Skip to content

fix: use constant-time comparison for auth credentials (CWE-208)#4734

Merged
qinxuye merged 1 commit intoxorbitsai:mainfrom
spidershield-contrib:fix/cwe-208-timing-safe-comparison
Mar 29, 2026
Merged

fix: use constant-time comparison for auth credentials (CWE-208)#4734
qinxuye merged 1 commit intoxorbitsai:mainfrom
spidershield-contrib:fix/cwe-208-timing-safe-comparison

Conversation

@spidershield-contrib
Copy link
Copy Markdown
Contributor

@spidershield-contrib spidershield-contrib commented Mar 28, 2026

Summary

Fixes #4733 — replaces timing-vulnerable comparison with constant-time alternative.

Changes

  • xinference/api/oauth2/auth_service.py: Replace == API key comparison with hmac.compare_digest() in get_user_and_scopes_with_api_key()
  • No behavioral change for valid authentication flows
  • Uses stdlib only — no new dependencies

CWE Reference

  • CWE-208: Observable Timing Discrepancy

Found by SpiderShield security scanner

@XprobeBot XprobeBot added the bug Something isn't working label Mar 28, 2026
@XprobeBot XprobeBot added this to the v2.x milestone Mar 28, 2026
qinxuye
qinxuye approved these changes Mar 28, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@qinxuye qinxuye left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@qinxuye qinxuye merged commit e6cfeba into xorbitsai:main Mar 29, 2026
12 of 14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@qinxuye qinxuye qinxuye approved these changes

Assignees

No one assigned

Labels

bug Something isn't working

Projects

None yet

Milestone

v2.x

Development

Successfully merging this pull request may close these issues.

Security: timing attack in auth comparison (CWE-208)

3 participants

@spidershield-contrib @qinxuye @XprobeBot