Security Audit Finding
Severity: Medium
File: node/rustchain_sync_endpoints.py:93-96
Issue: The require_admin decorator uses != for admin key comparison instead of hmac.compare_digest. This is inconsistent with the same file's _verify_sync_signature function (line 83) which correctly uses hmac.compare_digest.
Code:
def require_admin(f):
@wraps(f)
def decorated(*args, **kwargs):
key = request.headers.get("X-Admin-Key") or request.headers.get("X-API-Key")
if not key or key != admin_key: # Timing-unsafe!
return jsonify({"error": "Unauthorized"}), 401
return f(*args, **kwargs)
return decorated
Contrast with correct code in same file:
# Line 83 — correct:
if not hmac.compare_digest(signature, expected):
return False, "Invalid signature"
Impact:
- Timing side-channel leaks admin key length and content
- All sync endpoints (/api/sync/status, /api/sync/pull, etc.) are affected
- Attacker can brute-force admin key byte-by-byte
Fix:
if not key or not hmac.compare_digest(key, admin_key):
return jsonify({"error": "Unauthorized"}), 401
Wallet: RTC4642c5ee8467f61ed91b5775b0eeba984dd776ba
Security Audit Finding
Severity: Medium
File: node/rustchain_sync_endpoints.py:93-96
Issue: The
require_admindecorator uses!=for admin key comparison instead ofhmac.compare_digest. This is inconsistent with the same file's_verify_sync_signaturefunction (line 83) which correctly useshmac.compare_digest.Code:
Contrast with correct code in same file:
Impact:
Fix:
Wallet: RTC4642c5ee8467f61ed91b5775b0eeba984dd776ba