fix(middleware): use constant-time compare on hmac signature (#47)

A small fix to use a constant-time comparison on the HMAC signatures for the webhook payloads. Using the constant-time compare will help defend against timing attacks.
getsentry · Jul 2, 2024 · 10cf516 · 10cf516
1 parent 592e1fd
commit 10cf516
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/backend-py/src/api/middleware/verify_sentry_signature.py b/backend-py/src/api/middleware/verify_sentry_signature.py
@@ -23,13 +23,19 @@
 def is_correct_sentry_signature(
     body: Mapping[str, Any], key: str, expected: str
 ) -> bool:
+    # expected could be `None` if the header was missing,
+    # in which case we return early as the request is invalid
+    # without a signature
+    if not expected:
+        return False
+
     digest = hmac.new(
         key=key.encode("utf-8"),
         msg=body,
         digestmod=hashlib.sha256,
     ).hexdigest()
 
-    if digest != expected:
+    if not hmac.compare_digest(digest, expected):
         return False
 
     app.logger.info("Authorized: Verified request came from Sentry")