routers: do not leak secrets via timing side channel (#7364)

* routers: do not leak secrets via timing side channel

* routers/repo: do not leak secrets via timing side channel
tokarchuk/v1.17
leonklingele 5 years ago committed by techknowlogick
parent 96b66e330b
commit ef57fe4ae3
  1. 6
      routers/metrics.go
  2. 5
      routers/repo/pull.go

@ -5,6 +5,8 @@
package routers package routers
import ( import (
"crypto/subtle"
"github.com/prometheus/client_golang/prometheus/promhttp" "github.com/prometheus/client_golang/prometheus/promhttp"
"code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/context"
@ -22,7 +24,9 @@ func Metrics(ctx *context.Context) {
ctx.Error(401) ctx.Error(401)
return return
} }
if header != "Bearer "+setting.Metrics.Token { got := []byte(header)
want := []byte("Bearer " + setting.Metrics.Token)
if subtle.ConstantTimeCompare(got, want) != 1 {
ctx.Error(401) ctx.Error(401)
return return
} }

@ -8,6 +8,7 @@ package repo
import ( import (
"container/list" "container/list"
"crypto/subtle"
"fmt" "fmt"
"io" "io"
"path" "path"
@ -771,7 +772,9 @@ func TriggerTask(ctx *context.Context) {
if ctx.Written() { if ctx.Written() {
return return
} }
if secret != base.EncodeMD5(owner.Salt) { got := []byte(base.EncodeMD5(owner.Salt))
want := []byte(secret)
if subtle.ConstantTimeCompare(got, want) != 1 {
ctx.Error(404) ctx.Error(404)
log.Trace("TriggerTask [%s/%s]: invalid secret", owner.Name, repo.Name) log.Trace("TriggerTask [%s/%s]: invalid secret", owner.Name, repo.Name)
return return

Loading…
Cancel
Save