Closed
Description
Opening a public issue after discussion
This only crashes when either the server is already wrongly implemented or when non-typechecked user input ends up in timingSafeEqual, both of which are out of scope from being a security issue by the threat model
This needs several calls (3 are enough, as demonstrated) to trigger
Affects 24.x and 25.x
Refs:
- deps: update V8 to 13.6 #58070
- crypto: make timingSafeEqual faster for Uint8Array #52341
- 50a8527867b0 <- likely caused by this
PoC (run a few times or adjust the numbers if you can't reproduce).
This usually crashes on the third invalid call on my machine:
```js
import { timingSafeEqual } from 'node:crypto'

const a = Buffer.from('actual')
const input = ''
let j = 0
for (let i = 0; i < 350_000; i++) {
  timingSafeEqual(a, a) // valid usage
  // Each 70001-th request is invalid (exact number doesn't matter)
  // 5 invalid requests total here, but this usually crashes on 3rd
  if (i % 70_000 === 0) {
    console.log(j++)
    try {
      timingSafeEqual(a, input) // invalid usage, leading to process being terminated
    } catch {
      // error is processed or ignored, doesn't matter
    }
  }
}
```

Or just
```js
import { timingSafeEqual } from 'node:crypto'

for (let i = 0; i < 50_000; i++) {
  try {
    timingSafeEqual('', '')
  } catch {}
}
```
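A mitigation sketch for the condition the report describes (non-typechecked input reaching `timingSafeEqual`), added here as an example and not taken from the issue or from Node.js itself. The names `safeEqual`, `toBuffer` and `COMPARE_KEY` are hypothetical, and the block uses CommonJS `require`; the type check runs in JavaScript, and both sides are HMAC'd so the native call only ever receives two equal-length Buffers.

```javascript
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto')

// Per-process random key; the digests are only compared, never stored.
const COMPARE_KEY = randomBytes(32)

// Hypothetical helper: normalise untrusted input to a Buffer, or return null.
function toBuffer(value) {
  if (typeof value === 'string') return Buffer.from(value, 'utf8')
  if (Buffer.isBuffer(value)) return value
  if (ArrayBuffer.isView(value)) {
    return Buffer.from(value.buffer, value.byteOffset, value.byteLength)
  }
  return null // numbers, plain objects, null, undefined, ...
}

// Hypothetical helper: comparison that returns false instead of passing
// a wrong type or a mismatched length into timingSafeEqual.
function safeEqual(expected, candidate) {
  const a = toBuffer(expected)
  const b = toBuffer(candidate)
  if (a === null || b === null) return false // rejected before the native call
  // HMAC-SHA256 both sides: the native call always gets two 32-byte Buffers,
  // whatever the lengths of the original values.
  const da = createHmac('sha256', COMPARE_KEY).update(a).digest()
  const db = createHmac('sha256', COMPARE_KEY).update(b).digest()
  return timingSafeEqual(da, db)
}

// Constructed sample inputs, including the empty string used in the report.
function demo() {
  const secret = Buffer.from('actual')
  const inputs = ['actual', '', 'wrong', undefined, 42, Buffer.from('actual')]
  return inputs.map((input) => safeEqual(secret, input))
}
```
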