BUG: Uncaught TypeError Crash in CSRF Verification Middleware #31

Closed
opened 2026-05-22 15:40:02 +01:00 by Gandalf · 1 comment
Owner

verifyCsrf.js compares cookieToken.length !== headerToken.length at character-level. If multi-byte tokens are sent where string length matches but byte length differs, Buffer.from() yields differing lengths. Consequently, crypto.timingSafeEqual throws an unhandled TypeError crash (500) rather than a clean 403.

verifyCsrf.js compares cookieToken.length !== headerToken.length at character-level. If multi-byte tokens are sent where string length matches but byte length differs, Buffer.from() yields differing lengths. Consequently, crypto.timingSafeEqual throws an unhandled TypeError crash (500) rather than a clean 403.
Gandalf added the Kind/Bug label 2026-05-22 15:40:55 +01:00
Author
Owner

Resolution: Refactored server/middleware/verifyCsrf.js to instantiate byte buffers from tokens first, and then perform a timing-safe length verification on the buffers (a.length !== b.length) before running crypto.timingSafeEqual(). This prevents uncaught Node.js TypeErrors and handles multi-byte tokens gracefully. Added unit tests in tests/unit/verifyCsrf.test.js.

Resolution: Refactored server/middleware/verifyCsrf.js to instantiate byte buffers from tokens first, and then perform a timing-safe length verification on the buffers (a.length !== b.length) before running crypto.timingSafeEqual(). This prevents uncaught Node.js TypeErrors and handles multi-byte tokens gracefully. Added unit tests in tests/unit/verifyCsrf.test.js.
Gandalf added the Area/Frontend label 2026-05-28 11:53:58 +01:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Gandalf/sofarr#31