use fixed-time comparison of secrets (#1698)

2025-07-04 09:32:48 -05:00 · 2021-11-08 15:55:42 -05:00
parent c07794e907
commit 7cc7b84eaf
8 changed files with 18 additions and 8 deletions
--- a/src/Billing/Controllers/StripeController.cs
+++ b/src/Billing/Controllers/StripeController.cs
@ -80,7 +80,7 @@ namespace Bit.Billing.Controllers
        [HttpPost("webhook")]
        public async Task<IActionResult> PostWebhook([FromQuery] string key)
        {
-            if (key != _billingSettings.StripeWebhookKey)
+            if (!CoreHelpers.FixedTimeEquals(key, _billingSettings.StripeWebhookKey))
            {
                return new BadRequestResult();
            }