OpenClaw: Shared-secret comparison call sites leaked length information through timing
Several webhook and interaction secret-comparison call sites leaked secret-length information: they returned early on a length mismatch before reaching the constant-time comparison, so response timing revealed whether a supplied value had the same length as the secret, instead of delegating to the shared safeEqualSecret helper.
extensions/bluebubbles/src/monitor.ts
This webhook auth path normalized two secrets, rejected mismatched lengths before comparison, and was changed to delegate to the shared secret-comparison helper.
extensions/feishu/src/monitor.transport.ts
The Feishu webhook signature validator used a local timingSafeEqualString helper with an early length check before comparing the computed signature to the request signature.
extensions/mattermost/src/mattermost/interactions.ts
Mattermost interaction token verification compared a derived expected token to the supplied token and returned early on length mismatch before the timing-safe compare.
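The pattern the advisory describes beside a hardened form, as an added example that is not OpenClaw's own code (the shape of the helper, the HMAC webhook check, and the names lengthLeakingEqual, safeEqualSecret, signBody and verifyWebhookSignature are assumptions):

```typescript
import { createHash, createHmac, timingSafeEqual } from "node:crypto";

// Vulnerable pattern described in the advisory: the length check returns
// before the constant-time compare runs, so a request whose token has the
// wrong length is answered measurably faster than one with the right length.
export function lengthLeakingEqual(expected: string, supplied: string): boolean {
  const a = Buffer.from(expected, "utf8");
  const b = Buffer.from(supplied, "utf8");
  if (a.length !== b.length) return false; // early exit leaks the secret's length
  return timingSafeEqual(a, b);
}

// Hardened comparison (assumed shape of a safeEqualSecret-style helper, not
// OpenClaw's implementation): hash both sides to fixed-size digests so that
// timingSafeEqual always runs on equal-length buffers. The work done per call
// no longer depends on whether the supplied length matches the secret's.
export function safeEqualSecret(expected: string, supplied: string): boolean {
  const a = createHash("sha256").update(expected, "utf8").digest();
  const b = createHash("sha256").update(supplied, "utf8").digest();
  return timingSafeEqual(a, b);
}

// Webhook-style check of the kind the Feishu and Mattermost call sites perform:
// derive the expected value from the shared secret, then compare it to the
// caller-supplied value with the hardened helper.
export function signBody(secret: string, body: string): string {
  return createHmac("sha256", secret).update(body, "utf8").digest("hex");
}

export function verifyWebhookSignature(secret: string, body: string, requestSig: string): boolean {
  return safeEqualSecret(signBody(secret, body), requestSig);
}
```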