From a6dff4fb7460514aa46ab48b17a278f946da5b23 Mon Sep 17 00:00:00 2001
From: Andrew Dunham
Date: Wed, 30 Nov 2022 11:41:03 -0500
Subject: [PATCH] docs/webhooks: use subtle.ConstantTimeCompare for comparing signatures

Fixes #6572

Signed-off-by: Andrew Dunham
Change-Id: I58610c46e0ea1d3a878f91d154db3da4de9cae00
---
 docs/webhooks/example.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/webhooks/example.go b/docs/webhooks/example.go
index b5584e012..7a70ad52a 100644
--- a/docs/webhooks/example.go
+++ b/docs/webhooks/example.go
@@ -9,6 +9,7 @@ package webhooks
 import (
 "crypto/hmac"
 "crypto/sha256"
+ "crypto/subtle"
 "encoding/hex"
 "encoding/json"
 "errors"
@@ -95,7 +96,7 @@ func verifyWebhookSignature(req *http.Request, secret string) (events []event, e
 // Verify that the signatures match.
 var match bool
 for _, signature := range signatures[currentVersion] {
- if signature == want {
+ if subtle.ConstantTimeCompare([]byte(signature), []byte(want)) == 1 {
 match = true
 break
 }
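Review bot: The new comparison in the second hunk still leaves one timing signal undocumented: `subtle.ConstantTimeCompare` returns 0 immediately when the two slices differ in length, so response time continues to reveal whether the supplied signature has the expected length. That is harmless here only because `want` appears to be a hex-encoded HMAC-SHA256 digest of fixed, non-secret length (it is computed outside the hunk, so these lines alone do not confirm it), and the loop's `break` on the first match is likewise benign because the caller controls the candidate list. Since this file is a documentation example that readers will copy, the reasoning deserves a comment above the `if`: `// Compare in constant time so response latency does not depend on how many leading bytes of the supplied signature match; the length check it short-circuits on is not secret here.` verifyWebhookSignature begins before this hunk and continues after it.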