fix(utils): use hmac.compare_digest for secure WebApp signature validation

The WebApp signature validation in utils.web_app currently compares the
calculated HMAC with the provided hash using `==`. While this works correctly
for cryptographic verification, it may theoretically leak timing information.

This change replaces the comparison with `hmac.compare_digest`, which is
designed to perform constant-time comparisons and is recommended for all
cryptographic checks. Although practical timing attacks are unlikely in this
context, this change improves overall security best practices.
Slava Terekhin 2025-07-16 00:59:24 +05:00 committed by GitHub
parent 7a517f1eba
commit 3cf30aa4f7
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
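As an added example, not code from this commit or from the project's own utils.web_app, the following block shows the pre-patch `==` comparison beside the `hmac.compare_digest` form the commit adopts, together with the input guard `compare_digest` itself needs. It assumes a key derivation of HMAC-SHA256 keyed with the literal "WebAppData" over the bot token and a data-check string of sorted `key=value` pairs joined by newlines with the `hash` field removed; the page only shows the final comparison, so both are assumptions, as is the constructed sample token and field set.

```python
"""Constant-time verification of a WebApp init_data signature.

Added example, not the project's code. The key derivation and the
data-check-string layout below are assumptions about the scheme behind
check_webapp_signature(); the page itself shows only the final return line.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode


def derive_secret_key(token: str) -> bytes:
    # Assumption: secret_key = HMAC-SHA256(key="WebAppData", msg=bot token).
    return hmac.new(b"WebAppData", token.encode(), hashlib.sha256).digest()


def data_check_string(fields: dict) -> str:
    # Assumption: every field except "hash", rendered "key=value",
    # sorted by key and joined with newlines.
    return "\n".join(f"{k}={v}" for k, v in sorted(fields.items()) if k != "hash")


def expected_hash(token: str, fields: dict) -> str:
    return hmac.new(
        key=derive_secret_key(token),
        msg=data_check_string(fields).encode(),
        digestmod=hashlib.sha256,
    ).hexdigest()


def check_webapp_signature_before(token: str, init_data: str) -> bool:
    """Pre-patch shape: '==' stops at the first differing character, so the
    time taken depends on how much of the forged hash is already right."""
    fields = dict(parse_qsl(init_data, keep_blank_values=True))
    hash_ = fields.get("hash", "")
    return expected_hash(token, fields) == hash_


def check_webapp_signature(token: str, init_data: str) -> bool:
    """Patched shape: constant-time compare, plus the guards it needs."""
    fields = dict(parse_qsl(init_data, keep_blank_values=True))
    hash_value = fields.get("hash")
    if hash_value is None:
        return False
    # hmac.compare_digest raises TypeError when a str argument contains
    # non-ASCII characters. The caller controls hash_value, so reject anything
    # that is not a 64-character lowercase hex digest before comparing; the
    # length and alphabet of the expected digest are public, so this early
    # return leaks nothing about the secret.
    if len(hash_value) != 64 or any(c not in "0123456789abcdef" for c in hash_value):
        return False
    calculated_hash = expected_hash(token, fields)
    return hmac.compare_digest(calculated_hash, hash_value)


def sign_init_data(token: str, fields: dict) -> str:
    """Build a correctly signed init_data string, as the platform would."""
    signed = dict(fields)
    signed["hash"] = expected_hash(token, fields)
    return urlencode(signed)


# Constructed sample input; not captured from any real deployment.
SAMPLE_TOKEN = "123456:constructed-sample-token"
SAMPLE_FIELDS = {"auth_date": "1700000000", "query_id": "q1", "user": '{"id":42}'}

if __name__ == "__main__":
    good = sign_init_data(SAMPLE_TOKEN, SAMPLE_FIELDS)
    print("valid:", check_webapp_signature(SAMPLE_TOKEN, good))
    print("tampered:", check_webapp_signature(SAMPLE_TOKEN, good.replace("q1", "q2")))
    print("non-ascii hash:", check_webapp_signature(SAMPLE_TOKEN, "auth_date=1&hash=%C3%A9"))
```

The hex guard matters in practice: without it, a single non-ASCII byte in the `hash` field of attacker-supplied init_data turns the patched comparison into an unhandled TypeError rather than a clean `False`.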


@ -134,7 +134,7 @@ def check_webapp_signature(token: str, init_data: str) -> bool:
calculated_hash = hmac.new(
key=secret_key.digest(), msg=data_check_string.encode(), digestmod=hashlib.sha256
).hexdigest()
return calculated_hash == hash_
return hmac.compare_digest(calculated_hash, hash_value)
def parse_webapp_init_data(
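Review bot: the removed line compares against `hash_` while the added line uses `hash_value`, and nothing else in this hunk defines or renames `hash_value`; if the assignment earlier in check_webapp_signature still binds the parsed hash as `hash_`, the new return raises NameError on every call, so either keep the name `hash_` or include the matching rename in the diff. Separately, `hmac.compare_digest` accepts two `str` arguments only when both are pure ASCII and raises TypeError otherwise; `calculated_hash` is a hexdigest and always ASCII, but the provided hash comes from the caller's init_data, so a guard such as `if not hash_value.isascii(): return False` ahead of the comparison keeps attacker-controlled input from turning into an unhandled exception. A one-line comment above the return stating why `compare_digest` is used would also stop a later cleanup from reverting it to `==`.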