Module: StandardWebhooks
- Defined in:
- lib/standard_webhooks.rb
Overview
Constant-time string comparison for fixed-length strings. Code borrowed from ActiveSupport: github.com/rails/rails/blob/75ac626c4e21129d8296d4206a1960563cc3d4aa/activesupport/lib/active_support/security_utils.rb#L33
The values compared should be of fixed length, such as strings that have already been processed by HMAC. Raises in case of length mismatch.
Defined Under Namespace
Classes: StandardWebhooksError, Webhook, WebhookSigningError, WebhookVerificationError
Class Method Summary
- .fixed_length_secure_compare(a, b) ⇒ Object
- .secure_compare(a, b) ⇒ Object
  Secure string comparison for strings of variable length.
Class Method Details
.fixed_length_secure_compare(a, b) ⇒ Object
# File 'lib/standard_webhooks.rb', line 16
def fixed_length_secure_compare(a, b)
  OpenSSL.fixed_length_secure_compare(a, b)
end
.secure_compare(a, b) ⇒ Object
Secure string comparison for strings of variable length.
While a timing attack would not be able to discern the content of a secret compared via secure_compare, it is possible to determine the secret length. This should be considered when using secure_compare to compare weak, short secrets to user input.
# File 'lib/standard_webhooks.rb', line 39
def secure_compare(a, b)
  a.length == b.length && fixed_length_secure_compare(a, b)
end
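
The two cases described above, as an added example that is not code from StandardWebhooks or ActiveSupport: comparing HMAC output, whose size is public, and comparing values whose length is itself sensitive. The helper names (`example_tag`, `example_verify`, `length_hiding_compare`), the hex encoding and the sample values are assumptions made for the illustration.

```ruby
require "openssl"

# Hypothetical helper, not part of StandardWebhooks: hex HMAC-SHA256 tag.
def example_tag(key, payload)
  OpenSSL::HMAC.hexdigest("SHA256", key, payload)
end

# Verify a caller-supplied tag. The expected tag always has the same,
# publicly known size (64 hex characters), so rejecting on a size mismatch
# reveals nothing secret and keeps the fixed-length primitive from raising.
def example_verify(key, payload, received_tag)
  expected = example_tag(key, payload)
  return false unless received_tag.is_a?(String)
  # Compare byte sizes: the OpenSSL primitive works on bytes, not characters.
  return false unless received_tag.bytesize == expected.bytesize
  OpenSSL.fixed_length_secure_compare(expected, received_tag)
end

# Compare values whose length is itself sensitive (a short shared secret
# against user input). Both sides are reduced to 32-byte HMAC tags under a
# fresh random key, so the comparison step always sees equal-sized inputs
# and never takes an early exit on a length mismatch.
def length_hiding_compare(a, b)
  one_time_key = OpenSSL::Random.random_bytes(32)
  OpenSSL.fixed_length_secure_compare(
    OpenSSL::HMAC.digest("SHA256", one_time_key, a),
    OpenSSL::HMAC.digest("SHA256", one_time_key, b)
  )
end

# The bare primitive raises when handed inputs of different sizes.
def raises_on_length_mismatch?
  OpenSSL.fixed_length_secure_compare("abc", "abcd")
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  key  = "constructed-demo-key" # constructed sample values
  body = '{"event":"demo"}'
  good = example_tag(key, body)
  puts example_verify(key, body, good)
  puts example_verify(key, body, good[0, 10])
  puts length_hiding_compare("pin", "a-longer-guess")
  puts raises_on_length_mismatch?
end
```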