From f16de4db01c0496205635a3203a44098e7908453 Mon Sep 17 00:00:00 2001
From: Tomi Turtiainen <10324676+tomi@users.noreply.github.com>
Date: Tue, 3 Dec 2024 12:29:36 +0200
Subject: [PATCH] fix(Telegram Trigger Node): Fix header secret check (#12018)
---
 packages/nodes-base/nodes/Telegram/TelegramTrigger.node.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/packages/nodes-base/nodes/Telegram/TelegramTrigger.node.ts b/packages/nodes-base/nodes/Telegram/TelegramTrigger.node.ts
index 199492f88d451..69d037c79c617 100644
--- a/packages/nodes-base/nodes/Telegram/TelegramTrigger.node.ts
+++ b/packages/nodes-base/nodes/Telegram/TelegramTrigger.node.ts
@@ -238,7 +238,10 @@ export class TelegramTrigger implements INodeType {
 const headerSecretBuffer = Buffer.from(
 String(headerData['x-telegram-bot-api-secret-token'] ?? ''),
 );
- if (!crypto.timingSafeEqual(secretBuffer, headerSecretBuffer)) {
+ if (
+ secretBuffer.byteLength !== headerSecretBuffer.byteLength ||
+ !crypto.timingSafeEqual(secretBuffer, headerSecretBuffer)
+ ) {
 const res = this.getResponseObject();
 res.status(403).json({ message: 'Provided secret is not valid' });
 return {
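Review bot: The `byteLength` guard added to the `if` condition has no comment saying why it is there: `crypto.timingSafeEqual` throws when its two buffers differ in length, so a later cleanup could drop the guard as redundant and bring back the exception on a missing or wrong-length `x-telegram-bot-api-secret-token` header. I would add a comment above the condition such as `// timingSafeEqual throws on unequal lengths; treat a length mismatch as an invalid secret (403)`. Because the `!==` comparison short-circuits, the response timing can reveal whether the header's length matched the secret's length, though not its content; if that matters for this webhook, comparing fixed-length digests of both buffers would avoid it. The handler containing this check starts and ends outside the hunk, so how `secretBuffer` is derived is not visible here.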