From 4ecb7399bcc16e8e30d7b3017eeb96a33aa27735 Mon Sep 17 00:00:00 2001
From: Anthony Morris
Date: Thu, 28 May 2020 10:54:06 -0700
Subject: [PATCH 1/2] =?UTF-8?q?=E2=9E=96=20Remove=20the=20need=20for=20ext?= =?UTF-8?q?ernal=20safe-compare?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 packages/koa-shopify-auth/package.json | 2 --
 .../koa-shopify-auth/src/auth/safe-compare.ts | 15 +++++++++++++++
 .../src/auth/test/validate-hmac.test.ts | 4 ++--
 .../koa-shopify-auth/src/auth/validate-hmac.ts | 3 ++-
 yarn.lock | 12 ++++++------
 5 files changed, 25 insertions(+), 11 deletions(-)
 create mode 100644 packages/koa-shopify-auth/src/auth/safe-compare.ts

diff --git a/packages/koa-shopify-auth/package.json b/packages/koa-shopify-auth/package.json
index d060e48232..e62b9a6843 100644
--- a/packages/koa-shopify-auth/package.json
+++ b/packages/koa-shopify-auth/package.json
@@ -26,7 +26,6 @@
 "@shopify/network": "^1.4.7",
 "koa-compose": ">=3.0.0 <4.0.0",
 "nonce": "^1.0.4",
- "safe-compare": "^1.1.2",
 "tslib": "^1.9.3"
 },
 "devDependencies": {
@@ -34,7 +33,6 @@
 "@shopify/jest-koa-mocks": "^2.2.2",
 "@types/koa": "^2.0.0",
 "@types/koa-compose": "*",
- "@types/safe-compare": "^1.1.0",
 "koa": "^2.5.0"
 },
 "sideEffects": false,
diff --git a/packages/koa-shopify-auth/src/auth/safe-compare.ts b/packages/koa-shopify-auth/src/auth/safe-compare.ts
new file mode 100644
index 0000000000..61c847015a
--- /dev/null
+++ b/packages/koa-shopify-auth/src/auth/safe-compare.ts
@@ -0,0 +1,15 @@
+import crypto from 'crypto';
+
+export default function safeCompare(stringA: string, stringB: string) {
+ const aLen = Buffer.byteLength(stringA);
+ const bLen = Buffer.byteLength(stringB);
+
+ // Turn strings into buffers with equal length
+ // to avoid leaking the length
+ const buffA = Buffer.alloc(aLen, 0, 'utf8');
+ buffA.write(stringA);
+ const buffB = Buffer.alloc(aLen, 0, 'utf8');
+ buffB.write(stringB);
+
+ return crypto.timingSafeEqual(buffA, buffB) && aLen === bLen;
+}
diff --git a/packages/koa-shopify-auth/src/auth/test/validate-hmac.test.ts b/packages/koa-shopify-auth/src/auth/test/validate-hmac.test.ts
index ee2f4ce391..6de014a31b 100644
--- a/packages/koa-shopify-auth/src/auth/test/validate-hmac.test.ts
+++ b/packages/koa-shopify-auth/src/auth/test/validate-hmac.test.ts
@@ -1,10 +1,10 @@
 import validateHmac from '../validate-hmac';
-jest.mock('safe-compare', () => {
+jest.mock('../safe-compare', () => {
 return jest.fn((first: string, second: string) => first === second);
 });
-const safeCompare = require.requireMock('safe-compare');
+const safeCompare = require.requireMock('../safe-compare');
 const data = {fiz: 'buzz', foo: 'bar'};
 const secret = 'some secret';
 const hmac = '7c66606415117ff9744a2a9b2be1712a15928b5ef474ab1a9ff5dc36b7dcaed8';
diff --git a/packages/koa-shopify-auth/src/auth/validate-hmac.ts b/packages/koa-shopify-auth/src/auth/validate-hmac.ts
index 5c485b3ac1..126b60ca1b 100644
--- a/packages/koa-shopify-auth/src/auth/validate-hmac.ts
+++ b/packages/koa-shopify-auth/src/auth/validate-hmac.ts
@@ -2,7 +2,8 @@ import querystring from 'querystring';
 import crypto from 'crypto';
 import {Context} from 'koa';
-import safeCompare from 'safe-compare';
+
+import safeCompare from './safe-compare';
 export default function validateHmac(
 hmac: string,
diff --git a/yarn.lock b/yarn.lock
index f6ebe907f7..465aa8769c 100644
--- a/yarn.lock
+++ b/yarn.lock
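Review bot: The new `safeCompare` is the security-relevant part of this change, yet the only test in the commit that touches it (`validate-hmac.test.ts`) replaces it with a `first === second` mock, so the real implementation — in particular the `aLen === bLen` check that is what actually rejects a longer `stringB` after `buffB.write` silently truncates it to `aLen` bytes — is never executed by the suite. A small `safe-compare.test.ts` asserting that equal strings return `true` and that differing, prefix-longer (`safeCompare('abc', 'abcd')`), and empty-versus-non-empty inputs return `false` would pin that behaviour and would also catch a regression if someone later short-circuits on length before the byte comparison. As a point of style, the `'utf8'` argument in `Buffer.alloc(aLen, 0, 'utf8')` is the encoding of a *string* fill and has no effect with the numeric fill `0`; `Buffer.alloc(aLen)` states the intent more plainly, and the function would benefit from an explicit `: boolean` return type. A one-line doc comment would help future readers, e.g. `/** Constant-time comparison w.r.t. content: both inputs are copied into buffers sized to stringA so timingSafeEqual always runs, and the length mismatch is only folded in afterwards. */`.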
@@ -1746,11 +1746,6 @@ "@types/prop-types" "*" csstype "^2.2.0" -"@types/safe-compare@^1.1.0": - version "1.1.0" - resolved "https://registry.yarnpkg.com/@types/safe-compare/-/safe-compare-1.1.0.tgz#47ed9b9ca51a3a791b431cd59b28f47fa9bf1224" - integrity sha512-1ri+LJhh0gRxIa37IpGytdaW7yDEHeJniBSMD1BmitS07R1j63brcYCzry+l0WJvGdEKQNQ7DYXO2epgborWPw== - "@types/serve-static@*": version "1.13.3" resolved "https://registry.yarnpkg.com/@types/serve-static/-/serve-static-1.13.3.tgz#eb7e1c41c4468272557e897e9171ded5e2ded9d1" @@ -10274,7 +10269,7 @@ safe-buffer@^5.0.1, safe-buffer@^5.1.0, safe-buffer@^5.1.1, safe-buffer@^5.1.2, resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.2.0.tgz#b74daec49b1148f88c64b68d49b1e815c1f2f519" integrity sha512-fZEwUGbVl7kouZs1jCdMLdt95hdIv0ZeHg6L7qPeciMZhZ+/gdesW4wgTARkrFWEpspjEATAzUGPG8N2jJiwbg== -safe-compare@^1.1.2, safe-compare@^1.1.3: +safe-compare@^1.1.3: version "1.1.4" resolved "https://registry.yarnpkg.com/safe-compare/-/safe-compare-1.1.4.tgz#5e0128538a82820e2e9250cd78e45da6786ba593" integrity sha512-b9wZ986HHCo/HbKrRpBJb2kqXMK9CEWIE1egeEvZsYn69ay3kdfl9nG3RyOcR+jInTDf7a86WQ1d4VJX7goSSQ== @@ -11410,6 +11405,11 @@ typescript@^3.7.5: resolved "https://registry.yarnpkg.com/typescript/-/typescript-3.7.5.tgz#0692e21f65fd4108b9330238aac11dd2e177a1ae" integrity sha512-/P5lkRXkWHNAbcJIiHPfRoKqyd7bsyCma1hZNUGfn20qm64T6ZBlrzprymeu918H+mB/0rIg2gGK/BXkhhYgBw== +ua-parser-js@^0.7.17: + version "0.7.21" + resolved "https://registry.yarnpkg.com/ua-parser-js/-/ua-parser-js-0.7.21.tgz#853cf9ce93f642f67174273cc34565ae6f308777" + integrity sha512-+O8/qh/Qj8CgC6eYBVBykMrNtp5Gebn4dlGD/kKXVkJNDwyrAwSIqwz8CDf+tsAIWVycKcku6gIXJ0qwx/ZXaQ== + ua-parser-js@^0.7.18: version "0.7.20" resolved "https://registry.yarnpkg.com/ua-parser-js/-/ua-parser-js-0.7.20.tgz#7527178b82f6a62a0f243d1f94fd30e3e3c21098" From 81eba78f9e7ba2c410f355ac37970b340d401b7e Mon Sep 17 00:00:00 2001 
From: Anthony Morris
Date: Sat, 13 Jun 2020 22:02:06 -0700
Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=93=9D=20Add=20CHANGELOG=20entry?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 packages/koa-shopify-auth/CHANGELOG.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/packages/koa-shopify-auth/CHANGELOG.md b/packages/koa-shopify-auth/CHANGELOG.md
index 432fa06490..1ee361e055 100644
--- a/packages/koa-shopify-auth/CHANGELOG.md
+++ b/packages/koa-shopify-auth/CHANGELOG.md
@@ -5,7 +5,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
-
+## [Unreleased]
+
+### Removed
+
+- Removes `safe-compare` as a dependency, preferring Node's `crypto.timingSafeEqual` [1470](https://github.com/Shopify/quilt/pull/1470)
 ## [3.1.63] - 2020-05-25