
fix[worker]: use constant-time comparison for password verification #92

Open
ignaciojimenez wants to merge 1 commit into SharzyL:goshujin from ignaciojimenez:fix/timing-safe-password

@ignaciojimenez
Contributor

Summary

  • Add timingSafeEqual() helper to worker/common.ts using crypto.subtle.timingSafeEqual
  • Replace !== string comparisons with the new helper in all three password check locations:
    • worker/handlers/handleDelete.ts — paste deletion
    • worker/handlers/handleMPU.ts — multipart upload update
    • worker/handlers/handleWrite.ts — paste update
  • Prevents timing side-channel attacks that could leak password characters through response time differences
  • Behavior is identical — only the comparison method changes

Test plan

  • All existing password-related tests pass unchanged (basic.spec.ts, uploadOptions.spec.ts, mpu.spec.ts)
  • Correct password still grants access (update/delete)
  • Wrong password still returns 403
  • Missing password still returns 403
  • pnpm test passes

Replace string !== comparisons with crypto.subtle.timingSafeEqual for
paste password checks in delete, update, and MPU handlers. This prevents
timing side-channel attacks that could leak password characters.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
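
An added example, not code from this pull request (the diff is not shown on this page): one way a string password check can be built on `crypto.subtle.timingSafeEqual`, which requires both buffers to have the same byte length. The names `passwordsMatch`, `equalBytes` and `xorCompare` are hypothetical, and the XOR fallback is an assumption added so the block also runs on runtimes without the Workers extension.

```javascript
// Added example, not the PR's helper. All function names here are hypothetical.
const encoder = new TextEncoder();

// Portable fallback: XOR every byte pair and OR the results together, so the
// loop always runs to the end no matter where the first mismatch sits.
function xorCompare(a, b) {
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
  return diff === 0;
}

// Equal-length byte comparison: the Workers extension when the runtime has it,
// the fallback elsewhere (Node has no crypto.subtle.timingSafeEqual).
function equalBytes(a, b) {
  const subtle = globalThis.crypto?.subtle;
  return typeof subtle?.timingSafeEqual === "function"
    ? subtle.timingSafeEqual(a, b)
    : xorCompare(a, b);
}

function passwordsMatch(supplied, stored) {
  // A missing password is a mismatch (the handlers answer 403 in that case).
  if (typeof supplied !== "string" || typeof stored !== "string") return false;
  // Compare UTF-8 bytes, not UTF-16 code units.
  const a = encoder.encode(supplied);
  const b = encoder.encode(stored);
  // The native call needs equal-length buffers, so on a length mismatch
  // compare `a` with itself: similar work is done, result forced to false.
  return a.byteLength === b.byteLength ? equalBytes(a, b) : !equalBytes(a, a);
}
```

The length check still branches, so whether the two lengths match remains observable; only the position of the first differing byte is hidden.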