Skip to content

fix(auth): use constant-time comparison for internal API secret validation#304

Merged
St0rmz1 merged 3 commits intomainfrom
fix/af5-constant-time-secret-comparison
Feb 18, 2026
Merged

fix(auth): use constant-time comparison for internal API secret validation#304
St0rmz1 merged 3 commits intomainfrom
fix/af5-constant-time-secret-comparison

Conversation

@St0rmz1
Copy link
Contributor

@St0rmz1 St0rmz1 commented Feb 17, 2026

fix(auth): use constant-time comparison for internal API secret validation (AF-5)

Replace short-circuit !== string comparison with timing-safe XOR-based comparison for INTERNAL_API_SECRET in kiloclaw to prevent theoretical timing side channel attacks

@St0rmz1
fix(auth): use constant-time comparison for internal API secret valid…
3a82510 
…ation (AF-5)

Replace short-circuit !== string comparison with timing-safe XOR-based comparison for INTERNAL_API_SECRET in kiloclaw to prevent theoretical timing side channel attacks
@St0rmz1 St0rmz1 marked this pull request as ready for review February 17, 2026 22:28
kiloconnect[bot]
kiloconnect bot reviewed Feb 17, 2026
View reviewed changes
@kiloconnect
Copy link
Contributor

kiloconnect bot commented Feb 17, 2026
edited
Loading

Code Review Summary

Status: 1 Issue Found | Recommendation: Address before merge

Overview

Severity Count
CRITICAL 1
WARNING 0
SUGGESTION 0
Issue Details (click to expand)

CRITICAL

File Line Issue
kiloclaw/src/auth/middleware.ts 122 Early return on length mismatch leaks secret length via timing side-channel (existing comment)
Files Reviewed (3 files)
  • kiloclaw/src/auth/middleware.ts - 1 issue (existing comment)
  • kiloclaw/src/test-setup.ts - 0 issues
  • kiloclaw/vitest.config.ts - 0 issues

Fix these issues in Kilo Cloud

St0rmz1 and others added 2 commits February 17, 2026 14:47
@St0rmz1
Replace short-circuit !== string comparison with crypto.subtle.timing…
22c9e96 
…SafeEqual

  for INTERNAL_API_SECRET in kiloclaw. Uses dummy self-comparison on length
  mismatch to avoid leaking secret length via timing side-channel.

  Adds vitest setup to polyfill crypto.subtle.timingSafeEqual for Node test
  env.
@St0rmz1
Merge branch 'main' into fix/af5-constant-time-secret-comparison
9339408
@St0rmz1 St0rmz1 merged commit 35ad52a into main Feb 18, 2026
12 checks passed
@St0rmz1 St0rmz1 deleted the fix/af5-constant-time-secret-comparison branch February 18, 2026 04:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kiloconnect kiloconnect[bot] kiloconnect[bot] left review comments

@pandemicsyn pandemicsyn pandemicsyn approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@St0rmz1 @pandemicsyn