Add timing-safe compare security rule

claude · claude · commit 4a378c3d0fa4 · 2025-12-08T02:06:57.000Z
Add universal security rule that prohibits timing-safe compare functions
on raw secret values. Instead, always hash both tokens with SHA3 before
comparison.

Covers all languages: Node.js, Ruby, Python, Go, Java, etc.

Added to /review checklist for code review enforcement.
diff --git a/ai/rules/review.mdc b/ai/rules/review.mdc
@@ -15,6 +15,7 @@ Criteria {
   Use autodux.mdc for Redux state management patterns and Autodux usage.
   Use javascript-io-network-effects.mdc for network effects and side effect handling.
   Use commit.mdc for commit message quality and conventional commit format.
+  Use security/timing-safe-compare.mdc when reviewing secret/token comparisons (CSRF, API keys, sessions). Flag crypto.timingSafeEqual or raw token comparisons as CRITICAL.
   Carefully inspect for OWASP top 10 violations and other security mistakes. Use search. Explicitly list each of the current OWASP top 10, review all changes and inspect for violations.
   Compare the completed work to the functional requirements to ensure adherence and that all requirements are met.
   Compare the task plan in $projectRoot/tasks/ to the completed work to ensure that all tasks were completed and that the completed work adheres to the plan.
diff --git a/ai/rules/security/timing-safe-compare.mdc b/ai/rules/security/timing-safe-compare.mdc
@@ -0,0 +1,70 @@
+---
+description: Security rule for timing-safe secret comparison. Use SHA3 hashing instead of timing-safe compare functions. Applies to all languages.
+alwaysApply: false
+---
+
+# Timing Safe Compare Security Rule
+
+## Constraint: No Timing Safe Compare on Raw Values
+
+There is no timing safe compare for raw values. Never use:
+- `crypto.timingSafeEqual` (Node.js)
+- `hmac.compare` / `secure_compare` (Ruby)
+- `constant_time_compare` (Python)
+- `ConstantTimeCompare` (Go)
+- `MessageDigest.isEqual` (Java)
+- XOR accumulation tricks
+- Any direct string compare on raw secrets
+
+Always hash both the stored secret token and the candidate token with SHA3, then compare the hashes.
+
+## Reasons
+
+1. **Hashing removes all prefix structure.** Any bit change fully randomizes the hash. No timing oracle. No hangman-style attacks.
+2. **Raw secrets never appear in logs or errors.** Hashing provides defense in depth.
+3. **No reliance on runtime guarantees.** Timing-safe compare functions can lose their guarantees under compiler, engine, or JIT optimizations across any language runtime.
+
+## Implementation Pattern (JavaScript example)
+
+```javascript
+import { sha3_256 } from "js-sha3";
+
+const hashToken = (token) => sha3_256(token || "");
+
+// Hash both tokens before comparison.
+// Reasons:
+//   1. Comparing raw tokens is vulnerable to subtle timing leaks,
+//      especially if timing-safe compare helpers get broken by
+//      compiler or engine optimizations.
+//   2. A cryptographic hash makes any change in the input completely
+//      change the output, so there is no prefix-based timing signal.
+//   3. Hashing also keeps raw CSRF token values out of logs and errors.
+const tokensMatch = (token1, token2) => hashToken(token1) === hashToken(token2);
+```
+
+## Rules
+
+TimingSafeCompare {
+  (timing safe compare needed?) =>
+    Implement with SHA3 hashing strategy.
+    Include code comment explaining this reasoning to prevent people from "fixing" to use timingSafeEqual or similar.
+
+  ("timing safe compare" detected in code) =>
+    Raise CRITICAL security bug report: "Timing safe compare on raw value detected"
+    Include justifications from this rule.
+    Recommend SHA3 hashing strategy.
+
+  (crypto.timingSafeEqual detected) =>
+    CRITICAL: Flag as security issue.
+    Replace with SHA3 hash comparison pattern.
+
+  (hmac.compare OR secure_compare OR constant_time_compare OR ConstantTimeCompare OR MessageDigest.isEqual detected) =>
+    CRITICAL: Flag as security issue.
+    Replace with SHA3 hash comparison pattern.
+
+  (raw token comparison detected) =>
+    CRITICAL: Flag as security issue.
+    Both tokens must be hashed before comparison.
+}
+
+This rule overrides all library defaults and conventional wisdom about timing-safe comparison.
