Skip to content

fix: use constant-time comparison for auth token (CWE-208)#310

Open
spidershield-contrib wants to merge 1 commit intodjyde:masterfrom
spidershield-contrib:fix/cwe-208-timing-safe-comparison
Open

fix: use constant-time comparison for auth token (CWE-208)#310
spidershield-contrib wants to merge 1 commit intodjyde:masterfrom
spidershield-contrib:fix/cwe-208-timing-safe-comparison

Conversation

@spidershield-contrib
Copy link
Copy Markdown

@spidershield-contrib spidershield-contrib commented Apr 3, 2026

Summary

Fixes #306 — replaces timing-vulnerable === comparison with constant-time timingSafeEqual.

Changes

  • Replace direct string comparison with constant-time comparison for admin password
  • No behavioral change for valid authentication flows

CWE Reference

  • CWE-208: Observable Timing Discrepancy
  • Uses stdlib only (crypto) — no new dependencies

Found by SpiderShield security scanner

@teehooai teehooai mentioned this pull request Apr 3, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Security: timing attack in auth token comparison (CWE-208)

1 participant

@spidershield-contrib