From c1e05c1024873a40fab2083fb1b24fcac8533a80 Mon Sep 17 00:00:00 2001 From: EffortlessSteven <15812269+EffortlessSteven@users.noreply.github.com> Date: Tue, 23 Jun 2026 01:55:20 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20Fix=20Compi?= =?UTF-8?q?ler=20Optimization=20Vulnerability=20in=20Constant-Time=20Equal?= =?UTF-8?q?ity?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Cargo.lock | 1 + crates/http-auth-verifier/Cargo.toml | 1 + crates/http-auth-verifier/src/lib.rs | 4 +++- 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/Cargo.lock b/Cargo.lock index d5ec3b61..13cda80a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1809,6 +1809,7 @@ dependencies = [ "proptest", "serde", "serde_json", + "subtle", "tracing", ] diff --git a/crates/http-auth-verifier/Cargo.toml b/crates/http-auth-verifier/Cargo.toml index ef6a8612..2961b07f 100644 --- a/crates/http-auth-verifier/Cargo.toml +++ b/crates/http-auth-verifier/Cargo.toml @@ -1,6 +1,7 @@ [dependencies] jsonwebtoken = { version = "10.2.0", features = ["rust_crypto"] } serde.workspace = true +subtle = "2.6.1" tracing.workspace = true [dev-dependencies] diff --git a/crates/http-auth-verifier/src/lib.rs b/crates/http-auth-verifier/src/lib.rs index bc6c71fb..a639ba05 100644 --- a/crates/http-auth-verifier/src/lib.rs +++ b/crates/http-auth-verifier/src/lib.rs @@ -4,6 +4,8 @@ #![forbid(unsafe_code)] +use subtle::ConstantTimeEq; + use jsonwebtoken::{Algorithm, DecodingKey, Validation, decode}; #[cfg(test)] use jsonwebtoken::{EncodingKey, Header, encode}; @@ -93,7 +95,7 @@ pub fn constant_time_eq(left: &str, right: &str) -> bool { return false; } - left.bytes().zip(right.bytes()).fold(0_u8, |acc, (x, y)| acc | (x ^ y)) == 0 + left.as_bytes().ct_eq(right.as_bytes()).into() } #[cfg(test)]