From ef57fe4ae3c517a0bb10b81a641fb76976f404d3 Mon Sep 17 00:00:00 2001
From: leonklingele <5585491+leonklingele@users.noreply.github.com>
Date: Sat, 6 Jul 2019 19:03:13 +0200
Subject: [PATCH] routers: do not leak secrets via timing side channel (#7364)

* routers: do not leak secrets via timing side channel

* routers/repo: do not leak secrets via timing side channel
---
 routers/metrics.go   | 6 +++++-
 routers/repo/pull.go | 5 ++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/routers/metrics.go b/routers/metrics.go
index 78abd4a785..b7711dfced 100644
--- a/routers/metrics.go
+++ b/routers/metrics.go
@@ -5,6 +5,8 @@
 package routers
 
 import (
+	"crypto/subtle"
+
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 
 	"code.gitea.io/gitea/modules/context"
@@ -22,7 +24,9 @@ func Metrics(ctx *context.Context) {
 		ctx.Error(401)
 		return
 	}
-	if header != "Bearer "+setting.Metrics.Token {
+	got := []byte(header)
+	want := []byte("Bearer " + setting.Metrics.Token)
+	if subtle.ConstantTimeCompare(got, want) != 1 {
 		ctx.Error(401)
 		return
 	}
diff --git a/routers/repo/pull.go b/routers/repo/pull.go
index 4c377bb364..cb4fa9547e 100644
--- a/routers/repo/pull.go
+++ b/routers/repo/pull.go
@@ -8,6 +8,7 @@ package repo
 
 import (
 	"container/list"
+	"crypto/subtle"
 	"fmt"
 	"io"
 	"path"
@@ -771,7 +772,9 @@ func TriggerTask(ctx *context.Context) {
 	if ctx.Written() {
 		return
 	}
-	if secret != base.EncodeMD5(owner.Salt) {
+	got := []byte(base.EncodeMD5(owner.Salt))
+	want := []byte(secret)
+	if subtle.ConstantTimeCompare(got, want) != 1 {
 		ctx.Error(404)
 		log.Trace("TriggerTask [%s/%s]: invalid secret", owner.Name, repo.Name)
 		return
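Review bot: `subtle.ConstantTimeCompare` returns 0 immediately when the two slices differ in length, so the rewritten check in Metrics still reveals the length of `"Bearer " + setting.Metrics.Token` through timing even though the contents are now compared in constant time. If the token length is also to be kept out of the side channel, compare fixed-size digests instead: `gotSum := sha256.Sum256([]byte(header))`, `wantSum := sha256.Sum256([]byte("Bearer " + setting.Metrics.Token))`, `if subtle.ConstantTimeCompare(gotSum[:], wantSum[:]) != 1 {` (with `crypto/sha256` added to the import block). In either form a short comment above the comparison, such as `// constant-time compare so response timing cannot reveal the token byte by byte`, would record why the plain `!=` was replaced. Metrics' body starts outside the hunk.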
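Review bot: The `got`/`want` names in TriggerTask are the reverse of the same change in routers/metrics.go: here `got` holds the server-side expected value `base.EncodeMD5(owner.Salt)` and `want` the caller-supplied `secret`, whereas in Metrics `got` is the request header and `want` the configured token. The comparison is symmetric so behaviour is unaffected, but swapping them to `got := []byte(secret)` and `want := []byte(base.EncodeMD5(owner.Salt))` keeps the two call sites readable the same way. Since the expected value here is a hex MD5 digest of fixed length (presumably 32 characters), ConstantTimeCompare's early return on a length mismatch reveals nothing beyond that constant, which is worth a one-line comment next to the check. TriggerTask's body continues outside the hunk.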