From 2893924e9a9c4d9b33417c10da3203dd7172db23 Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Sat, 9 Jul 2022 11:19:40 +0200
Subject: [PATCH] fix: Must check length before passing to timingSafeEqual

---
 server/routes/api/cron.ts | 2 ++
 server/routes/api/hooks.ts | 1 +
 2 files changed, 3 insertions(+)

diff --git a/server/routes/api/cron.ts b/server/routes/api/cron.ts
index 1d4a67b40..2b5fc67da 100644
--- a/server/routes/api/cron.ts
+++ b/server/routes/api/cron.ts
@@ -15,6 +15,8 @@ const cronHandler = async (ctx: Context) => {
   const { token, limit = 500 } = ctx.body as { token?: string; limit: number };
 
   if (
+    !token ||
+    token.length !== env.UTILS_SECRET.length ||
     !crypto.timingSafeEqual(
       Buffer.from(env.UTILS_SECRET),
       Buffer.from(String(token))
diff --git a/server/routes/api/hooks.ts b/server/routes/api/hooks.ts
index 28622a034..622714431 100644
--- a/server/routes/api/hooks.ts
+++ b/server/routes/api/hooks.ts
@@ -28,6 +28,7 @@ function verifySlackToken(token: string) {
   }
 
   if (
+    token.length !== env.SLACK_VERIFICATION_TOKEN.length ||
     !crypto.timingSafeEqual(
       Buffer.from(env.SLACK_VERIFICATION_TOKEN),
       Buffer.from(token)
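Review bot: The length guard added in cron.ts compares UTF-16 code-unit counts (`token.length`, `env.UTILS_SECRET.length`) while `crypto.timingSafeEqual` is handed UTF-8 `Buffer`s, so a token whose code-unit count matches the secret but contains multi-byte characters still yields buffers of unequal byte length and the call throws a RangeError instead of the request being rejected; the hooks.ts hunk has the same gap. Comparing byte lengths closes it: `Buffer.byteLength(token) !== Buffer.byteLength(env.UTILS_SECRET) ||` (and likewise with `SLACK_VERIFICATION_TOKEN`), or build the two buffers once and compare their `.length` before passing them in. With `!token` now narrowing `token` to `string`, the `String(token)` wrapper on the last context line is redundant and could become `Buffer.from(token)` to match hooks.ts. A short comment above the guard would help the next reader, e.g. `// timingSafeEqual throws on unequal lengths, so compare byte length first`. Both `if` conditions continue past the end of their hunks, and cronHandler and verifySlackToken end outside them.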