fix: Must check length before passing to timingSafeEqual

Tom Moor
2022-07-09 11:19:40 +02:00
parent 32b7a7df00
commit 2893924e9a
2 changed files with 3 additions and 0 deletions


@@ -15,6 +15,8 @@ const cronHandler = async (ctx: Context) => {
const { token, limit = 500 } = ctx.body as { token?: string; limit: number }; const { token, limit = 500 } = ctx.body as { token?: string; limit: number };
if ( if (
!token ||
token.length !== env.UTILS_SECRET.length ||
!crypto.timingSafeEqual( !crypto.timingSafeEqual(
Buffer.from(env.UTILS_SECRET), Buffer.from(env.UTILS_SECRET),
Buffer.from(String(token)) Buffer.from(String(token))
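Review bot: The added guard `token.length !== env.UTILS_SECRET.length` compares string lengths in UTF-16 code units, but `crypto.timingSafeEqual` throws when the two buffers differ in byte length, so a token containing multi-byte characters can pass the guard and still raise an exception instead of being rejected. In this hunk the guard also reads `.length` on the raw body value while the comparison uses `String(token)`; `ctx.body as { token?: string; ... }` is only a compile-time assertion, so a non-string JSON value may have a matching `length` and a different string form. Comparing the encoded buffers closes both gaps: build `const expected = Buffer.from(env.UTILS_SECRET);` and `const given = Buffer.from(typeof token === "string" ? token : "");`, then test `given.length !== expected.length || !crypto.timingSafeEqual(expected, given)`. The same string-length guard is added in `verifySlackToken` in the second file and has the byte-length problem as well. The `if` statement continues past the lines shown here.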


@@ -28,6 +28,7 @@ function verifySlackToken(token: string) {
} }
if ( if (
token.length !== env.SLACK_VERIFICATION_TOKEN.length ||
!crypto.timingSafeEqual( !crypto.timingSafeEqual(
Buffer.from(env.SLACK_VERIFICATION_TOKEN), Buffer.from(env.SLACK_VERIFICATION_TOKEN),
Buffer.from(token) Buffer.from(token)