Use timingSafeEqual

ChiChou · Oct 21, 2024 · 2fbaaf1 · 2fbaaf1
1 parent ece84f8
commit 2fbaaf1
Showing 1 changed file with 8 additions and 5 deletions.
diff --git a/server/lib/channels.ts b/server/lib/channels.ts
@@ -1,6 +1,7 @@
 /* eslint-disable @typescript-eslint/no-explicit-any */
 import * as frida from 'frida'
 import http from 'http'
+import { timingSafeEqual } from 'crypto'
 
 import { Server, Namespace, Socket } from 'socket.io'
 import REPL from './repl'
@@ -18,14 +19,14 @@ interface RPCPacket {
 }
 
 export default class Channels {
-  token: string
+  token: Buffer
   socket: Server
   devices: Namespace
   session: Namespace
   changedSignal: frida.DevicesChangedHandler
 
   constructor(srv: http.Server, token: string) {
-    this.token = token
+    this.token = Buffer.from(token)
     this.socket = new Server(srv)
     this.devices = this.socket.of('/devices')
     this.session = this.socket.of('/session')
@@ -43,10 +44,12 @@ export default class Channels {
     this.changedSignal = this.onchange.bind(this)
     mgr.changed.connect(this.changedSignal)
 
-    const validate = (socket: Socket) =>{
-      if (socket.handshake.auth.token !== this.token) {
-        socket.disconnect()
+    const validate = (socket: Socket) => {
+      const { token } = socket.handshake.auth
+      if (typeof token === 'string' && timingSafeEqual(Buffer.from(token), this.token)) {
+        return
       }
+      socket.disconnect()
     }
 
     this.devices.on('connection', validate);