
sast: remove JWT, and time-safe secret comparisons

Fabio M requested to merge sast-issues into main

Observable timing discrepancy

The application was found executing string comparisons using one of ===, !==, == or != against security-sensitive values. String comparisons like this are not constant time, meaning the first character found not to match in the two strings will immediately exit the conditional statement. This allows an adversary to calculate or observe small timing differences depending on the strings passed to this comparison. This potentially gives an adversary the ability to brute force a string that will match the expected value by monitoring different character values.

Found at:

  • src/modules/mailman/mailman-auth.guard.ts:14
  • src/modules/mailman/mailman-auth.guard.ts:17
  • src/modules/auth/jwt-auth.guard.ts:20

For more information on constant-time comparison see:

Edited by Fabio M
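The finding above, worked through as an added example (this is not code from the merge request or from the project). It models the early-exit behaviour of `===` on a shared secret, runs a character-by-character recovery against that oracle to show why the leak matters, shows the same attack failing against a comparison whose work does not depend on the data, and ends with the hardened check a guard would actually use: Node's `crypto.timingSafeEqual` over SHA-256 digests, which sidesteps its same-length requirement. The secret, the alphabet and the `steps` counter standing in for elapsed time are constructed for the example; the comparison models are illustrative and go beyond the three flagged lines in the description.

```typescript
import { createHash, timingSafeEqual } from "crypto";

export type CompareResult = { equal: boolean; steps: number };

// Model of what `===` does on two strings: walk them together and return at the
// first differing character. `steps` stands in for elapsed time; it is exactly
// the information a timing side channel leaks (matching prefix length + 1).
export function earlyExitCompare(a: string, b: string): CompareResult {
  if (a.length !== b.length) return { equal: false, steps: 0 };
  let steps = 0;
  for (let i = 0; i < a.length; i++) {
    steps++;
    if (a.charCodeAt(i) !== b.charCodeAt(i)) return { equal: false, steps };
  }
  return { equal: true, steps };
}

// Model of a constant-time comparison: every character is visited and differences
// are OR-accumulated, so control flow (and therefore time) never depends on where
// the first mismatch sits. Length is still assumed equal here; the real check
// below removes that assumption by hashing.
export function constantTimeCompare(a: string, b: string): CompareResult {
  if (a.length !== b.length) return { equal: false, steps: 0 };
  let diff = 0;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return { equal: diff === 0, steps: a.length };
}

// Attacker against a comparison oracle: for each position try every alphabet
// character, padded to the secret's length, and keep the candidate whose
// comparison ran furthest. A full match is scored highest because it is
// observable anyway (the request succeeds). Against an early-exit oracle this
// costs secretLength * alphabet.length queries instead of alphabet.length ** secretLength.
export function recoverSecretViaTiming(
  oracle: (guess: string) => CompareResult,
  secretLength: number,
  alphabet: string,
): { recovered: string; queries: number } {
  let known = "";
  let queries = 0;
  for (let pos = 0; pos < secretLength; pos++) {
    let best = "";
    let bestScore = -1;
    for (let k = 0; k < alphabet.length; k++) {
      const c = alphabet.charAt(k);
      const guess = (known + c).padEnd(secretLength, "\0"); // assumes the secret contains no NUL
      const r = oracle(guess);
      queries++;
      const score = r.equal ? r.steps + 1 : r.steps;
      if (score > bestScore) {
        bestScore = score;
        best = c;
      }
    }
    known += best;
  }
  return { recovered: known, queries };
}

// The hardened check for a guard. timingSafeEqual throws if the two buffers differ
// in byte length, and an early length check would itself leak the secret's length,
// so both sides are reduced to fixed-size SHA-256 digests before comparing.
export function secretMatches(presented: string, expected: string): boolean {
  const a = createHash("sha256").update(presented, "utf8").digest();
  const b = createHash("sha256").update(expected, "utf8").digest();
  return timingSafeEqual(a, b);
}

// Constructed values for a stand-alone run; a real guard reads its secret from config.
export const SAMPLE_SECRET = "w3bh00k-t0ken";
export const SAMPLE_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-";

export function demo(): { leaky: string; leakyQueries: number; constant: string } {
  const leaky = recoverSecretViaTiming((g) => earlyExitCompare(g, SAMPLE_SECRET), SAMPLE_SECRET.length, SAMPLE_ALPHABET);
  const constant = recoverSecretViaTiming((g) => constantTimeCompare(g, SAMPLE_SECRET), SAMPLE_SECRET.length, SAMPLE_ALPHABET);
  return { leaky: leaky.recovered, leakyQueries: leaky.queries, constant: constant.recovered };
}

console.log(demo());
```

Against the early-exit model the attacker recovers the 13-character secret in 13 * 37 queries; against the constant-time model every wrong guess scores the same, so it learns nothing and ends up with the first alphabet character in every position. `secretMatches` is what replaces an `===` in the guards: hashing first keeps `timingSafeEqual` from throwing on a short or long presented token while still rejecting it.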
