Skip to content

[Bug] rustchain_sync_endpoints.py: require_admin decorator uses != for admin key comparison — timing attack #3226

Description

@haoyousun60-create

Security Audit Finding

Severity: Medium
File: node/rustchain_sync_endpoints.py:93-96
Issue: The require_admin decorator uses != for admin key comparison instead of hmac.compare_digest. This is inconsistent with the same file's _verify_sync_signature function (line 83) which correctly uses hmac.compare_digest.

Code:

def require_admin(f):
    @wraps(f)
    def decorated(*args, **kwargs):
        key = request.headers.get("X-Admin-Key") or request.headers.get("X-API-Key")
        if not key or key != admin_key:  # Timing-unsafe!
            return jsonify({"error": "Unauthorized"}), 401
        return f(*args, **kwargs)
    return decorated

Contrast with correct code in same file:

# Line 83 — correct:
if not hmac.compare_digest(signature, expected):
    return False, "Invalid signature"

Impact:

  • Timing side-channel leaks admin key length and content
  • All sync endpoints (/api/sync/status, /api/sync/pull, etc.) are affected
  • Attacker can brute-force admin key byte-by-byte

Fix:

if not key or not hmac.compare_digest(key, admin_key):
    return jsonify({"error": "Unauthorized"}), 401

Wallet: RTC4642c5ee8467f61ed91b5775b0eeba984dd776ba

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions