fix: use constant-time comparison for API key validation in ApiServer… #3697

Closed
memosr wants to merge 1 commit into NousResearch:main from memosr:patch-41

Conversation

@memosr (Contributor) commented Mar 29, 2026

…Adapter

_check_auth() compared the Bearer token with == which is not constant-time. An attacker with network access to the API server could measure response latency to enumerate the API key one character at a time (timing side-channel attack).

Fix uses hmac.compare_digest() which is guaranteed to run in constant time regardless of where the strings first differ.

What does this PR do?

Related Issue

Fixes #

Type of Change

  • 🐛 Bug fix (non-breaking change that fixes an issue)
  • ✨ New feature (non-breaking change that adds functionality)
  • 🔒 Security fix
  • 📝 Documentation update
  • ✅ Tests (adding or improving test coverage)
  • ♻️ Refactor (no behavior change)
  • 🎯 New skill (bundled or hub)

Changes Made

How to Test

Checklist

Code

  • I've read the Contributing Guide
  • My commit messages follow Conventional Commits (fix(scope):, feat(scope):, etc.)
  • I searched for existing PRs to make sure this isn't a duplicate
  • My PR contains only changes related to this fix/feature (no unrelated commits)
  • I've run pytest tests/ -q and all tests pass
  • I've added tests for my changes (required for bug fixes, strongly encouraged for features)
  • I've tested on my platform:

Documentation & Housekeeping

  • I've updated relevant documentation (README, docs/, docstrings) — or N/A
  • I've updated cli-config.yaml.example if I added/changed config keys — or N/A
  • I've updated CONTRIBUTING.md or AGENTS.md if I changed architecture or workflows — or N/A
  • I've considered cross-platform impact (Windows, macOS) per the compatibility guide — or N/A
  • I've updated tool descriptions/schemas if I changed tool behavior — or N/A

For New Skills

  • This skill is broadly useful to most users (if bundled) — see Contributing Guide
  • SKILL.md follows the standard format (frontmatter, trigger conditions, steps, pitfalls)
  • No external dependencies that aren't already available (prefer stdlib, curl, existing Hermes tools)
  • I've tested the skill end-to-end: hermes --toolsets skills -q "Use the X skill to do Y"

Screenshots / Logs
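Added illustration (not code from this PR or from the Hermes project) of the two checks the description contrasts: a Bearer-token check that compares with `==`, next to one that uses `hmac.compare_digest()`. The hardened version goes one step beyond the PR's description by SHA-256 hashing both values first, so that `compare_digest` always receives equal-length bytes and the length of the real key is not exposed; the key value and header parsing are constructed assumptions for this example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample key for this illustration only; a real server loads
# it from configuration or the environment.
API_KEY = "sk-example-0123456789abcdef"


def extract_bearer_token(authorization_header: Optional[str]) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' header, or None."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def check_auth_naive(authorization_header: Optional[str],
                     expected_key: str = API_KEY) -> bool:
    """The pattern the PR describes as vulnerable.

    '==' on strings stops at the first differing character, so the time taken
    to reject a wrong token depends on how long its matching prefix is.
    """
    token = extract_bearer_token(authorization_header)
    return token is not None and token == expected_key


def check_auth_constant_time(authorization_header: Optional[str],
                             expected_key: str = API_KEY) -> bool:
    """Hardened form using hmac.compare_digest, as the PR proposes.

    Hashing both sides first (an addition beyond the PR's one-line fix) means
    compare_digest always sees two 32-byte strings: it neither short-circuits
    on content nor leaks the real key's length, and compare_digest's
    ASCII-only restriction on str arguments no longer matters.
    """
    token = extract_bearer_token(authorization_header)
    if token is None:
        return False
    token_digest = hashlib.sha256(token.encode("utf-8")).digest()
    expected_digest = hashlib.sha256(expected_key.encode("utf-8")).digest()
    return hmac.compare_digest(token_digest, expected_digest)
```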

@memosr memosr closed this Mar 29, 2026