[Bug] sophia_governor_review_service.py: Admin auth uses == instead of hmac.compare_digest — timing attack #3229

@haoyousun60-create

Description

Security Audit Finding

Severity: Medium
File: node/sophia_governor_review_service.py:142-145
Issue: The admin authentication check uses == for key comparison instead of hmac.compare_digest.

Code:

required_admin = os.getenv("RC_ADMIN_KEY", "").strip()
if required_admin:
    provided_admin = (req.headers.get("X-Admin-Key") or req.headers.get("X-API-Key") or "").strip()
    if provided_admin == required_admin:  # Timing-unsafe!

Impact:

  • Timing attack on RC_ADMIN_KEY
  • Attacker can access Sophia governor review endpoints
  • Can approve/reject governance reviews

Fix:

if provided_admin and hmac.compare_digest(provided_admin, required_admin):

Note: This is the 6th file with the same pattern. A project-wide audit for == comparisons on secrets is recommended.

Wallet: RTC4642c5ee8467f61ed91b5775b0eeba984dd776ba
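The two things the report asks for, a constant-time admin-key check and a project-wide search for `==` on secret-like names, as an added example (not code from the repository or the reporter). `check_admin_key` and `find_secret_eq_comparisons` are hypothetical names; the sample source is constructed here, and the choice to fail closed when the required key is empty is an assumption, since the original code skips the check in that case.

```python
import ast
import hmac
from typing import List, Mapping

def check_admin_key(headers: Mapping[str, str], required_admin: str) -> bool:
    """Constant-time version of the header check quoted in the issue.

    Same lookup order (X-Admin-Key, then X-API-Key), but compared with
    hmac.compare_digest on bytes, so non-ASCII keys never raise TypeError.
    Assumption: an empty RC_ADMIN_KEY denies instead of skipping the check.
    """
    required = required_admin.strip()
    provided = (headers.get("X-Admin-Key") or headers.get("X-API-Key") or "").strip()
    if not required or not provided:
        return False
    return hmac.compare_digest(provided.encode("utf-8"), required.encode("utf-8"))

# Name fragments that suggest a value is a credential; extend for your code base.
SECRET_HINTS = ("key", "token", "secret", "password", "admin")

def find_secret_eq_comparisons(source: str) -> List[int]:
    """Return 1-based line numbers of ==/!= comparisons involving secret-like names.

    Audit helper for the "project-wide audit" recommended in the issue: walk the
    AST, keep Compare nodes that use Eq/NotEq, and flag those whose operands
    reference a Name containing one of SECRET_HINTS. Calls to compare_digest
    are BoolOp/Call nodes, not Compare nodes, so they are not reported.
    """
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Compare):
            continue
        if not any(isinstance(op, (ast.Eq, ast.NotEq)) for op in node.ops):
            continue
        names = [n.id.lower() for n in ast.walk(node) if isinstance(n, ast.Name)]
        if any(hint in name for name in names for hint in SECRET_HINTS):
            hits.append(node.lineno)
    return hits

# Constructed sample mirroring the reported pattern (line 5 is the unsafe one).
SAMPLE_SOURCE = '''
required_admin = os.getenv("RC_ADMIN_KEY", "").strip()
if required_admin:
    provided_admin = (req.headers.get("X-Admin-Key") or "").strip()
    if provided_admin == required_admin:
        pass
    if provided_admin and hmac.compare_digest(provided_admin, required_admin):
        pass
count = 0
if count == 1:
    pass
'''
```

Running `find_secret_eq_comparisons` over a whole tree (one `ast.parse` per file) gives a starting list for the audit; each hit still needs a human to confirm the operand really is a secret.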
