Skip to content

fix: prevent timing attack in webhook signature verification #469

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
vaibhavchopra-wq wants to merge 6 commits into
base: master
Choose a base branch
from
Open

fix: prevent timing attack in webhook signature verification #469

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
7455da8
fix: prevent timing attack in webhook signature verification
vaibhavchopra-wq Apr 22, 2026
9ea75c9
refactor: use raw bytes comparison instead of hex strings
vaibhavchopra-wq Apr 22, 2026
01b2636
refactor: remove dead try/catch in signature verification
vaibhavchopra-wq Apr 29, 2026
192076a
Fix typo in CI workflow node version matrix
vaibhavchopra-wq Apr 29, 2026
e891894
Upgrade actions/checkout and setup-node to v4
vaibhavchopra-wq Apr 29, 2026
41f808f
Upgrade actions in node.js.yml to v4
vaibhavchopra-wq Apr 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,12 +14,12 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [12.x, 14.x, 16.x, 18.x, 19,x]
node-version: [12.x, 14.x, 16.x, 18.x, 19.x]
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v2
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: 'npm'
Expand All @@ -40,9 +40,9 @@ jobs:
needs: test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v4
- run: sudo apt-get install -y oathtool
- uses: actions/setup-node@v2
- uses: actions/setup-node@v4
with:
node-version: 16
registry-url: https://registry.npmjs.org/
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/node.js.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,9 @@ jobs:
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/

steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v2
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: 'npm'
Expand Down
20 changes: 16 additions & 4 deletions lib/utils/razorpay-utils.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,11 +95,23 @@ function validateWebhookSignature (body, signature, secret) {

body = body.toString();

var expectedSignature = crypto.createHmac('sha256', secret)
.update(body)
.digest('hex');
// Compute HMAC as raw bytes (32 bytes for SHA-256)
var expectedBuffer = crypto.createHmac('sha256', secret)
.update(body)
.digest();

// Decode incoming hex signature to raw bytes
// Note: Buffer.from(hex) returns empty/partial Buffer on invalid hex (no throw),
// which is caught by the length check below
var signatureBuffer = Buffer.from(signature, 'hex');

// Both should be 32 bytes (SHA-256 output)
if (expectedBuffer.length !== signatureBuffer.length) {
return false;
}

return expectedSignature === signature;
// Constant-time comparison to prevent timing attacks
return crypto.timingSafeEqual(expectedBuffer, signatureBuffer);
}

function validatePaymentVerification(params={}, signature, secret){
Expand Down
Loading