Skip to content

πŸ›‘οΈ Sentinel: Harden timing-safe equality and sensitive content filtering#73

Open
SuvenSeo wants to merge 1 commit into
masterfrom
sentinel-security-hardening-8469797605679338390
Open

πŸ›‘οΈ Sentinel: Harden timing-safe equality and sensitive content filtering#73
SuvenSeo wants to merge 1 commit into
masterfrom
sentinel-security-hardening-8469797605679338390

Conversation

@SuvenSeo

@SuvenSeo SuvenSeo commented Jun 13, 2026

Copy link
Copy Markdown
Owner

πŸ›‘οΈ Sentinel: Security Hardening Report

🚨 Severity: HIGH
πŸ’‘ Vulnerability: Length-based timing attacks on secrets and accidental persistence of sensitive data (API keys, tokens).
🎯 Impact: Attackers could potentially guess secret lengths through timing side-channels. Secrets could be stored in plaintext in the database via Telegram messages or journal entries.
πŸ”§ Fix:

  1. Hardened timing-safe equality by hashing inputs with SHA-256 before comparison.
  2. Implemented Edge-compatible async hashing for the dashboard proxy.
  3. Injected sensitive content filters into ingestion paths (Telegram, Journal).
    βœ… Verification: New security-hardening.test.js suite passes; all existing tests pass; verified async call sites.

⚑ Bolt Performance Note: Using crypto.subtle.digest in parallel via Promise.all in proxy.js minimizes the latency impact of the extra hashing step.

PR created automatically by Jules for task 8469797605679338390 started by @SuvenSeo

@google-labs-jules @SuvenSeo
πŸ›‘οΈ Sentinel: Harden timing-safe equality and sensitive content filtering
cba1d46 
- Implement pre-hashing (SHA-256) in `safeEqual` and `safeEqualText` to prevent length-based timing attacks.
- Update `safeEqualText` in `proxy.js` to be async for Edge Runtime compatibility.
- Add `hasSensitiveContent` filtering to Telegram message and journal handlers to prevent secret persistence.
- Add security hardening test suite and journal critical learnings.

Co-authored-by: SuvenSeo <263689617+SuvenSeo@users.noreply.github.com>
@google-labs-jules

google-labs-jules Bot commented Jun 13, 2026

Copy link
Copy Markdown

πŸ‘‹ Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a πŸ‘€ emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

@vercel

vercel Bot commented Jun 13, 2026
edited
Loading

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
seo-os-agent Ready Ready Preview, Comment Jun 13, 2026 7:55pm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@SuvenSeo