fix: prevent timing attacks with === [ES-71]#819

Merged
BobHemphill76 merged 1 commit into main from fix/es-71/prevent-sig-timing-attacks
Mar 24, 2026
Conversation

Contributor

@BobHemphill76 BobHemphill76 commented Mar 24, 2026

Support Ticket: https://contentful.atlassian.net/jira/servicedesk/projects/ES/queues/custom/5835/board/7168?selectedIssue=ES-71

Prevents timing attacks by swapping out === for crypto safeString comparison.

Summary by Bito

This PR addresses a security vulnerability by implementing timing-safe string comparison to prevent timing attacks in request verification, as referenced in support ticket ES-71. It replaces the insecure `===` operator with a cryptographically secure constant-time comparison function.

Detailed Changes
  • Introduces timingSafeUtf8StringEqual function in timing-safe-string-equal.ts (CryptoModule) for constant-time string comparison to prevent timing attacks.
  • Replaces `signature === computedSignature` with timingSafeUtf8StringEqual in verify-request.ts to mitigate timing attack risks.
  • Adds comprehensive tests for the new timing-safe function in timing-safe-string-equal.spec.ts.
  • Adds test in verify-request.spec.ts to ensure signature length validation occurs before timing-safe comparison.

@BobHemphill76 BobHemphill76 requested a review from a team as a code owner March 24, 2026 16:34

bito-code-review bot commented Mar 24, 2026

Code Review Agent Run #b1be85

Actionable Suggestions - 0
Review Details
  • Files reviewed - 4 · Commit Range: a582bb4..a582bb4
    • src/requests/timing-safe-string-equal.spec.ts
    • src/requests/timing-safe-string-equal.ts
    • src/requests/verify-request.spec.ts
    • src/requests/verify-request.ts
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • Eslint (Linter) - ✔︎ Successful


Changelist by Bito

This pull request implements the following key changes.

Key Change: Bug Fix - Implement Timing-Safe String Comparison for Request Verification
Files Impacted: src/requests/timing-safe-string-equal.ts, src/requests/timing-safe-string-equal.spec.ts, src/requests/verify-request.ts, src/requests/verify-request.spec.ts
Summary: Introduces a timing-safe string equality function using crypto.timingSafeEqual and replaces the insecure === comparison in request verification to prevent timing attacks, with added tests for validation.


Impact Analysis by Bito

Interaction Diagram

sequenceDiagram
    participant API User
    participant verifyRequest as verifyRequest<br/>🔄 Updated | ●●○ Medium
    participant timingSafeUtf8StringEqual as timingSafeUtf8StringEqual<br/>🟩 Added | ●●● High
    participant textEncoder
    participant Crypto Module
    Note over verifyRequest: Validate timestamp and compute signature
    API User->>verifyRequest: verifyRequest(secret, request, ttl)
    verifyRequest->>verifyRequest: Check if request is expired
    verifyRequest->>timingSafeUtf8StringEqual: timingSafeUtf8StringEqual(signature, computedSignature)
    timingSafeUtf8StringEqual->>textEncoder: encode(a)
    textEncoder-->>timingSafeUtf8StringEqual: aBuf
    timingSafeUtf8StringEqual->>textEncoder: encode(b)
    textEncoder-->>timingSafeUtf8StringEqual: bBuf
    alt aBuf.length !== bBuf.length
        timingSafeUtf8StringEqual-->>timingSafeUtf8StringEqual: return false
    else
        timingSafeUtf8StringEqual->>Crypto Module: timingSafeEqual(aBuf, bBuf)
        Crypto Module-->>timingSafeUtf8StringEqual: result
    end
    timingSafeUtf8StringEqual-->>verifyRequest: result
    verifyRequest-->>API User: verification result

The merge request introduces timing-safe string comparison to enhance security in request verification. It adds the timingSafeUtf8StringEqual function for constant-time UTF-8 string comparison and updates verifyRequest to use this instead of standard equality. This prevents potential timing attacks while maintaining the same API interface.

Cross-Repository Impact Analysis
What Changed: Added timing-safe string comparison utility and updated request verification to use constant-time comparison instead of direct string equality.
Impact of Change: Downstream consumers of the @contentful/node-apps-toolkit library: request verification is now timing-attack resistant, improving security without breaking API compatibility.
Suggested Review Actions:
  • Verify that signature verification behavior remains functionally identical (same true/false outcomes) for valid inputs.
  • Confirm no performance regressions in request verification under load.
Code Paths Analyzed

Impact:
Introduces timing-safe comparison for request signature verification, preventing potential timing attacks by ensuring constant-time string equality checks.

Flow:
Incoming request → header normalization → signature extraction (validated to 64 chars) → compute expected signature → timing-safe comparison → return boolean.

Direct Changes (Diff Files):
• src/requests/timing-safe-string-equal.ts [1-13] — New utility function providing constant-time UTF-8 string comparison using crypto.timingSafeEqual.
• src/requests/timing-safe-string-equal.spec.ts [1-31] — Comprehensive unit tests for the timing-safe comparison function, covering equality, inequality, length differences, and case sensitivity.
• src/requests/verify-request.ts [13,87] — Imported timing-safe utility and replaced direct string equality (signature === computedSignature) with timingSafeUtf8StringEqual for secure comparison.
• src/requests/verify-request.spec.ts [60-68] — Added test case to verify that signatures with incorrect length (not 64) throw an exception before timing-safe comparison.

Repository Impact:
Request verification module: Enhanced security of signature validation in verifyRequest function without changing public API.

Cross-Repository Dependencies:
None.

Database/Caching Impact:
None.

API Contract Violations:
None.

Infrastructure Dependencies:
None.

Additional Insights:
Security hardening: Addresses potential timing attack vulnerability in cryptographic signature verification by using constant-time comparison.

Testing Recommendations

Frontend Impact:
None.

Service Integration:
• Run integration tests for request verification with various signature lengths and values to ensure timing-safe behavior doesn't alter outcomes.
• Test verifyRequest function with malformed signatures to confirm early length validation prevents timing leaks.

Data Serialization:
None.

Privacy Compliance:
None.

Backward Compatibility:
• Verify that verifyRequest returns identical boolean results for all valid signature comparisons as before the change.
• Test edge cases like empty strings, unicode characters, and maximum length signatures in timingSafeUtf8StringEqual.

OAuth Functionality:
None.

Reliability Testing:
None.

Additional Insights:
• Execute full test suite (npm run test) to ensure no regressions in existing request verification logic.
• Perform timing analysis tests to confirm constant-time behavior of signature comparison under varying input conditions.

Analysis based on known dependency patterns and edges. Actual impact may vary.
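The comparison described in the PR description and in the Bito flow above (encode both strings as UTF-8, reject on a length mismatch, otherwise defer to crypto.timingSafeEqual), written out as an added TypeScript example that is not the toolkit's own code. `verifySignature` and `sign` are hypothetical callers that assume an HMAC-SHA256 hex signature (64 chars) and check the length before the constant-time compare, mirroring what the added verify-request test expects; the secret and message in the comments are constructed sample values.

```typescript
import { createHmac, timingSafeEqual } from 'crypto'
import { TextEncoder } from 'util'

// Constant-time equality of two strings via their UTF-8 encodings.
// crypto.timingSafeEqual throws on buffers of different length, so the
// length check must come first; returning false there is acceptable
// because the length of the expected signature is not secret.
function timingSafeUtf8StringEqual(a: string, b: string): boolean {
  const encoder = new TextEncoder()
  const aBuf = encoder.encode(a)
  const bBuf = encoder.encode(b)
  if (aBuf.length !== bBuf.length) {
    return false
  }
  return timingSafeEqual(aBuf, bBuf)
}

// The form the PR replaces, kept for contrast: === stops at the first
// differing character, so its running time depends on how long the
// common prefix with the expected value is.
function unsafeEqual(a: string, b: string): boolean {
  return a === b
}

// Hypothetical signer (assumption, not the toolkit's scheme): HMAC-SHA256
// over the message, hex encoded, which is always 64 characters.
function sign(secret: string, message: string): string {
  return createHmac('sha256', secret).update(message).digest('hex')
}

// Hypothetical verifier: malformed signatures are rejected by length
// before any comparison happens, then the expected value is recomputed
// and compared in constant time.
function verifySignature(secret: string, message: string, signature: string): boolean {
  if (signature.length !== 64) {
    throw new Error('signature must be 64 hex characters')
  }
  const computed = sign(secret, message)
  return timingSafeUtf8StringEqual(signature, computed)
}

// Sample run with constructed values (secret and message are not real):
// sign('constructed-secret', 'GET /v1/items') -> 64-char hex string
// verifySignature(...) with that string -> true, with 'f'.repeat(64) -> false
```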

@BobHemphill76 BobHemphill76 merged commit d3503cb into main Mar 24, 2026
17 checks passed
@BobHemphill76 BobHemphill76 deleted the fix/es-71/prevent-sig-timing-attacks branch March 24, 2026 20:25
contentful-automation bot added a commit that referenced this pull request Mar 24, 2026
## [3.16.1](v3.16.0...v3.16.1) (2026-03-24)

### Bug Fixes

* prevent timing attacks with `===` [ES-71] ([#819](#819)) ([d3503cb](d3503cb))
Contributor

🎉 This PR is included in version 3.16.1 🎉

The release is available on:

Your semantic-release bot 📦🚀
