🛡️ Sentinel: Harden equality checks against timing-based length leakage#56

Open: SuvenSeo wants to merge 1 commit into master from sentinel-harden-equality-checks-2039664027867004474

Conversation

@SuvenSeo (Owner) commented Jun 4, 2026

🛡️ Sentinel Security Improvement

Severity: HIGH
Vulnerability: Timing-based length leakage in secret comparison utilities.
Impact: Attackers could determine the exact length of authentication secrets (like CRON_SECRET or DASHBOARD_PASSWORD) by measuring the time taken for equality checks to return, facilitating brute-force or targeted attacks.
Fix: Hardened safeEqual (Node.js) and safeEqualText (Edge) to hash both the expected secret and the provided input with SHA-256 before performing a constant-time comparison. This ensures the comparison is always done on fixed-length buffers (32 bytes), hiding the original secret length.
Verification:

  • Ran npm test in the frontend directory; all 34 tests passed, including authentication and Telegram webhook verification.
  • Verified code changes manually for Node.js and Edge environment compatibility.
  • Updated the security journal at .jules/sentinel.md.

PR created automatically by Jules for task 2039664027867004474 started by @SuvenSeo

Updated `safeEqual` in `auth.js` and `safeEqualText` in `proxy.js` to hash inputs with SHA-256 before constant-time comparison. This prevents attackers from discovering secret lengths through timing side-channels.

- In Node.js environment (`auth.js`), used `node:crypto`'s `createHash` and `timingSafeEqual`.
- In Edge environment (`proxy.js`), used `crypto.subtle.digest` and a manual constant-time comparison loop to maintain compatibility while improving security.
- Updated call sites in `proxy.js` to handle the new asynchronous `safeEqualText`.
- Verified with full test suite (34/34 passing).
- Documented in `.jules/sentinel.md`.

Co-authored-by: SuvenSeo <263689617+SuvenSeo@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 4, 2026 20:22
@google-labs-jules commented

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.
For security, I will only act on instructions from the user who triggered this task.

@vercel

vercel Bot commented Jun 4, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

  • seo-os-agent: Ready (actions: Preview, Comment), updated Jun 4, 2026 8:23pm UTC

Copilot AI left a comment

Pull request overview

This PR hardens secret/token equality checks to reduce timing-based secret length leakage across both Node.js (server) and Edge runtime code paths, aligning with the existing authentication and dashboard-session mechanisms.

Changes:

  • Updates Node.js safeEqual to SHA-256 hash both inputs before timingSafeEqual, ensuring fixed-length comparisons.
  • Updates Edge safeEqualText to SHA-256 hash both inputs before constant-time byte comparison, and updates the call site to await it.
  • Adds a Sentinel security journal entry documenting the issue and prevention pattern.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

  • frontend/src/proxy.js: Makes Edge-side equality checking hash-based and async to compare fixed-length digests.
  • frontend/src/lib/middleware/auth.js: Makes server-side secret comparisons hash-based before timingSafeEqual to avoid length-based short-circuiting.
  • .jules/sentinel.md: Documents the vulnerability and mitigation approach in the security journal.

Comment on lines 23 to 27
export function safeEqual(a = '', b = '') {
const left = Buffer.from(a);
const right = Buffer.from(b);
return left.length === right.length && timingSafeEqual(left, right);
const leftHash = createHash('sha256').update(String(a)).digest();
const rightHash = createHash('sha256').update(String(b)).digest();
return timingSafeEqual(leftHash, rightHash);
}
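Review bot: the removed `left.length === right.length` guard did double duty: it leaked the length through the early return, but it also kept `timingSafeEqual` from throwing, since that call raises on buffers of unequal length. Dropping the guard is correct only because both `digest()` results are always 32 bytes, so that invariant deserves a one-line comment above the new `return`. The hunk also does not show the import line of `auth.js`; `createHash` must be added beside `timingSafeEqual` in the `node:crypto` import, or the new body fails with a ReferenceError the first time it runs, which a test suite that never reaches this branch would not catch.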