Skip to content

fix(auth): constant-time Basic compare, code sweep, scrubber URL-password gaps#15

Merged
sebyx07 merged 1 commit into
mainfrom
fix/auth-scrubber-hardening
Jul 2, 2026
Merged

fix(auth): constant-time Basic compare, code sweep, scrubber URL-password gaps#15
sebyx07 merged 1 commit into
mainfrom
fix/auth-scrubber-hardening

Conversation

@sebyx07

@sebyx07 sebyx07 commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Auth-boundary and credential-scrubbing fixes from the bug hunt, all with tests:

  1. Timing side-channel on the Basic-auth password. check_basic used a plain String == (short-circuits on length and first differing byte). /authorize is gated solely by this and mints root-equivalent bearer tokens, so the comparison time was an oracle an attacker can iterate against. Now compares SHA-256 digests — timing independent of where the inputs differ, and neither digest is attacker-controlled.
  2. Unbounded auth-code map. Codes were only removed on redeem; every abandoned/failed login (or a deliberate loop of /authorize requests) grew the in-memory map forever. new_code now sweeps expired entries.
  3. URL-credential scrubber leaked real passwords. The password group [^\s/@]+ meant https://user:abc/def@host never matched (whole secret leaked to GlitchTip — base64 secrets routinely contain /), and https://u:p@ss@host leaked the tail after the first @. The group is now [^\s]+, greedy to the last @ in the token; worst case it over-redacts a host tail, which is the module's documented bias.

🤖 Generated with Claude Code

…word gaps

- check_basic compared the decoded credential with a short-circuiting
  String ==, a timing oracle on the one secret an attacker can iterate
  against (/authorize mints root-equivalent bearers). Now compares
  SHA-256 digests, making timing independent of where inputs differ.
- Authorization codes abandoned without a redeem were never removed from
  the in-memory map (expiry was only checked lazily on redeem); new_code
  now sweeps expired entries, bounding the map.
- The URL-credential scrubber's password group [^\s/@]+ leaked secrets
  containing '/' (no match at all — base64 secrets routinely have them)
  and the tail of passwords containing '@'. Now [^\s]+, greedy to the
  last '@' in the token — over-redacts host tails at worst, per the
  module's documented bias.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Warning

Review limit reached

You’ve reached a temporary PR review limit under our Fair Usage Limits Policy.

Your recent review volume is higher than typical usage, so adaptive limits are currently applied.

Next review available in: 43 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 53f05a98-41db-45fa-9526-48d35e32bf23

📥 Commits

Reviewing files that changed from the base of the PR and between d8b41a0 and 2062be9.

📒 Files selected for processing (3)
  • src/auth.rs
  • src/oauth/store.rs
  • src/sentry.rs
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/auth-scrubber-hardening

Comment @coderabbitai help to get the list of available commands.

@sebyx07 sebyx07 enabled auto-merge (squash) July 2, 2026 18:25
@sebyx07

sebyx07 commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@sebyx07

sebyx07 commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

@coderabbitai approve

@sebyx07 sebyx07 merged commit 13ab13f into main Jul 2, 2026
5 checks passed
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
✅ Action performed

Comments resolved and changes approved.

@sebyx07 sebyx07 deleted the fix/auth-scrubber-hardening branch July 2, 2026 18:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant