BUG: Uncaught TypeError Crash in CSRF Verification Middleware #31
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
verifyCsrf.js compares cookieToken.length !== headerToken.length at character-level. If multi-byte tokens are sent where string length matches but byte length differs, Buffer.from() yields differing lengths. Consequently, crypto.timingSafeEqual throws an unhandled TypeError crash (500) rather than a clean 403.
Resolution: Refactored server/middleware/verifyCsrf.js to instantiate byte buffers from tokens first, and then perform a timing-safe length verification on the buffers (a.length !== b.length) before running crypto.timingSafeEqual(). This prevents uncaught Node.js TypeErrors and handles multi-byte tokens gracefully. Added unit tests in tests/unit/verifyCsrf.test.js.