sec: resolve cryptographic timing attack vulnerability in admin authentication (#18) by rishabh0510rishabh · Pull Request #21 · Vishisht16/Humane-Proxy

rishabh0510rishabh · 2026-05-17T08:27:16Z

PR Description

Problem / Motivation

Analysis of the REST Admin API middleware revealed a critical timing side-channel security vulnerability in how Bearer tokens are validated.

In humane_proxy/api/admin.py's _require_admin dependency, the HUMANE_PROXY_ADMIN_KEY extracted from the environment was compared against the incoming request credentials using Python's standard inequality operator (!=).

Because standard string equality compares strings character-by-character and short-circuits upon encountering the first mismatch, it introduces a measurable timing discrepancy based on how many characters of the client's payload match the actual secret. An attacker can leverage this timing side-channel (CWE-208) to brute-force the HUMANE_PROXY_ADMIN_KEY over the network, thereby granting them full access to all /admin endpoints (such as exporting or deleting sensitive escalation records).

Proposed Fix

This PR replaces the short-circuiting inequality operator (!=) with hmac.compare_digest from the Python standard library.

hmac.compare_digest is specifically designed for cryptographic constant-time comparison. It performs a uniform, constant-time comparison of the two string values regardless of whether, or where, the characters mismatch. This entirely closes the timing side-channel vulnerability.

Technical Changes

We imported the hmac module and updated _require_admin in admin.py:

diff --git a/humane_proxy/api/admin.py b/humane_proxy/api/admin.py
index f83dea1..ecd174c 100644
--- a/humane_proxy/api/admin.py
+++ b/humane_proxy/api/admin.py
@@ -19,6 +19,7 @@ Endpoints:
 from __future__ import annotations
 
 import csv
+import hmac
 import io
 import json
 import logging
@@ -60,7 +61,7 @@ def _require_admin(
                 "environment variable to enable it."
             ),
         )
-    if credentials is None or credentials.credentials != admin_key:
+    if credentials is None or not hmac.compare_digest(credentials.credentials, admin_key):
         raise HTTPException(
             status_code=401,
             detail="Invalid or missing Bearer token.",

Verification & Testing

All tests have been run locally to ensure correctness and that no regressions are introduced.

Admin Authentication Tests: Verified that valid tokens successfully authenticate, and missing or invalid tokens result in the correct 401 Unauthorized / 403 Forbidden status codes.
Whole Test Suite: Ran the entire test suite to ensure the system is completely stable:
```
python -m pytest ..\tests
```
Result: 214 passed, 13 skipped (0 failures).

Compliance and Checklist

Fixes CWE-208 timing side-channel vulnerability
Uses Python standard library (hmac.compare_digest) for constant-time comparison
All unit and integration tests passed cleanly
No breaking API changes or configurations introduced

Add a .env.example with LLM API placeholders and optional overrides to document environment variables. Add a project-level humane_proxy.yaml containing server, safety, heuristics, trajectory, and escalation default settings. Improve admin auth by importing hmac and using hmac.compare_digest for token comparison to avoid timing-attack risk.

CLAassistant · 2026-05-17T08:27:22Z

All committers have signed the CLA.

coderabbitai · 2026-05-17T08:27:27Z

📝 Walkthrough

Summary by CodeRabbit

Release Notes

Security
- Improved admin API authentication to use constant-time comparison for token validation, preventing timing-based attacks.
New Features
- Added configuration for safety thresholds, content filtering heuristics, trajectory tuning parameters, and escalation controls with webhook integrations.
Documentation
- Added environment configuration template documenting required API credentials and optional settings.

Walkthrough

This PR introduces environmental configuration and security improvements for HumaneProxy. It adds an environment template file, hardens admin token validation with constant-time comparison to prevent timing attacks, and establishes a comprehensive runtime configuration file defining safety thresholds, keyword heuristics for content filtering, context reduction rules, and escalation/alerting settings.

Changes

Configuration and Security Updates

Layer / File(s)	Summary
Admin token security hardening `humane_proxy/api/admin.py`	Bearer token validation is updated to use `hmac.compare_digest()` for constant-time comparison instead of direct inequality checks, mitigating timing-based authentication bypass attempts.
Environment variables template `humane_proxy/.env.example`	Example configuration file documents required `LLM_API_KEY` and `LLM_API_URL` placeholders, plus optional commented overrides for port, risk threshold, webhook URLs, PagerDuty routing, and database path.
Runtime configuration and safety settings `humane_proxy/humane_proxy.yaml`	Comprehensive configuration file defines server runtime settings, numeric safety thresholds, keyword-based heuristics for self-harm and criminal content detection, context reduction phrases, trajectory tuning parameters, and escalation controls with webhook routing endpoints.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

[BUG] Cryptographic Timing Attack Vulnerability in Admin API Authentication #18: Admin API Bearer token validation update to use constant-time comparison (hmac.compare_digest) instead of direct string comparison, addressing timing-attack vulnerability.

Poem

🐰 A configuration tale
Credentials now safe with constant-time care,
Environment templates and settings laid bare,
Heuristics and thresholds in YAML so true,
The proxy stands ready, secure through and through! 🔐

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: fixing a cryptographic timing attack vulnerability in admin authentication via constant-time comparison.
Description check	✅ Passed	The description comprehensively explains the vulnerability, the fix, technical changes, testing, and compliance, all directly related to the changeset.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@humane_proxy/humane_proxy.yaml`:
- Line 3: Replace the placeholder documentation URL
"https://github.com/your-org/humane-proxy#configuration" in the comment at the
top of humane_proxy.yaml with the real repository or docs path for this project
(e.g., your org's actual GitHub repo or the project's docs site) so users
following the configuration link land on a working page; update the comment
string to the correct URL.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1bcf5ca4-e01a-4f0e-ae50-a006345f3669

📥 Commits

Reviewing files that changed from the base of the PR and between 9168b30 and 48f0e0a.

