From 716db00117f77bf9d251374fdae091863a96ca46 Mon Sep 17 00:00:00 2001
From: Piotr Zmudzinski <ptr.zmudzinski@gmail.com>
Date: Fri, 31 Mar 2023 15:00:10 +0200
Subject: [PATCH] fix: change typing of verifyWebhook and patch security issue
 (#1090)

Co-authored-by: Federico Guerinoni <41150432+guerinoni@users.noreply.github.com>
---
 src/client.ts        |  8 +++++++-
 src/signing.ts       | 13 +++++++++----
 test/unit/signing.js | 27 +++++++++++++++++++++++++++
 3 files changed, 43 insertions(+), 5 deletions(-)
 create mode 100644 test/unit/signing.js

diff --git a/src/client.ts b/src/client.ts
index 85d62b8db..e1f2f63a9 100644
--- a/src/client.ts
+++ b/src/client.ts
@@ -2648,7 +2648,13 @@ export class StreamChat<StreamChatGenerics extends ExtendableGenerics = DefaultG
     });
   };
 
-  verifyWebhook(requestBody: string, xSignature: string) {
+  /**
+   * checks signature of a request
+   * @param {string | Buffer} rawBody
+   * @param {string} signature from HTTP header
+   * @returns {boolean}
+   */
+  verifyWebhook(requestBody: string | Buffer, xSignature: string) {
     return !!this.secret && CheckSignature(requestBody, this.secret, xSignature);
   }
 
diff --git a/src/signing.ts b/src/signing.ts
index f9c0245d6..d5c6f83e3 100644
--- a/src/signing.ts
+++ b/src/signing.ts
@@ -74,13 +74,18 @@ export function DevToken(userId: string) {
 
 /**
  *
- * @param {string} body the signed message
+ * @param {string | Buffer} body the signed message
  * @param {string} secret the shared secret used to generate the signature (Stream API secret)
  * @param {string} signature the signature to validate
  * @return {boolean}
  */
-export function CheckSignature(body: string, secret: string, signature: string) {
-  const key = Buffer.from(secret, 'ascii');
+export function CheckSignature(body: string | Buffer, secret: string, signature: string) {
+  const key = Buffer.from(secret, 'utf8');
   const hash = crypto.createHmac('sha256', key).update(body).digest('hex');
-  return hash === signature;
+
+  try {
+    return crypto.timingSafeEqual(Buffer.from(hash), Buffer.from(signature));
+  } catch {
+    return false;
+  }
 }
diff --git a/test/unit/signing.js b/test/unit/signing.js
new file mode 100644
index 000000000..167636e77
--- /dev/null
+++ b/test/unit/signing.js
@@ -0,0 +1,27 @@
+import { expect } from 'chai';
+import { CheckSignature } from '../../src';
+
+const MOCK_SECRET = 'porewqKAFDSAKZssecretsercretfads';
+const MOCK_TEXT = 'text';
+const MOCK_JSON_BODY = { a: 1 };
+const MOCK_TEXT_SHA256 = 'd0b770e93a56adc3ee9ac5734533cc0acd71eea8e5e8204a28042ca0f60de1f3';
+const MOCK_JSON_SHA256 = 'e527a6ad4993a4c9a30680c8be4b3eda1c36ab104f1f7d39c744bd27016a9624';
+
+describe('Signing', () => {
+	describe('CheckSignature', () => {
+		it('validates correct text body and signature', () => {
+			const rawBody = Buffer.from(MOCK_TEXT);
+			expect(CheckSignature(rawBody, MOCK_SECRET, MOCK_TEXT_SHA256)).to.be.true;
+		});
+
+		it('validates correct json body and signature', () => {
+			const rawBody = Buffer.from(JSON.stringify(MOCK_JSON_BODY));
+			expect(CheckSignature(rawBody, MOCK_SECRET, MOCK_JSON_SHA256)).to.be.true;
+		});
+
+		it('refutes incorrect json body', () => {
+			const rawBody = Buffer.from(JSON.stringify({ ...MOCK_JSON_BODY, b: 2 }));
+			expect(CheckSignature(rawBody, MOCK_SECRET, MOCK_JSON_SHA256)).to.be.false;
+		});
+	});
+});