diff options
| author | Jörg Thalheim <joerg@higgsboson.tk> | 2015-03-06 19:49:38 +0100 |
|---|---|---|
| committer | Jörg Thalheim <joerg@higgsboson.tk> | 2015-03-06 20:06:26 +0100 |
| commit | 9f089ac48c22b2f7cfbc7dd0ca29da924c566363 (patch) | |
| tree | a06b8860ae7233d70ab1c40955e702056647b2a2 /lib | |
| parent | 0625d68f7510a2f2203bfe2c57f5927a0121c561 (diff) | |
| download | gitlab-ce-9f089ac48c22b2f7cfbc7dd0ca29da924c566363.tar.gz | |
use constant-time string compare for internal api authentication
Ruby str_equal uses memcmp internally to compare String.
Memcmp is vunerable to timing attacks because it returns early
on mismatch (on most x32 platforms memcmp uses a bytewise comparision).
Devise.secure_compare implements a constant time comparision instead.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/api/helpers.rb | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb index 228a719fbdf..ee678d84c84 100644 --- a/lib/api/helpers.rb +++ b/lib/api/helpers.rb @@ -83,7 +83,10 @@ module API end def authenticate_by_gitlab_shell_token! - unauthorized! unless secret_token == params['secret_token'].try(:chomp) + input = params['secret_token'].try(:chomp) + unless Devise.secure_compare(secret_token, input) + unauthorized! + end end def authenticated_as_admin! |