Merge pull request #1539 from danhofer/master

use hmac compare instead of direct compare
howdyai · Dec 14, 2018 · 60de572 · 60de572
2 parents aab39e8 + ee7b1b0
commit 60de572
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/lib/SlackBot.js b/lib/SlackBot.js
@@ -246,8 +246,20 @@ function Slackbot(configuration) {
                 .update(basestring)
                 .digest('hex');
             let retrievedSignature = req.header('X-Slack-Signature');
+
+            // Compare the hash of the computed signature with the retrieved signature with a secure hmac compare function
+            const validSignature = () => {
+
+                const crypto = require('crypto');
 
-            if (hash !== retrievedSignature) {
+                const slackSigBuffer = new Buffer(retrievedSignature);
+                const compSigBuffer = new Buffer(hash);
+
+                return crypto.timingSafeEqual(slackSigBuffer, compSigBuffer);
+            }
+
+            // replace direct compare with the hmac result
+            if (!validSignature()) {
                 slack_botkit.debug('Signature verification failed, Ignoring message');
                 res.status(401);
                 return;