🔒 [security] Fix timing attack vulnerabilities in IPFS upload and admin routes #96

Open: scobru wants to merge 1 commit into main from fix-timing-attack-ipfs-upload-6069315999008562488
@scobru (Owner) commented Apr 22, 2026

🎯 What: The vulnerability fixed is a timing attack vulnerability in various authentication checks for the relay server's admin password.

⚠️ Risk: Left unfixed, an attacker could measure the time taken for authentication requests to determine how many characters of their guess match the actual ADMIN_PASSWORD, allowing them to brute-force the password in linear time (O(N)) instead of exponential time (O(CHARSET^N)). This would grant them full administrative access to the relay.

🛡️ Solution: The fix replaces all direct string comparisons of the admin password with a timing-safe pattern:

  1. Both the user-provided token and the actual admin password are hashed using SHA-256. This ensures both inputs have the same length (64 characters in hex) and masks the true length of the password.
  2. The hashes are compared using secureCompare (which uses crypto.timingSafeEqual), ensuring the comparison takes the same amount of time regardless of how many characters match.

This pattern was applied to the IPFS upload routes, the GunDB message validation, the static route protection middleware, and the IPFS API proxy authentication. All modified files now import secureCompare and hashToken from relay/src/utils/security.ts.


PR created automatically by Jules for task 6069315999008562488 started by @scobru
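
An added example of the hash-then-compare pattern the description outlines, next to the `===` check it replaces. It is not the project's code: `sha256`, `constantTimeEqual`, `isAdmin`, `isAdminNaive` and the sample password are hypothetical names and values, and the real `hashToken` and `secureCompare` in relay/src/utils/security.ts are not shown on this page.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Hypothetical stand-in for hashToken: SHA-256 maps any input to a fixed-size
// digest (32 raw bytes, i.e. the 64 hex characters the description mentions).
function sha256(value: string) {
  return createHash("sha256").update(value, "utf8").digest();
}

// Hypothetical stand-in for secureCompare. Node's timingSafeEqual throws when
// the inputs differ in length, so guard first; digests always pass the guard.
function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {
  if (a.length !== b.length) return false;
  return timingSafeEqual(a, b);
}

// "Before": === may return at the first differing character, and it also
// matches when both the header and the configured password are undefined.
function isAdminNaive(token: unknown, adminPassword: string | undefined): boolean {
  return token === adminPassword;
}

// "After": hash both sides, then compare the digests in constant time.
function isAdmin(token: unknown, adminPassword: string | undefined): boolean {
  // Fail closed: a missing token or an unset password never authenticates,
  // otherwise sha256("") on both sides would compare equal.
  if (typeof token !== "string" || token.length === 0) return false;
  if (!adminPassword) return false;
  return constantTimeEqual(sha256(token), sha256(adminPassword));
}

// Constructed sample value, not a real credential.
const SAMPLE_PASSWORD = "correct-horse-battery-staple";
console.log("exact match:", isAdmin(SAMPLE_PASSWORD, SAMPLE_PASSWORD));
console.log("prefix guess:", isAdmin("correct-horse", SAMPLE_PASSWORD));
console.log("both unset, naive:", isAdminNaive(undefined, undefined));
console.log("both unset, hardened:", isAdmin(undefined, undefined));
```

The fail-closed guards matter as much as the constant-time compare: without them, an unset admin password and an absent token hash to the same digest.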

…routes

Replaced direct string comparisons (===) with timing-safe comparison logic using hashing and crypto.timingSafeEqual. This prevents attackers from brute-forcing the admin password by measuring response times.

Modified files:
- relay/src/routes/ipfs/upload.ts
- relay/src/routes/ipfs/upload-directory.ts
- relay/src/utils/relay-user.ts
- relay/src/index.ts
- relay/src/routes/index.ts

Co-authored-by: scobru <1079164+scobru@users.noreply.github.com>

@google-labs-jules (Contributor)

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.
