From 9f089ac48c22b2f7cfbc7dd0ca29da924c566363 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Fri, 6 Mar 2015 19:49:38 +0100
Subject: use constant-time string compare for internal api authentication

Ruby str_equal uses memcmp internally to compare String. Memcmp is vunerable to timing attacks because it returns early on mismatch (on most x32 platforms memcmp uses a bytewise comparision). Devise.secure_compare implements a constant time comparision instead.
---
 lib/api/helpers.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'lib/api')

diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 228a719fbdf..ee678d84c84 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -83,7 +83,10 @@ module API
       end
 
       def authenticate_by_gitlab_shell_token!
-        unauthorized! unless secret_token == params['secret_token'].try(:chomp)
+        input = params['secret_token'].try(:chomp)
+        unless Devise.secure_compare(secret_token, input)
+          unauthorized!
+        end
       end
 
       def authenticated_as_admin!
-- 
cgit v1.2.1
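Review bot: The new `unless Devise.secure_compare(secret_token, input)` guard silently changes the blank-token behaviour of authenticate_by_gitlab_shell_token!, and nothing in the hunk records that this is intended: with `==`, a request that omitted `secret_token` compared `nil == nil` against an unconfigured token and passed, whereas secure_compare (in the Devise versions I know, which return false when either side is blank — confirm against the bundled version) now fails closed and calls unauthorized!. That is the safer outcome and deserves a comment so nobody reverts it as a regression, e.g. `# secure_compare is constant-time and also rejects blank values, so an unset secret_token fails closed instead of matching a missing param`. The `.try(:chomp)` on the previous line still accepts a token with a trailing newline, which is worth a short comment too, since it is deliberate tolerance rather than an oversight. If the app is on a Rails that ships `ActiveSupport::SecurityUtils.secure_compare` (4.2+), consider that instead of coupling the API layer to Devise for a generic primitive; either way, a unit test sending a wrong-length and a one-byte-off token should assert 401 to pin the fail-closed path.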