Replace custom secureCompare with crypto/subtle.ConstantTimeCompare

Remove the hand-rolled secureCompare function and use the standard
library's crypto/subtle.ConstantTimeCompare for CSRF token validation.
Remove the corresponding unit test for the deleted function; CSRF token
comparison is still covered by the integration tests.
clawbot
2026-03-10 02:39:24 -07:00
parent 7f4c40caca
commit 5c69efb5bc
2 changed files with 2 additions and 23 deletions


@@ -173,12 +173,3 @@ func TestGenerateCSRFToken(t *testing.T) {
require.NoError(t, err)
assert.NotEqual(t, token, token2, "each generated token should be unique")
}
func TestSecureCompare(t *testing.T) {
t.Parallel()
assert.True(t, secureCompare("abc", "abc"))
assert.False(t, secureCompare("abc", "abd"))
assert.False(t, secureCompare("abc", "ab"))
assert.False(t, secureCompare("", "a"))
assert.True(t, secureCompare("", ""))
}