docs/webhooks: use subtle.ConstantTimeCompare for comparing signatures

Fixes #6572 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I58610c46e0ea1d3a878f91d154db3da4de9cae00
2 years ago · a6dff4fb74
parent 74744b0a4c
commit a6dff4fb74
1 changed files with 2 additions and 1 deletions
--- a/docs/webhooks/example.go
+++ b/docs/webhooks/example.go
@ -9,6 +9,7 @@ package webhooks
 import (
 	"crypto/hmac"
 	"crypto/sha256"
 	"crypto/subtle"
 	"encoding/hex"
 	"encoding/json"
 	"errors"
@ -95,7 +96,7 @@ func verifyWebhookSignature(req *http.Request, secret string) (events []event, e
 	// Verify that the signatures match.
 	var match bool
 	for _, signature := range signatures[currentVersion] {
-		if signature == want {
+		if subtle.ConstantTimeCompare([]byte(signature), []byte(want)) == 1 {
 			match = true
 			break
 		}