admin/n8n-enterprise-unlocked
1
0
Fork 0
mirror of https://github.com/Abdulazizzn/n8n-enterprise-unlocked.git synced 2025-12-17 10:02:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(Telegram Trigger Node): Use timing-safe string comparison (no-changelog) (#10718)

Browse Source
This commit is contained in:
Shireen Missi
2024-09-10 13:02:38 +01:00
committed by GitHub
parent 421aa71251
commit 540f79a38f
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
packages/nodes-base/nodes/Telegram/TelegramTrigger.node.ts
View File

@@ -1,3 +1,4 @@
import crypto from 'crypto';
import type {
IHookFunctions,
IWebhookFunctions,
@@ -233,7 +234,11 @@ export class TelegramTrigger implements INodeType {
const nodeVersion = this.getNode().typeVersion;
if (nodeVersion > 1) {
const secret = getSecretToken.call(this);
if (secret !== headerData['x-telegram-bot-api-secret-token']) {
const secretBuffer = Buffer.from(secret);
const headerSecretBuffer = Buffer.from(
String(headerData['x-telegram-bot-api-secret-token'] ?? ''),
);
if (!crypto.timingSafeEqual(secretBuffer, headerSecretBuffer)) {
const res = this.getResponseObject();
res.status(403).json({ message: 'Provided secret is not valid' });
return {