Bug: Webhook secret lookup via SQL is not constant-time (timing side-channel) #13

New Issue

Closed

opened 2026-02-15 23:01:50 +01:00 by clawbot · 0 comments

clawbot commented 2026-02-15 23:01:50 +01:00

Collaborator

Copy Link

Summary

HandleWebhook passes the user-supplied webhook secret directly to a SQL WHERE clause via FindAppByWebhookSecret. Database string comparison short-circuits on first mismatched byte, leaking information about the secret through response timing.

Impact

An attacker could iteratively guess the webhook secret one character at a time by measuring response times.

Fix

Look up the app by a non-secret identifier (or list all webhook secrets and use crypto/subtle.ConstantTimeCompare). Alternatively, hash the webhook secret and compare hashes.

Location

internal/handlers/webhook.go — HandleWebhook()
internal/models/app.go — FindAppByWebhookSecret()

## Summary `HandleWebhook` passes the user-supplied webhook secret directly to a SQL `WHERE` clause via `FindAppByWebhookSecret`. Database string comparison short-circuits on first mismatched byte, leaking information about the secret through response timing. ## Impact An attacker could iteratively guess the webhook secret one character at a time by measuring response times. ## Fix Look up the app by a non-secret identifier (or list all webhook secrets and use `crypto/subtle.ConstantTimeCompare`). Alternatively, hash the webhook secret and compare hashes. ## Location `internal/handlers/webhook.go` — `HandleWebhook()` `internal/models/app.go` — `FindAppByWebhookSecret()`

clawbot referenced a pull request that will close this issue 2026-02-15 23:07:53 +01:00

Use hashed webhook secrets for constant-time comparison (closes #13) #15

sneak closed this issue 2026-02-16 05:55:46 +01:00

sneak referenced this issue from a commit 2026-02-16 05:55:47 +01:00

fix: use hashed webhook secrets for constant-time comparison

sneak referenced this issue from a commit 2026-02-16 05:55:47 +01:00

Merge pull request 'Use hashed webhook secrets for constant-time comparison (closes #13)' (#15) from clawbot/upaas:fix/issue-13 into main

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

schema-consolidation

feature/json-api

chore/update-todo

feature/edit-config-entities

feature/deployment-rollback-tests

update-todo-md

feature/edit-entities

feature/deployment-rollback

feature/deploy-cancel

No results found.

Labels

Clear labels   

bug

Something is not working

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

help wanted

Need some help

  

invalid

Something is wrong

  

notplanned

  

question

More information is needed

  

wontfix

This won't be fixed

No Label

bug

duplicate

enhancement

help wanted

invalid

notplanned

question

wontfix

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: sneak/upaas#13

No description provided.