commit

node_modules/safe-compare/.npmignore

@@ -0,0 +1,44 @@
+# Created by .ignore support plugin (hsz.mobi)
+### Node template
+# Logs
+logs
+*.log
+npm-debug.log*
+
+# Runtime data
+pids
+*.pid
+*.seed
+
+# IDE
+.idea
+.c9
+.git
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+
+# Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (http://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directory
+# https://docs.npmjs.com/misc/faq#should-i-check-my-node-modules-folder-into-git
+node_modules
+
+# misc
+.DS_Store
+.codeclimate.yml
+.travis.yml
+
+# test directory
+benchmark
+test

node_modules/safe-compare/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Michael Raith
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

node_modules/safe-compare/README.md

@@ -0,0 +1,58 @@
+# safe-compare
+Constant-time comparison algorithm to prevent Node.js timing attacks.
+
+For more information about Node.js timing attacks, please visit https://snyk.io/blog/node-js-timing-attack-ccc-ctf/.
+
+[![npm package](https://img.shields.io/npm/v/safe-compare.svg?style=flat-square)](https://www.npmjs.org/package/safe-compare)
+[![tag:?](https://img.shields.io/github/tag/Bruce17/safe-compare.svg?style=flat-square)](https://github.com/Bruce17/safe-compare/releases)
+[![Dependency Status](https://david-dm.org/Bruce17/safe-compare.svg?style=flat-square)](https://david-dm.org/Bruce17/safe-compare)
+[![devDependency Status](https://david-dm.org/Bruce17/safe-compare/dev-status.svg?style=flat-square)](https://david-dm.org/Bruce17/safe-compare#info=devDependencies)
+[![Coverage Status](https://coveralls.io/repos/github/Bruce17/safe-compare/badge.svg?branch=master)](https://coveralls.io/github/Bruce17/safe-compare?branch=master)
+[![Code Climate](https://codeclimate.com/github/Bruce17/safe-compare/badges/gpa.svg)](https://codeclimate.com/github/Bruce17/safe-compare)
+[![Known Vulnerabilities](https://snyk.io/test/github/bruce17/safe-compare/badge.svg)](https://snyk.io/test/github/bruce17/safe-compare)
+[![Build Status - Tarvis](https://travis-ci.org/Bruce17/safe-compare.svg?style=flat-square&branch=master)](https://travis-ci.org/Bruce17/safe-compare)
+[![Build status - AppVeyor](https://ci.appveyor.com/api/projects/status/ounmeq5c4ajuu7g3/branch/master?svg=true)](https://ci.appveyor.com/project/Bruce17/safe-compare/branch/master)
+
+**NOTICE**:
+
+If you are using Node.js v6.6.0 or higher, you can use [crypto.timingSafeEqual(a, b)](https://nodejs.org/api/crypto.html#crypto_crypto_timingsafeequal_a_b) from the `crypto` module. Keep in mind that the method `crypto.timingSafeEqual` only accepts `Buffer`s with the same length! This bundle will handle strings with different lengths for you.
+
+
+## Installation
+
+```
+$ npm install safe-compare --save
+```
+
+
+## Usage
+
+```javascript
+var safeCompare = require('safe-compare');
+
+safeCompare('hello world', 'hello world'); // -> true
+
+safeCompare('hello', 'not hello'); // -> false
+safeCompare('hello foo', 'hello bar'); // -> false
+```
+
+Note: runtime is always corresponding to the length of the first parameter.
+
+
+## Tests
+
+```
+$ npm test
+```
+
+
+## What's the improvement of this package?
+
+This Node.js module is a improvement of the two existing modules [scmp](https://github.com/freewil/scmp) and [secure-compare](https://github.com/vdemedes/secure-compare). It uses the best parts of both implementations.
+
+The implementation of [scmp](https://github.com/freewil/scmp) is a good base, but it has a shorter execution time if the string's length is not equal. The package [secure-compare](https://github.com/vdemedes/secure-compare) always compares the two input strings, but its implementation is not as clean as in [scmp](https://github.com/freewil/scmp).
+
+
+## License
+
+safe-compare is released under the MIT license.

