Bug: Bridge API admin key comparison is timing-unsafe (key != expected) #5000

@508704820

Bug: Timing-unsafe admin key comparison in bridge API

Severity: MEDIUM (CWE-208: Observable Timing Discrepancy)

Description

bridge/bridge_api.py uses a direct string comparison for admin key authentication:

from functools import wraps
from flask import request, jsonify

# BRIDGE_ADMIN_KEY is the module-level configured admin key (set elsewhere in bridge_api.py)

def _require_admin(fn):
    @wraps(fn)
    def wrapper(*args, **kwargs):
        key = request.headers.get("X-Admin-Key", "")
        if not BRIDGE_ADMIN_KEY:
            return jsonify({"error": "admin key not configured on server"}), 500
        if key != BRIDGE_ADMIN_KEY:  # ← TIMING-UNSAFE!
            return jsonify({"error": "unauthorized"}), 403
        return fn(*args, **kwargs)
    return wrapper

Impact

  1. Timing attack: The != comparison returns early at the first differing character, enabling an attacker to determine the key character-by-character by measuring response times
  2. Key recovery: With enough requests, the entire admin key can be reconstructed
  3. 500 error info leak: Returning 500 when key not configured reveals server configuration to attackers

Suggested Fix

import hmac

if not hmac.compare_digest(key, BRIDGE_ADMIN_KEY):
    return jsonify({"error": "unauthorized"}), 403
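Added example (not code from the bridge project): a framework-free version of the hardened check. It hashes both sides before hmac.compare_digest so the compared byte strings always have equal length (the str form of compare_digest also raises TypeError on non-ASCII input, which encoding avoids), and it answers the unconfigured-key case with the same generic 403 as a wrong key, covering impact 3 above which the suggested fix alone does not. The names admin_key_matches and check_admin_request are hypothetical helpers.

```python
import hashlib
import hmac
from typing import Mapping, Optional, Tuple


def admin_key_matches(presented: Optional[str], expected: Optional[str]) -> bool:
    """Constant-time check of a presented admin key against the configured one.

    Both values are hashed with SHA-256 before hmac.compare_digest, so the
    comparison always runs over two equal-length byte strings: no early exit
    on the first differing character and no length difference to observe.
    Encoding to bytes also avoids the TypeError that compare_digest raises
    for non-ASCII str arguments.
    """
    if not expected or presented is None:
        return False
    a = hashlib.sha256(presented.encode("utf-8")).digest()
    b = hashlib.sha256(expected.encode("utf-8")).digest()
    return hmac.compare_digest(a, b)


def check_admin_request(headers: Mapping[str, str],
                        configured_key: Optional[str]) -> Tuple[int, dict]:
    """Hypothetical, framework-free equivalent of the _require_admin decision.

    Returns (status, body). Unlike the current code, an unconfigured key is
    answered with the same generic 403 as a wrong key, so a client cannot tell
    the two cases apart; log the misconfiguration server-side instead.
    """
    presented = headers.get("X-Admin-Key", "")
    if not configured_key:
        # Operator-facing only, e.g. log.error("BRIDGE_ADMIN_KEY not configured")
        return 403, {"error": "unauthorized"}
    if not admin_key_matches(presented, configured_key):
        return 403, {"error": "unauthorized"}
    return 200, {"ok": True}


if __name__ == "__main__":
    KEY = "example-admin-key-not-real"  # constructed sample value
    print(check_admin_request({"X-Admin-Key": KEY}, KEY))    # (200, {'ok': True})
    print(check_admin_request({"X-Admin-Key": "wrong"}, KEY))  # (403, {'error': 'unauthorized'})
    print(check_admin_request({}, None))                       # (403, {'error': 'unauthorized'})
```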

Wallet: RTC9d7caca3039130d3b26d41f7343d8f4ef4592360
