[PR #575] [MERGED] Change pwd check to O(1) check to prevent timing attacks - single user mode #3405

Closed
opened 2026-02-22 18:33:43 -05:00 by yindo · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/Mintplex-Labs/anything-llm/pull/575
Author: @timothycarambat
Created: 1/11/2024
Status: Merged
Merged: 1/11/2024
Merged by: @timothycarambat

Base: masterHead: security/constant-time-authtoken-check


📝 Commits (1)

  • 7bb5088 Change pwd check to O(1) check to prevent timing attacks

📊 Changes

4 files changed (+16 additions, -5 deletions)

View changed files

📝 frontend/src/components/Modals/Password/index.jsx (+1 -1)
📝 frontend/src/pages/Login/index.jsx (+5 -1)
📝 server/endpoints/system.js (+8 -2)
📝 server/utils/middleware/validatedRequest.js (+2 -1)

📄 Description

Pull Request Type

  • feat
  • 🐛 fix
  • ♻️ refactor
  • 💄 style
  • 🔨 chore
  • 📝 docs

What is in this change?

For single-user mode, move === to bcrypt comparison to prevent efficacy of timing attack potential. This is already covered for Multi-user.

The risk of this is low as the overhead for the HTTP response varies from request to request making this opportunity near-impossible to execute, but why not patch it 👍

Developer Validations

  • I ran yarn lint from the root of the repo & committed changes
  • Relevant documentation has been updated
  • I have tested my code functionality
  • Docker build succeeds locally

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/Mintplex-Labs/anything-llm/pull/575 **Author:** [@timothycarambat](https://github.com/timothycarambat) **Created:** 1/11/2024 **Status:** ✅ Merged **Merged:** 1/11/2024 **Merged by:** [@timothycarambat](https://github.com/timothycarambat) **Base:** `master` ← **Head:** `security/constant-time-authtoken-check` --- ### 📝 Commits (1) - [`7bb5088`](https://github.com/Mintplex-Labs/anything-llm/commit/7bb5088cd3a1e02bef784c2668f9f88b060bc751) Change pwd check to O(1) check to prevent timing attacks ### 📊 Changes **4 files changed** (+16 additions, -5 deletions) <details> <summary>View changed files</summary> 📝 `frontend/src/components/Modals/Password/index.jsx` (+1 -1) 📝 `frontend/src/pages/Login/index.jsx` (+5 -1) 📝 `server/endpoints/system.js` (+8 -2) 📝 `server/utils/middleware/validatedRequest.js` (+2 -1) </details> ### 📄 Description ### Pull Request Type <!-- For change type, change [ ] to [x]. --> - [ ] ✨ feat - [x] 🐛 fix - [ ] ♻️ refactor - [ ] 💄 style - [ ] 🔨 chore - [ ] 📝 docs ### What is in this change? For single-user mode, move `===` to `bcrypt` comparison to prevent efficacy of [timing attack potential](https://ropesec.com/articles/timing-attacks/). This is already covered for Multi-user. The risk of this is low as the overhead for the HTTP response varies from request to request making this opportunity near-impossible to execute, but why not patch it 👍 ### Developer Validations <!-- All of the applicable items should be checked. --> - [x] I ran `yarn lint` from the root of the repo & committed changes - [x] Relevant documentation has been updated - [x] I have tested my code functionality - [x] Docker build succeeds locally --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
yindo added the pull-request label 2026-02-22 18:33:43 -05:00
yindo closed this issue 2026-02-22 18:33:43 -05:00
yindo changed title from [PR #575] Change pwd check to O(1) check to prevent timing attacks - single user mode to [PR #575] [MERGED] Change pwd check to O(1) check to prevent timing attacks - single user mode 2026-06-05 15:13:14 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Mintplex-Labs/anything-llm#3405