node_modules/safe-compare/appveyor.yml

@@ -0,0 +1,56 @@
+# Set build version.
+version: "{build}-{branch}"
+
+environment:
+  matrix:
+    - nodejs_version: "11"
+    - nodejs_version: "10"
+    - nodejs_version: "9"
+    - nodejs_version: "8"
+    - nodejs_version: "7"
+    - nodejs_version: "6"
+    - nodejs_version: "5"
+    - nodejs_version: "4"
+    - nodejs_version: "0.12"
+    - nodejs_version: "0.11"
+    - nodejs_version: "0.10"
+    # io.js
+    - nodejs_version: "1"
+
+platform:
+  - x86
+  - x64
+
+matrix:
+  # Fail fast and stop on build errors for the current tested version.
+  fast_finish: true
+
+cache:
+  - node_modules -> package.json
+
+# Fix Git line endings on checkout
+#init:
+#  - git config --global core.autocrlf true
+
+install:
+  - ps: Install-Product node $env:nodejs_version $env:platform
+  - npm install
+
+test_script:
+  # Output used NodeJS/NPM versions
+  - node --version
+  - npm --version
+
+  # run tests
+  - npm run-script test
+  - npm run-script test-travis
+
+#after_test:
+#  # send coverage data to coveralls
+#  - npm run-script coveralls
+#
+#  # send coverage data to codeclimate
+#  - npm run-script codeclimate
+
+# Don't actually build.
+build: off

node_modules/safe-compare/index.js

@@ -0,0 +1,75 @@
+/**
+ * @author Michael Raith
+ * @date   24.02.2016 12:04
+ */
+
+'use strict';
+
+var crypto = require('crypto');
+var bufferAlloc = require('buffer-alloc');
+
+
+/**
+ * Do a constant time string comparison. Always compare the complete strings
+ * against each other to get a constant time. This method does not short-cut
+ * if the two string's length differs.
+ *
+ * @param {string} a
+ * @param {string} b
+ *
+ * @return {boolean}
+ */
+var safeCompare = function safeCompare(a, b) {
+    var strA = String(a);
+    var strB = String(b);
+    var lenA = strA.length;
+    var result = 0;
+
+    if (lenA !== strB.length) {
+        strB = strA;
+        result = 1;
+    }
+
+    for (var i = 0; i < lenA; i++) {
+        result |= (strA.charCodeAt(i) ^ strB.charCodeAt(i));
+    }
+
+    return result === 0;
+};
+
+
+/**
+ * Call native "crypto.timingSafeEqual" methods.
+ * All passed values will be converted into strings first.
+ *
+ * Runtime is always corresponding to the length of the first parameter (string
+ * a).
+ *
+ * @param {string} a
+ * @param {string} b
+ *
+ * @return {boolean}
+ */
+var nativeTimingSafeEqual = function nativeTimingSafeEqual(a, b) {
+    var strA = String(a);
+    var strB = String(b);
+    var aLen = Buffer.byteLength(strA);
+    var bLen = Buffer.byteLength(strB);
+
+    // Always use length of a to avoid leaking the length. Even if this is a
+    // false positive because one is a prefix of the other, the explicit length
+    // check at the end will catch that.
+    var bufA = bufferAlloc(aLen, 0, 'utf8');
+    bufA.write(strA);
+    var bufB = bufferAlloc(aLen, 0, 'utf8');
+    bufB.write(strB);
+
+    return crypto.timingSafeEqual(bufA, bufB) && aLen === bLen;
+};
+
+
+module.exports = (
+    typeof crypto.timingSafeEqual !== 'undefined' ?
+        nativeTimingSafeEqual :
+        safeCompare
+);

node_modules/safe-compare/package.json

@@ -0,0 +1,46 @@
+{
+  "name": "safe-compare",
+  "version": "1.1.4",
+  "description": "Constant-time comparison algorithm to prevent timing attacks.",
+  "main": "index.js",
+  "scripts": {
+    "test": "mocha",
+    "posttest": "matcha",
+    "test-travis": "node --harmony node_modules/istanbul/lib/cli.js cover ./node_modules/mocha/bin/_mocha --report lcovonly -- -u exports",
+    "coveralls": "node ./node_modules/.bin/coveralls < ./coverage/lcov.info",
+    "codeclimate": "node ./node_modules/.bin/codeclimate-test-reporter < ./coverage/lcov.info"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Bruce17/safe-compare.git"
+  },
+  "keywords": [
+    "safe-compare",
+    "secure-compare",
+    "compare",
+    "time-equivalent-comparison",
+    "time",
+    "equivalent",
+    "timing",
+    "attack",
+    "constant-time",
+    "constant",
+    "time"
+  ],
+  "author": "Michael Raith",
+  "license": "MIT",
+  "readmeFilename": "README.md",
+  "bugs": {
+    "url": "https://github.com/Bruce17/safe-compare/issues"
+  },
+  "homepage": "https://github.com/Bruce17/safe-compare#readme",
+  "devDependencies": {
+    "coveralls": "^2.11.14",
+    "istanbul": "^0.4.5",
+    "matcha": "^0.7.0",
+    "mocha": "^3.1.2"
+  },
+  "dependencies": {
+    "buffer-alloc": "^1.2.0"
+  }
+}