📒 Files selected for processing (3)

humane_proxy/.env.example
humane_proxy/api/admin.py
humane_proxy/humane_proxy.yaml

Vishisht16 · 2026-05-17T09:10:38Z

@rishabh0510rishabh
The admin.py fix is correct, but your PR added duplicates of two unrelated files env.example and humane_proxy.yaml from root to humane_proxy/. I don't see a legit workflow where these files would have accidentally been created or copied into the package directory.
It's likely that this PR was generated by an AI agent and then committed without human review.
GSSoC has strict guidelines against AI-generated low effort contributions. Please explain how these files ended up in your commit.

Vishisht16 · 2026-05-18T16:19:34Z

@rishabh0510rishabh I require you to sign the CLA and explain the commit at the earliest.

rishabh0510rishabh · 2026-05-18T16:25:41Z

Hi @Vishisht16, I apologize for the late response. My exams are currently ongoing, so I haven't been able to commit much time to this lately. I will be free after May 20th, at which point I will look into the issue and, get back to you with an explanation and the necessary updates as soon as possible

…

On Mon, 18 May, 2026, 21:49 Vishisht Mishra, ***@***.***> wrote: *Vishisht16* left a comment (Vishisht16/Humane-Proxy#21) <#21 (comment)> @rishabh0510rishabh <https://github.com/rishabh0510rishabh> I require you to sign the CLA and explain the commit at the earliest. — Reply to this email directly, view it on GitHub <#21 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AULY2H6HHYBGJC2AMRLWWWD43MZ25AVCNFSM6AAAAACZBGVFDWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DINZZGYZDQMBSGY> . You are receiving this because you were mentioned.Message ID: ***@***.***>

Vishisht16 · 2026-05-18T16:27:27Z

@rishabh0510rishabh
If you could write this comment, I need a one liner explanation to my question as soon as possible.

rishabh0510rishabh · 2026-05-18T17:22:10Z

I think it may have happened when I was running local tests and copied them into the humane_proxy/ subdirectory to solve a relative path config issue, then staged them

…

On Mon, 18 May, 2026, 21:57 Vishisht Mishra, ***@***.***> wrote: *Vishisht16* left a comment (Vishisht16/Humane-Proxy#21) <#21 (comment)> @rishabh0510rishabh <https://github.com/rishabh0510rishabh> If you could write this comment, I need a one liner explanation to my question as soon as possible. — Reply to this email directly, view it on GitHub <#21 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AULY2H4HYG7AIBEVMJYR7DD43M2YNAVCNFSM6AAAAACZBGVFDWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DINZZGY4DONBZGY> . You are receiving this because you were mentioned.Message ID: ***@***.***>

Vishisht16 · 2026-05-20T10:38:05Z

@rishabh0510rishabh I'll merge it once you sign the CLA.

Vishisht16 · 2026-05-20T10:46:24Z

Also, it's a good practice to check staged files before you commit. You as another maintainer should know that.
I still don't see a concrete way you could've done that even while testing but I'll merge this PR.

Vishisht16 · 2026-05-24T04:32:07Z

@rishabh0510rishabh can you please sign the CLA so I can merge this immediately?

rishabh0510rishabh · 2026-05-24T04:39:37Z

Sure, @Vishisht16 I have signed the cla

rishabh0510rishabh requested a review from Vishisht16 as a code owner May 17, 2026 08:27

coderabbitai Bot reviewed May 17, 2026

View reviewed changes

Comment thread humane_proxy/humane_proxy.yaml Outdated

Vishisht16 linked an issue May 17, 2026 that may be closed by this pull request

[BUG] Cryptographic Timing Attack Vulnerability in Admin API Authentication #18

Closed

Remove accidental duplicate config files from package directory

f17583c

Vishisht16 approved these changes May 20, 2026

View reviewed changes

Vishisht16 merged commit 1924099 into Vishisht16:main May 24, 2026
8 checks passed

Vishisht16 added gssoc:approved Approved PR under GSSoC'26 level:advanced Requires advanced implementation, bug fixing or refactoring type:performance Fixes performance issues type:security Fixes security issues labels May 24, 2026

Uh oh!

Conversation

rishabh0510rishabh commented May 17, 2026

PR Description

Problem / Motivation

Proposed Fix

Technical Changes

Verification & Testing

Compliance and Checklist

Uh oh!

CLAassistant commented May 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

coderabbitai Bot commented May 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Release Notes

Walkthrough

Changes

Estimated code review effort

Possibly related issues

Poem

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Vishisht16 commented May 17, 2026

Uh oh!

Vishisht16 commented May 18, 2026

Uh oh!

rishabh0510rishabh commented May 18, 2026 via email

Uh oh!

Vishisht16 commented May 18, 2026

Uh oh!

rishabh0510rishabh commented May 18, 2026 via email

Uh oh!

Vishisht16 commented May 20, 2026

Uh oh!

Vishisht16 commented May 20, 2026

Uh oh!

Vishisht16 commented May 24, 2026

Uh oh!

rishabh0510rishabh commented May 24, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

CLAassistant commented May 17, 2026 •

edited

Loading

coderabbitai Bot commented May 17, 2026 •

edited

Loading