timing attack vulnerability

[sjmiller609]

You need to replace a line in flint-bot/sparky/blob/master/lib/res/webhooks.js

offending line:
...
if(sig === hmac.digest('hex')) {
...

Solution: replace triple equals with time-constant comparison from crypto lib
nodejs/node#3073

vulnerability explanation:
https://en.wikipedia.org/wiki/Timing_attack

discussion (in depth explanation):
nodejs/node-v0.x-archive#8560

Thank you for building this framework.

Steven Miller
Cisco Systems, IT Engineer

[nmarus]

Thanks. Fix applied in 4.0.8.

[sjmiller609]

Nice response time. Thanks a lot! Steven