
Implement blake3 cryptographic hash verification for query string #116

Merged: 4 commits merged from blake3-query-hashing into main, Nov 20, 2023

Conversation

FireMasterK
Member

No description provided.

Contributor

sweep-ai bot commented Nov 17, 2023

Apply Sweep Rules to your PR?

  • Apply: All new business logic should have corresponding unit tests.
  • Apply: Refactor large functions to be more modular.
  • Apply: Add docstrings to all functions and file headers.

@FireMasterK FireMasterK force-pushed the blake3-query-hashing branch 5 times, most recently from 8b2705a to a69bc32, November 17, 2023 17:07

let hash = rx.await.unwrap();

if hash != qhash {
Contributor


Is there a reason this isn't a constant-time comparison? In an async context it's harder to predict what the CPU is doing, but it's still good practice from a security perspective.

Member Author


This is a very small concern in this case; the query hash verification is mainly to prevent bad actors (usually bots) from crafting specialized URLs. This is also why we only use the first 8 characters.
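As an added illustration of the point raised in this thread (not code from this PR or the project), the snippet below contrasts the early-exit comparison that a plain `!=` performs with a constant-time comparison, applied to the 8-character hash prefix the author describes. The blake3 digest itself is assumed to be computed elsewhere and passed in as hex; `full_hash_hex`, `qhash`, `PREFIX_LEN` and the function names are assumptions, as are the sample values.

```rust
use std::hint::black_box;

/// Number of hex characters of the digest that are checked (the PR keeps 8).
const PREFIX_LEN: usize = 8;

/// Early-exit comparison, the shape of a plain `!=` on strings.
/// Returns (equal, bytes examined): the count leaks where the first mismatch is.
fn naive_eq(a: &[u8], b: &[u8]) -> (bool, usize) {
    if a.len() != b.len() {
        return (false, 0);
    }
    let mut steps = 0;
    for (x, y) in a.iter().zip(b) {
        steps += 1;
        if x != y {
            return (false, steps);
        }
    }
    (true, steps)
}

/// Constant-time comparison: XOR every pair and OR the results, so the loop
/// always runs over the full length. Returns (equal, bytes examined), which
/// is always the full length when lengths match. Length is not secret here,
/// so a mismatch is rejected up front.
fn ct_eq(a: &[u8], b: &[u8]) -> (bool, usize) {
    if a.len() != b.len() {
        return (false, 0);
    }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    // black_box keeps the optimiser from turning the fold back into an early exit.
    (black_box(diff) == 0, a.len())
}

/// Check the `qhash` query parameter against the first PREFIX_LEN hex
/// characters of the full digest, in constant time over the prefix.
fn verify_query_hash(full_hash_hex: &str, qhash: &str) -> bool {
    match full_hash_hex.get(..PREFIX_LEN) {
        Some(prefix) => ct_eq(prefix.as_bytes(), qhash.as_bytes()).0,
        None => false, // digest shorter than the prefix: reject
    }
}

fn main() {
    // Constructed sample digest, not a real blake3 output.
    let digest = "deadbeef0123456789abcdef0123456789abcdef0123456789abcdef01234567";
    println!("valid prefix accepted: {}", verify_query_hash(digest, "deadbeef"));
    println!("naive early exit after {} byte(s)", naive_eq(b"deadbeef", b"dxadbeef").1);
    println!("constant-time examined {} byte(s)", ct_eq(b"deadbeef", b"dxadbeef").1);
}
```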

@FireMasterK FireMasterK merged commit 0a6feb8 into main Nov 20, 2023
2 checks passed
@FireMasterK FireMasterK deleted the blake3-query-hashing branch November 20, 2023 05:24