Constant time string equality

Webhook/RequestValidator.cs

@@ -4,6 +4,16 @@
 
 namespace GitHubAutoresponder.Webhook {
     public class RequestValidator : IRequestValidator {
+        private bool AreEqualConstantTime(string a, string b) {
+            bool areEqual = true;
+
+            for (int i = 0; i < a.Length; i++) {
+                areEqual = areEqual && a[i] == b[i];
+            }
+
+            return areEqual;
+        }
+
         private string ConvertRawBytesToHexString(byte[] bytes) {
             return string.Join(
                 string.Empty,
@@ -15,10 +25,10 @@ public bool IsValidRequest(string expectedSignature, string key, string payload)
             using (HMACSHA1 hmac = new HMACSHA1(Encoding.ASCII.GetBytes(key))) {
                 byte[] rawPayload = Encoding.ASCII.GetBytes(payload);
                 byte[] rawHash = hmac.ComputeHash(rawPayload);
-                string hash = this.ConvertRawBytesToHexString(rawHash);
+                string hash = ConvertRawBytesToHexString(rawHash);
                 string signature = $"sha1={hash}";
 
-                return signature == expectedSignature; // TODO: constant-time comparison
+                return AreEqualConstantTime(signature, expectedSignature);
             }
         }
     }