From 071e80941cdf13bdd034556acafceaa8ff04a0da Mon Sep 17 00:00:00 2001
From: Rajiv Nayan Choubey <rajivnayanc@gmail.com>
Date: Sun, 29 Mar 2026 15:19:43 +0530
Subject: [PATCH] [FIX] validateWebhookSignature possible timing attack

---
 lib/utils/razorpay-utils.js | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/lib/utils/razorpay-utils.js b/lib/utils/razorpay-utils.js
index 6ba64689..f12a4400 100644
--- a/lib/utils/razorpay-utils.js
+++ b/lib/utils/razorpay-utils.js
@@ -80,8 +80,6 @@ function validateWebhookSignature (body, signature, secret) {
    * @return {Boolean}
    */
 
-  var crypto = require("crypto");
-
   if (!isDefined(body)      ||
       !isDefined(signature) ||
       !isDefined(secret)      ) {
@@ -98,8 +96,15 @@ function validateWebhookSignature (body, signature, secret) {
   var expectedSignature = crypto.createHmac('sha256', secret)
                                 .update(body)
                                 .digest('hex');
+  
+  const signatureBuffer = Buffer.from(signature);
+  const expectedSignatureBuffer = Buffer.from(expectedSignature);
+
+  if (signatureBuffer.length !== expectedSignatureBuffer.length) {
+    return false;
+  }
 
-  return expectedSignature === signature;
+  return crypto.timingSafeEqual(signatureBuffer, expectedSignatureBuffer);
 }
 
 function validatePaymentVerification(params={}, signature, secret){