Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .jules/sentinel.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
## 2024-05-24 - Timing Attack via Length Check Fast Path
**Vulnerability:** A length check before calling `crypto.timingSafeEqual` for variable-length secrets (like A2A tokens) created a short-circuit fast path, leaking the length of the secret via timing differences.
**Learning:** `crypto.timingSafeEqual` throws if buffer lengths do not match, tempting developers to check length first. However, doing so destroys the constant-time guarantee because different lengths return immediately.
**Prevention:** Always hash both the user input and the expected secret using a cryptographic hash function (e.g., SHA-256) to ensure they are the exact same fixed length before calling `timingSafeEqual`.
9 changes: 3 additions & 6 deletions src/cli/commands/serve.ts
Original file line number Diff line number Diff line change
Expand Up @@ -346,13 +346,10 @@ export async function handleServeCommand(_options: unknown, command: Command) {

let isAuthenticated = false;
if (scheme?.toLowerCase() === 'bearer' && token) {
const tokenBuffer = Buffer.from(token);
const tokenHash = crypto.createHash('sha256').update(token).digest();
for (const authToken of authTokens) {
const authTokenBuffer = Buffer.from(authToken);
if (
tokenBuffer.length === authTokenBuffer.length &&
crypto.timingSafeEqual(tokenBuffer, authTokenBuffer)
) {
const authHash = crypto.createHash('sha256').update(authToken).digest();
if (crypto.timingSafeEqual(tokenHash, authHash)) {
isAuthenticated = true;
break;
}
Expand Down
4 changes: 3 additions & 1 deletion tests/integration/prompt_templates.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,9 @@ describe('Prompt templates', () => {

expect(planSystem).toContain('You are SalmonLoop.');
expect(patchSystem).toContain('You are PATCH, a phase-native diff compiler.');
expect(autopilotSystem).toContain('You are a senior software engineer running in "autopilot" mode.');
expect(autopilotSystem).toContain(
'You are a senior software engineer running in "autopilot" mode.',
);
expect(answerSystem).toContain('You are a coding assistant in "answer" mode.');
expect(researchSystem).toContain('You are a research assistant.');
});
Expand Down
Loading