sast: remove JWT, and time-safe secret comparisons
Observable timing discrepancy
The application was found comparing security-sensitive values (shared secrets, tokens) with one of the operators `===`, `!==`, `==` or `!=`. These string comparisons are not constant time: they return as soon as the first mismatching character is found, so the time taken depends on how long a prefix of the attacker-supplied string matches the expected value. An adversary who can measure those small timing differences over many requests can recover the expected value one character at a time, which is far cheaper than a blind brute-force of the whole string.
Found at:
- src/modules/mailman/mailman-auth.guard.ts:14
- src/modules/mailman/mailman-auth.guard.ts:17
- src/modules/auth/jwt-auth.guard.ts:20
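The vulnerable pattern beside a hardened replacement, as an added example (this is not the guards' own code from the repository). The expected token, the `x-mailman-token` header name and the minimal request shape are assumptions made for the illustration. The hardened form hashes both sides to a fixed-length digest before calling Node's `crypto.timingSafeEqual`, because that function throws when its inputs differ in length, and an explicit length check before it would itself leak the length of the secret.

```typescript
import { createHash, timingSafeEqual } from "crypto";

// Vulnerable form: `===` stops at the first differing character, so the time
// it takes depends on how much of the secret the caller has already guessed.
export function isValidTokenUnsafe(presented: string, expected: string): boolean {
  return presented === expected;
}

// Hardened form: reduce both values to a fixed-length SHA-256 digest and
// compare the digests in constant time. Hashing first means timingSafeEqual
// never sees buffers of different length (it would throw), and the comparison
// time no longer depends on where the two inputs diverge.
export function isValidToken(presented: string, expected: string): boolean {
  const a = createHash("sha256").update(presented, "utf8").digest();
  const b = createHash("sha256").update(expected, "utf8").digest();
  return timingSafeEqual(a, b);
}

// How a guard would use it. `req` is a minimal constructed request shape and
// "x-mailman-token" is an assumed header name, not a type or header from the
// project.
export function checkMailmanHeader(
  req: { headers: Record<string, string | undefined> },
  expectedToken: string,
): boolean {
  const presented = req.headers["x-mailman-token"];
  // A missing header is rejected without touching the secret at all.
  if (typeof presented !== "string") {
    return false;
  }
  return isValidToken(presented, expectedToken);
}
```

The same replacement applies to the JWT guard: any place a caller-supplied string is checked against a stored secret should go through `isValidToken` rather than `===`. Note that `timingSafeEqual` only removes the timing channel of the comparison itself; the hashing keeps its length precondition from turning into a second channel.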
For more information on constant time comparison see: