorize_permission_callback( \WP_REST_Request $request ) {
 	$header_key = $request->get_header( 'x-faustwp-secret' );
 
 	if ( $secret_key && $header_key ) {
-		return $secret_key === $header_key;
+		return hash_equals( $secret_key, $header_key );
 	}
 
 	return false;
@@ -444,7 +444,7 @@ function wpac_authorize_permission_callback( \WP_REST_Request $request ) {
 	$header_key = $request->get_header( 'x-wpe-headless-secret' );
 
 	if ( $secret_key && $header_key ) {
-		return $secret_key === $header_key;
+		return hash_equals( $secret_key, $header_key );
 	}
 
 	return false;

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"@faustwp/wordpress-plugin": patch
 +---
++
 +fix[faustwp]: use hash_equals() for constant-time secret key comparison in REST and GraphQL permission callbacks
Original file line number	Diff line number	Diff line change
`@@ -66,8 +66,9 @@ function filter_introspection( $value, $default_value, $option_name, $section_fi`
`66`	`66`	`return $value;`
`67`	`67`	`}`
`68`	`68`
`69`		`- $secret_key = get_secret_key();`
`70`		`- if ( $secret_key !== $_SERVER['HTTP_X_FAUST_SECRET'] ) {`
	`69`	`+ $secret_key = get_secret_key();`
	`70`	`+ $faust_secret = sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_FAUST_SECRET'] ) );`
	`71`	`+ if ( ! hash_equals( $secret_key, $faust_secret ) ) {`
`71`	`72`	`return $value;`
`72`	`73`	`}`
`73`	`74`
Original file line number	Diff line number	Diff line change
`@@ -419,7 +419,7 @@ function rest_authorize_permission_callback( \WP_REST_Request $request ) {`
`419`	`419`	`$header_key = $request->get_header( 'x-faustwp-secret' );`
`420`	`420`
`421`	`421`	`if ( $secret_key && $header_key ) {`
`422`		`- return $secret_key === $header_key;`
	`422`	`+ return hash_equals( $secret_key, $header_key );`
`423`	`423`	`}`
`424`	`424`
`425`	`425`	`return false;`
`@@ -444,7 +444,7 @@ function wpac_authorize_permission_callback( \WP_REST_Request $request ) {`
`444`	`444`	`$header_key = $request->get_header( 'x-wpe-headless-secret' );`
`445`	`445`
`446`	`446`	`if ( $secret_key && $header_key ) {`
`447`		`- return $secret_key === $header_key;`
	`447`	`+ return hash_equals( $secret_key, $header_key );`
`448`	`448`	`}`
`449`	`449`
`450`	`450`	`return false;`