From 540f79a38f215751fbd17e61db3dc29037799740 Mon Sep 17 00:00:00 2001 From: Shireen Missi <94372015+ShireenMissi@users.noreply.github.com> Date: Tue, 10 Sep 2024 13:02:38 +0100 Subject: [PATCH] fix(Telegram Trigger Node): Use timing-safe string comparison (no-changelog) (#10718) --- packages/nodes-base/nodes/Telegram/TelegramTrigger.node.ts | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/packages/nodes-base/nodes/Telegram/TelegramTrigger.node.ts b/packages/nodes-base/nodes/Telegram/TelegramTrigger.node.ts index 861a57683..aec3dc4dc 100644 --- a/packages/nodes-base/nodes/Telegram/TelegramTrigger.node.ts +++ b/packages/nodes-base/nodes/Telegram/TelegramTrigger.node.ts @@ -1,3 +1,4 @@ +import crypto from 'crypto'; import type { IHookFunctions, IWebhookFunctions, @@ -233,7 +234,11 @@ export class TelegramTrigger implements INodeType { const nodeVersion = this.getNode().typeVersion; if (nodeVersion > 1) { const secret = getSecretToken.call(this); - if (secret !== headerData['x-telegram-bot-api-secret-token']) { + const secretBuffer = Buffer.from(secret); + const headerSecretBuffer = Buffer.from( + String(headerData['x-telegram-bot-api-secret-token'] ?? ''), + ); + if (!crypto.timingSafeEqual(secretBuffer, headerSecretBuffer)) { const res = this.getResponseObject(); res.status(403).json({ message: 'Provided secret is not valid' }); return {
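Review bot: `crypto.timingSafeEqual` throws a RangeError when its two buffers differ in length, so in the second hunk a request whose `x-telegram-bot-api-secret-token` header is absent, empty, or simply of a different length than the configured secret now presumably escapes the handler as an unhandled error instead of receiving the 403 response on the following lines, which the replaced `!==` check did return. The new condition should guard the length before the constant-time compare, `if (secretBuffer.length !== headerSecretBuffer.length || !crypto.timingSafeEqual(secretBuffer, headerSecretBuffer)) {`; the early exit only exposes the secret's length, which the timing-safe comparison does not protect anyway. An alternative that keeps the inputs equal-length is to compare SHA-256 digests of both buffers. The enclosing webhook method starts and ends outside the hunk, so whether an error thrown here is caught further up cannot be confirmed from the diff.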