fix: address CodeRabbit security and documentation feedback

audacioustux · audacioustux · commit 5fa632b555be · 2025-11-27T16:29:55.000Z
- Use crypto/subtle.ConstantTimeCompare for webhook secret validation
  to prevent timing attacks
- Fix test script usage comment to match actual filename

Signed-off-by: Tanjim Hossain &lt;tanjim.hossain@gmail.com&gt;
diff --git a/config/examples/cloudevents/test-webhook.sh b/config/examples/cloudevents/test-webhook.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # Test script for CloudEvents webhook
-# Usage: ./test-cloudevents-webhook.sh <webhook-url> <secret>
+# Usage: ./test-webhook.sh <webhook-url> <secret>
 
 set -e
 
diff --git a/pkg/webhook/cloudevents.go b/pkg/webhook/cloudevents.go
@@ -1,6 +1,7 @@
 package webhook
 
 import (
+	"crypto/subtle"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -63,7 +64,7 @@ func (c *CloudEventsWebhook) Validate(r *http.Request) error {
 			return fmt.Errorf("missing webhook secret")
 		}
 
-		if secret != c.secret {
+		if subtle.ConstantTimeCompare([]byte(secret), []byte(c.secret)) != 1 {
 			return fmt.Errorf("invalid webhook secret")
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`package webhook`
`2`	`2`
`3`	`3`	`import (`
	`4`	`+ "crypto/subtle"`
`4`	`5`	`"encoding/json"`
`5`	`6`	`"fmt"`
`6`	`7`	`"io"`
`@@ -63,7 +64,7 @@ func (c CloudEventsWebhook) Validate(r http.Request) error {`
`63`	`64`	`return fmt.Errorf("missing webhook secret")`
`64`	`65`	`}`
`65`	`66`
`66`		`- if secret != c.secret {`
	`67`	`+ if subtle.ConstantTimeCompare([]byte(secret), []byte(c.secret)) != 1 {`
`67`	`68`	`return fmt.Errorf("invalid webhook secret")`
`68`	`69`	`}`
`69`	`70`	`}`