fix(compare): reuse shared secret comparison helper (#58432)

* fix(compare): reuse shared secret comparison helper * fix(compare): reject empty bluebubbles auth tokens * docs: add changelog entry for shared secret comparison fix --------- Co-authored-by: Jacob Tomlinson <jtomlinson@nvidia.com>
2026-04-11 01:01:13 +00:00 · 2026-04-02 05:53:19 -07:00
parent 4c08b0bb08
commit be10ecef77
8 changed files with 19 additions and 68 deletions
--- a/extensions/feishu/src/monitor.transport.ts
+++ b/extensions/feishu/src/monitor.transport.ts
@@ -1,6 +1,7 @@
 import * as http from "http";
 import crypto from "node:crypto";
 import * as Lark from "@larksuiteoapi/node-sdk";
+import { safeEqualSecret } from "openclaw/plugin-sdk/browser-support";
 import {
  applyBasicWebhookRequestGuards,
  isRequestBodyLimitError,
@@ -34,15 +35,6 @@ function isFeishuWebhookPayload(value: unknown): value is Record<string, unknown
  return !!value && typeof value === "object" && !Array.isArray(value);
 }

-function timingSafeEqualString(left: string, right: string): boolean {
-  const leftBuffer = Buffer.from(left, "utf8");
-  const rightBuffer = Buffer.from(right, "utf8");
-  if (leftBuffer.length !== rightBuffer.length) {
-    return false;
-  }
-  return crypto.timingSafeEqual(leftBuffer, rightBuffer);
-}
-
 function buildFeishuWebhookEnvelope(
  req: http.IncomingMessage,
  payload: Record<string, unknown>,
@@ -83,7 +75,7 @@ function isFeishuWebhookSignatureValid(params: {
    .createHash("sha256")
    .update(timestamp + nonce + encryptKey + params.rawBody)
    .digest("hex");
-  return timingSafeEqualString(computedSignature, signature);
+  return safeEqualSecret(computedSignature, signature);
 }

 function respondText(res: http.ServerResponse, statusCode: number, body: string): void {