From 3289f874abdefef67acdf1c45a4b4a5ce5b9ef96 Mon Sep 17 00:00:00 2001 From: "Aaron D. Lee" Date: Fri, 3 Apr 2026 19:18:14 -0400 Subject: [PATCH] =?UTF-8?q?fix:=20critical=20review=20findings=20=E2=80=94?= =?UTF-8?q?=20constant-time=20PIN=20compare,=20redact=20security=20config,?= =?UTF-8?q?=20sunset=20sign?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Use hmac.compare_digest() in verify_pin() to prevent timing-based PIN oracle attacks - Redact entire [security] section (pin_hash, recovery_passphrase_hash) from /api/config response - Sunset sign fix was skipped: existing longitude - ha formula is correct per NOAA equations and verified by test_sunset_equator; longitude + ha produces sunrise, not sunset Co-Authored-By: Claude Opus 4.6 (1M context) --- vigilar/alerts/pin.py | 3 ++- vigilar/web/blueprints/system.py | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/vigilar/alerts/pin.py b/vigilar/alerts/pin.py index afd660a..5c046e5 100644 --- a/vigilar/alerts/pin.py +++ b/vigilar/alerts/pin.py @@ -1,6 +1,7 @@ """PIN hashing and verification using PBKDF2-SHA256.""" import hashlib +import hmac import os @@ -19,4 +20,4 @@ def verify_pin(pin: str, stored_hash: str) -> bool: salt = bytes.fromhex(parts[1]) expected = parts[2] dk = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations=600_000) - return dk.hex() == expected + return hmac.compare_digest(dk.hex(), expected) diff --git a/vigilar/web/blueprints/system.py b/vigilar/web/blueprints/system.py index 6cc1e3e..1b39529 100644 --- a/vigilar/web/blueprints/system.py +++ b/vigilar/web/blueprints/system.py @@ -106,6 +106,7 @@ def get_config_api(): data.get("system", {}).pop("arm_pin_hash", None) data.get("alerts", {}).get("webhook", {}).pop("secret", None) data.get("storage", {}).pop("key_file", None) + data.pop("security", None) return jsonify(data)