plivo/plivo-ruby

Signature validation is insecure

Opened this issue a year ago · 0 comments

rgalanakis commented a year ago

This line:

plivo-ruby/lib/plivo/utils.rb

Line 219 in 1190383

    
           Base64.encode64(OpenSSL::HMAC.digest(sha256_digest, auth_token, data_to_sign)).strip() == signature

Is vulnerable to timing attacks, as per https://github.com/Asmod4n/mruby-secure-compare