From df036439180366dd371f11164c91d9f8ddc95077 Mon Sep 17 00:00:00 2001
From: Naveed Qadir
Date: Thu, 25 Dec 2025 00:53:46 +0530
Subject: [PATCH 1/2] CompareStrings: constant-time comparison to mitigate timing attack

---
 .npmignore | 1 +
 src/bcrypt_node.cc | 14 +++++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/.npmignore b/.npmignore
index 61561eb..464ef04 100644
--- a/.npmignore
+++ b/.npmignore
@@ -1,3 +1,4 @@
 .lock*
 build*/
 *.sw[a-z]
+issues/
diff --git a/src/bcrypt_node.cc b/src/bcrypt_node.cc
index 2f072a4..bdff75e 100644
--- a/src/bcrypt_node.cc
+++ b/src/bcrypt_node.cc
@@ -195,8 +195,20 @@ namespace {
     }
 
     /* COMPARATOR */
+    /* COMPARATOR - constant-time to avoid timing attacks */
     inline bool CompareStrings(const char* s1, const char* s2) {
-        return strcmp(s1, s2) == 0;
+        if (!s1 || !s2) return false;
+        size_t len1 = strlen(s1);
+        size_t len2 = strlen(s2);
+        size_t maxlen = len1 > len2 ? len1 : len2;
+        unsigned char diff = 0;
+        for (size_t i = 0; i < maxlen; i++) {
+            unsigned char c1 = i < len1 ? (unsigned char)s1[i] : 0;
+            unsigned char c2 = i < len2 ? (unsigned char)s2[i] : 0;
+            diff |= c1 ^ c2;
+        }
+        diff |= (unsigned char)(len1 ^ len2);
+        return diff == 0;
     }
 
     class CompareAsyncWorker : public Napi::AsyncWorker {

From b0bf2ce54e110508da0a7b950892ec7b9efeb419 Mon Sep 17 00:00:00 2001
From: Naveed Qadir <55054920+naveedqadir@users.noreply.github.com>
Date: Thu, 25 Dec 2025 01:02:21 +0530
Subject: [PATCH 2/2] Update .npmignore

---
 .npmignore | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.npmignore b/.npmignore
index 464ef04..61561eb 100644
--- a/.npmignore
+++ b/.npmignore
@@ -1,4 +1,3 @@
 .lock*
 build*/
 *.sw[a-z]
-issues/
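Review bot: The new CompareStrings loop runs for `maxlen` iterations and the two per-iteration ternaries branch on `len1`/`len2`, so its running time is still a function of both input lengths rather than fully constant; only the content comparison is length-independent, and the comment should say so rather than claiming constant time outright, e.g. `/* Content-independent comparison: timing depends only on the longer input's length, never on where the strings differ. */`. Whether the length leak matters depends on the callers (outside this hunk); if both arguments are bcrypt hash strings of fixed length, as the surrounding code suggests, the residual leak is the length alone, and a short comment stating that assumption next to the function would let the next maintainer verify it. The hunk also keeps the old `/* COMPARATOR */` line directly above the added `/* COMPARATOR - constant-time to avoid timing attacks */`, leaving two headers for one function; the old line should be dropped. Finally, a `NULL` argument now yields `false` where the old `strcmp` would have crashed, which is a behaviour change worth noting in the same comment.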