fix(utils): use hmac.compare_digest for secure WebApp signature valid…#1710

Merged
JrooTJunior merged 1 commit into aiogram:dev-3.x from iSlavok:dev-3.x
Jul 19, 2025

Conversation

@iSlavok iSlavok commented Jul 15, 2025

fix(utils): use hmac.compare_digest for secure WebApp signature validation

The WebApp signature validation in utils.web_app currently compares the calculated HMAC with the provided hash using ==. While this works correctly for cryptographic verification, it may theoretically leak timing information.

This change replaces the comparison with hmac.compare_digest, which is designed to perform constant-time comparisons and is recommended for all cryptographic checks. Although practical timing attacks are unlikely in this context, this change improves overall security best practices.

Description

This pull request addresses a potential vulnerability in the WebApp signature validation mechanism. The current implementation uses the == operator to compare the calculated HMAC signature with the provided hash. This could be susceptible to timing attacks, as standard string comparison does not execute in constant time.

This change replaces the insecure comparison with hmac.compare_digest, which is the recommended practice for cryptographic operations in Python and mitigates such attacks.

Fixes #1711

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

I have confirmed that my changes are effective and do not break existing functionality by adding unit tests that cover the following scenarios:

  • Test A: A test case to ensure that a valid signature is correctly verified using hmac.compare_digest.
  • Test B: A test case to ensure that an invalid signature is correctly rejected and the function returns False.

Test Configuration:

  • Operating System: Ubuntu 22.04
  • Python version: 3.12

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

Special thanks to @desspperate for helping to find and resolve this issue.
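
As an added illustration (not code from this pull request or from aiogram), the sketch below puts the `==` check beside the `hmac.compare_digest` form for Telegram's documented Web App init-data scheme. The function names, token and field values are constructed for the example; the byte encoding before the comparison is this example's own choice for handling a non-ASCII `hash` value.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode


def expected_hash(token: str, fields: dict) -> str:
    # Telegram's documented Web App scheme: sorted "key=value" lines, MACed
    # with a key derived as HMAC-SHA256(key=b"WebAppData", msg=bot_token).
    data_check_string = "\n".join(f"{k}={v}" for k, v in sorted(fields.items()))
    secret = hmac.new(b"WebAppData", token.encode(), hashlib.sha256).digest()
    return hmac.new(secret, data_check_string.encode(), hashlib.sha256).hexdigest()


def check_signature_eq(token: str, init_data: str) -> bool:
    """'Before' form: == can return at the first differing character."""
    fields = dict(parse_qsl(init_data))
    provided = fields.pop("hash", None)
    if provided is None:
        return False
    return expected_hash(token, fields) == provided


def check_signature_ct(token: str, init_data: str) -> bool:
    """'After' form: comparison time does not depend on where the values differ."""
    fields = dict(parse_qsl(init_data))
    provided = fields.pop("hash", None)
    if provided is None:
        return False
    # Compare bytes, not str: compare_digest raises TypeError for non-ASCII
    # str input, and the hash field is caller-controlled.
    return hmac.compare_digest(expected_hash(token, fields).encode(), provided.encode())


def sign(token: str, fields: dict) -> str:
    """Build a signed init-data query string (used for the constructed sample)."""
    return urlencode({**fields, "hash": expected_hash(token, fields)})


# Constructed sample values, not real credentials or real Telegram data.
TOKEN = "123456:CONSTRUCTED-TEST-TOKEN"
FIELDS = {"auth_date": "1700000000", "query_id": "AAExample", "user": '{"id":1}'}

if __name__ == "__main__":
    good = sign(TOKEN, FIELDS)
    print(check_signature_ct(TOKEN, good))
    print(check_signature_ct(TOKEN, good.replace("1700000000", "1700000001")))
    print(check_signature_ct(TOKEN, "auth_date=1&hash=%C3%A9"))
```

Both functions return the same verdicts on ASCII input; they differ in how the comparison's running time relates to the position of the first mismatch.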

@github-actions github-actions bot added the 3.x Issue or PR for stable 3.x version label Jul 15, 2025
@github-actions
✔️ Changelog found.

Thank you for adding a description of the changes

codecov bot commented Jul 15, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 100.00%. Comparing base (7a517f1) to head (f2b8e60).
Report is 1 commits behind head on dev-3.x.

Additional details and impacted files

@@            Coverage Diff            @@
##           dev-3.x     #1710   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files          578       578           
  Lines        13531     13531           
=========================================
  Hits         13531     13531           

Flag       Coverage Δ
unittests  100.00% <100.00%> (ø)

Flags with carried forward coverage won't be shown.

Files with missing lines   Coverage Δ
aiogram/utils/web_app.py   100.00% <100.00%> (ø)

@JrooTJunior JrooTJunior requested a review from Copilot July 15, 2025 23:04

Copilot AI left a comment

Pull Request Overview

This PR fixes a security vulnerability in WebApp signature validation by replacing an insecure string comparison with a constant-time comparison function. The change prevents potential timing attacks during cryptographic verification while maintaining the same functionality.

Key changes:

  • Replace == operator with hmac.compare_digest() for HMAC signature comparison
  • Add changelog entry documenting the security improvement

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File                       Description
aiogram/utils/web_app.py   Updates signature validation to use secure constant-time comparison
CHANGES/1709.bugfix.rst    Documents the security fix in the changelog

@JrooTJunior JrooTJunior merged commit ddcedad into aiogram:dev-3.x Jul 19, 2025
24 checks passed
@desspperate desspperate mentioned this pull request Feb 11, 2026
11 tasks
Labels

3.x Issue or PR for stable 3.x version

Development

Successfully merging this pull request may close these issues.

Security: Use constant-time comparison in check_webapp_signature

3 participants