@octokit/webhooks - npm Package Compare versions

Comparing version 3.0.0 to 3.0.1

package.json

@@ -1,1 +0,1 @@
-{"name":"@octokit/webhooks","version":"3.0.0","publishConfig":{"access":"public"},"description":"GitHub webhook events toolset for Node.js","main":"index.js","directories":{"lib":"lib","test":"test"},"dependencies":{},"devDependencies":{"axios":"^0.17.1","coveralls":"^3.0.0","debug":"^3.1.0","get-port":"^3.2.0","pify":"^3.0.0","semantic-release":"^9.1.1","simple-mock":"^0.8.0","standard":"^10.0.3","tap":"^10.7.3"},"scripts":{"coverage":"tap --coverage-report=html && open coverage/lcov-report/index.html","coverage:upload":"tap --coverage-report=text-lcov | coveralls","pretest":"standard","test":"tap --100 --coverage 'test/**/*-test.js'","semantic-release":"semantic-release"},"repository":{"type":"git","url":"https://github.com/octokit/webhooks.js.git"},"keywords":[],"author":"Gregor Martynus (https://twitter.com/gr2m)","license":"MIT"}
+{"name":"@octokit/webhooks","version":"3.0.1","publishConfig":{"access":"public"},"description":"GitHub webhook events toolset for Node.js","main":"index.js","directories":{"lib":"lib","test":"test"},"dependencies":{"buffer-equal-constant-time":"^1.0.1"},"devDependencies":{"axios":"^0.17.1","coveralls":"^3.0.0","debug":"^3.1.0","get-port":"^3.2.0","pify":"^3.0.0","semantic-release":"^9.1.1","simple-mock":"^0.8.0","standard":"^10.0.3","tap":"^11.0.0"},"scripts":{"coverage":"tap --coverage-report=html && open coverage/lcov-report/index.html","coverage:upload":"tap --coverage-report=text-lcov | coveralls","pretest":"standard","test":"tap --100 --coverage 'test/**/*-test.js'","semantic-release":"semantic-release"},"repository":{"type":"git","url":"https://github.com/octokit/webhooks.js.git"},"keywords":[],"author":"Gregor Martynus (https://twitter.com/gr2m)","license":"MIT"}

verify/index.js

 module.exports = verify
 
+const crypto = require('crypto')
 const Buffer = require('buffer').Buffer
 
+const timingSafeEqualPolyfill = require('buffer-equal-constant-time')
+
 const sign = require('../sign')
@@ -12,6 +15,21 @@
 
-  return Buffer.compare(
-    Buffer.from(signature),
-    Buffer.from(sign(secret, eventPayload))
-  ) === 0
+  const signatureBuffer = Buffer.from(signature)
+  const verificationBuffer = Buffer.from(sign(secret, eventPayload))
+
+  if (signatureBuffer.length !== verificationBuffer.length) {
+    return false
+  }
+
+  return timingSafeEqual(signatureBuffer, verificationBuffer)
 }
+
+/* istanbul ignore next */
+function timingSafeEqual (signatureBuffer, verificationBuffer) {
+  // crypto.verificationBuffer was added in Node 6.6
+  // https://nodejs.org/docs/latest-v6.x/api/crypto.html#crypto_crypto_timingsafeequal_a_b
+  if ('timingSafeEqual' in crypto) {
+    return crypto.timingSafeEqual(signatureBuffer, verificationBuffer)
+  }
+
+  return timingSafeEqualPolyfill(signatureBuffer, verificationBuffer)
+}

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

62116

increased by1.17%

Lines of code

1114

increased by1.18%

Worsened metrics

Dependency count

1

increased byInfinity%

Dependency changes

• + Addedbuffer-equal-constant-time@^1.0.1

• + Addedbuffer-equal-constant-time@1.0.1(transitive)