Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .jules/sentinel.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
## 2025-05-15 - Timing Attack Vulnerability in Token Validation
**Vulnerability:** The Bearer token validation in `serve.ts` compared buffer lengths before using `crypto.timingSafeEqual`, which creates a short-circuit fast path that leaks the secret token's length via timing differences.
**Learning:** Checking buffer lengths explicitly bypasses the constant-time guarantee of `crypto.timingSafeEqual` when the lengths differ, exposing the secret's length.
**Prevention:** Always hash both secrets to a fixed length (e.g., using `crypto.createHash('sha256')`) before comparison to ensure true constant-time evaluation, without checking lengths first.
9 changes: 3 additions & 6 deletions src/cli/commands/serve.ts
Original file line number Diff line number Diff line change
Expand Up @@ -346,13 +346,10 @@ export async function handleServeCommand(_options: unknown, command: Command) {

let isAuthenticated = false;
if (scheme?.toLowerCase() === 'bearer' && token) {
const tokenBuffer = Buffer.from(token);
const tokenHash = crypto.createHash('sha256').update(token).digest();
for (const authToken of authTokens) {
const authTokenBuffer = Buffer.from(authToken);
if (
tokenBuffer.length === authTokenBuffer.length &&
crypto.timingSafeEqual(tokenBuffer, authTokenBuffer)
) {
const authTokenHash = crypto.createHash('sha256').update(authToken).digest();
if (crypto.timingSafeEqual(tokenHash, authTokenHash)) {
isAuthenticated = true;
break;
}
Expand Down
4 changes: 3 additions & 1 deletion tests/integration/prompt_templates.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,9 @@ describe('Prompt templates', () => {

expect(planSystem).toContain('You are SalmonLoop.');
expect(patchSystem).toContain('You are PATCH, a phase-native diff compiler.');
expect(autopilotSystem).toContain('You are a senior software engineer running in "autopilot" mode.');
expect(autopilotSystem).toContain(
'You are a senior software engineer running in "autopilot" mode.',
);
expect(answerSystem).toContain('You are a coding assistant in "answer" mode.');
expect(researchSystem).toContain('You are a research assistant.');
});
Expand Down
Loading