This repository was archived by the owner on Aug 17, 2022. It is now read-only.

Releases: redbubble/finagle-hawk

v0.3.1

10 Jan 05:11
9721313

Dependencies updated

  • rbutils -> 0.2.10
  • cats -> 1.0.1
  • mouse -> 0.16
  • shapeless -> 2.3.3
  • Circe -> 0.9.0
  • Finagle 17.12
  • joda convert 1.9.2

Bugfix

When comparing the computed MAC with the provided MAC, the code previously used the standard == comparison operator, which returns as soon as it finds a differing character in the string. This patch updates these calls to use MessageDigest.isEqual on the raw bytes of the strings, so that two strings of identical length always take the same amount of time to compare, which prevents early exits from leaking information to attackers.

Thanks to Nicholas Goodwin for his help on this.

v0.3.0

24 Sep 07:58

Please upgrade

This release addresses a vulnerability in the way MACs of incoming requests were validated. Previously only the time was validated and the result of the MAC validation was ignored. Thanks to Ryan Plessner for reporting this.

Also includes breaking changes to the way the HawkAuthenticateRequestFilter is constructed:

  • Added StatsReceiver as an implicit argument;
  • Pushed the leeway up into the constructor rather than hard-coding it; it defaults to 2 minutes.

Plenty of internal cleanups, to make the code more type-safe.
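The two fixes above (v0.3.0: the MAC result must actually decide the outcome; v0.3.1: the MAC comparison must not short-circuit) are illustrated together below. This is an added example, not finagle-hawk's own code: the normalized string, the `HawkValidation` object, the `validate` signature and the error types are hypothetical simplifications, and the key and request values are constructed. The real Hawk normalized string covers more fields (host, port, hash, ext) than shown here.

```scala
// Added example, not from finagle-hawk. Shows timestamp leeway and MAC check
// combined so neither is ignored, with the MAC compared via MessageDigest.isEqual.
import java.nio.charset.StandardCharsets.UTF_8
import java.security.MessageDigest
import java.util.Base64
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec
import scala.concurrent.duration._

sealed trait HawkError
case object StaleTimestamp extends HawkError
case object BadMac extends HawkError

object HawkValidation {
  private val Algorithm = "HmacSHA256"

  // Hypothetical, simplified normalized string (real Hawk includes host, port, hash, ext).
  def normalized(ts: Long, nonce: String, method: String, path: String): String =
    s"hawk.1.header\n$ts\n$nonce\n$method\n$path\n"

  // Base64 MAC over the normalized string, as the client would send it.
  def computeMac(key: Array[Byte], normalizedString: String): String = {
    val mac = Mac.getInstance(Algorithm)
    mac.init(new SecretKeySpec(key, Algorithm))
    Base64.getEncoder.encodeToString(mac.doFinal(normalizedString.getBytes(UTF_8)))
  }

  // Pre-v0.3.1 shape: String == stops at the first differing character,
  // so comparison time depends on how long the common prefix is.
  def macsMatchNaive(computed: String, provided: String): Boolean = computed == provided

  // v0.3.1 shape: compare the raw bytes with MessageDigest.isEqual. For inputs of equal
  // length the time does not depend on where they differ; a length mismatch returns false
  // immediately, which only reveals the length (fixed per algorithm anyway).
  def macsMatch(computed: String, provided: String): Boolean =
    MessageDigest.isEqual(computed.getBytes(UTF_8), provided.getBytes(UTF_8))

  // Both checks feed the result; pre-v0.3.0 only the timestamp check did.
  def validate(key: Array[Byte], ts: Long, nonce: String, method: String, path: String,
               providedMac: String, now: Long,
               leeway: FiniteDuration = 2.minutes): Either[HawkError, Unit] = {
    val skewSeconds = math.abs(now - ts)           // Hawk timestamps are in seconds
    if (skewSeconds > leeway.toSeconds) Left(StaleTimestamp)
    else if (!macsMatch(computeMac(key, normalized(ts, nonce, method, path)), providedMac)) Left(BadMac)
    else Right(())
  }
}

object Demo extends App {
  import HawkValidation._
  val key   = "constructed-demo-key".getBytes(UTF_8)   // constructed, not a real credential
  val now   = 1515560000L                              // constructed clock value (seconds)
  val nonce = "j4h3g2"
  val good  = computeMac(key, normalized(now, nonce, "GET", "/resource/1"))

  println(validate(key, now, nonce, "GET", "/resource/1", good, now))            // Right(())
  println(validate(key, now, nonce, "GET", "/resource/1", good.dropRight(1) + "A", now)) // Left(BadMac)
  println(validate(key, now - 600, nonce, "GET", "/resource/1", good, now))      // Left(StaleTimestamp)
}
```

The order of the two checks does not affect the result; what matters is that `validate` returns `Left(BadMac)` whenever the MAC does not match, and that the match itself is decided by `MessageDigest.isEqual` rather than `==`.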