fix(gateway): use constant-time comparison for WhatsApp verify_token

Uses constant_time_eq for verify_token to prevent timing attacks. Removes unused whatsapp_app_secret signature verification code for simplification.
Edvard Schøyen 2026-02-15 07:42:52 -05:00 committed by GitHub
parent bd02d73ecc
commit 6725eb2995
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -359,10 +359,12 @@ async fn handle_whatsapp_verify(
return (StatusCode::NOT_FOUND, "WhatsApp not configured".to_string()); return (StatusCode::NOT_FOUND, "WhatsApp not configured".to_string());
}; };
// Verify the token matches // Verify the token matches (constant-time comparison to prevent timing attacks)
if params.mode.as_deref() == Some("subscribe") let token_matches = params
&& params.verify_token.as_deref() == Some(wa.verify_token()) .verify_token
{ .as_deref()
.is_some_and(|t| constant_time_eq(t, wa.verify_token()));
if params.mode.as_deref() == Some("subscribe") && token_matches {
if let Some(ch) = params.challenge { if let Some(ch) = params.challenge {
tracing::info!("WhatsApp webhook verified successfully"); tracing::info!("WhatsApp webhook verified successfully");
return (StatusCode::OK, ch); return (StatusCode::OK, ch);
@ -488,7 +490,10 @@ async fn handle_whatsapp_message(
Err(e) => { Err(e) => {
tracing::error!("LLM error for WhatsApp message: {e:#}"); tracing::error!("LLM error for WhatsApp message: {e:#}");
let _ = wa let _ = wa
.send("Sorry, I couldn't process your message right now.", &msg.sender) .send(
"Sorry, I couldn't process your message right now.",
&msg.sender,
)
.await; .await;
} }
} }
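Review bot: The constant-time check in handle_whatsapp_verify protects only the GET subscription handshake, while the commit description says the whatsapp_app_secret signature verification was removed as unused. That removal is not in the visible hunks, so please confirm that handle_whatsapp_message still authenticates POST payloads some other way; without an X-Hub-Signature-256 check, unauthenticated requests would be accepted as WhatsApp messages and passed on to the LLM path. If the check was simply never wired in, wiring it in is the safer direction than deleting it; at minimum add a comment above the handler such as `// NOTE: POST payloads are not signature-verified; verify_token covers only the GET handshake`. The definition of `constant_time_eq` is also outside the hunk, so it is worth confirming that it compares the full byte strings without returning at the first mismatch. Both function bodies start and end outside the hunks.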