Skip to content

Security: constant-time comparison for REST API credentials#1376

Open
vuckro wants to merge 1 commit into
Ultimate-Multisite:mainfrom
vuckro:security/api-credentials-constant-time
Open

Security: constant-time comparison for REST API credentials#1376
vuckro wants to merge 1 commit into
Ultimate-Multisite:mainfrom
vuckro:security/api-credentials-constant-time

Conversation

@vuckro

@vuckro vuckro commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Summary

API::validate_credentials() compared the stored API key and secret with ===,
which short-circuits on the first differing byte and can leak the values through
response timing.

Changes

  • Compare with hash_equals() (constant time).
  • Reject the prevent sentinel (stored before credentials are generated) and
    empty credentials explicitly, so an unconfigured key/secret can never
    authenticate.

Compatibility

Pure hardening; valid credentials authenticate exactly as before.

Part of a small series of focused security hardening PRs. Full technical detail
is available privately to the maintainers on request (coordinated disclosure).

@claude
fix(security): constant-time comparison for REST API credentials
c180eef 
validate_credentials() compared the stored API key and secret with === ,
which short-circuits on the first differing byte and can leak the values
through response timing. Compare with hash_equals() instead, and reject the
'prevent' sentinel (used before credentials are generated) and empty
credentials explicitly so they can never authenticate.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Warning

Review limit reached

@vuckro, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 28 minutes and 51 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0d5ce4d2-19fc-48e1-8c85-858bc8d534c9

📥 Commits

Reviewing files that changed from the base of the PR and between 1310078 and c180eef.

📒 Files selected for processing (1)
  • inc/class-api.php
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@superdav42 superdav42 mentioned this pull request Jun 10, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@vuckro