Browse Source

routers: do not leak secrets via timing side channel (#7364)

* routers: do not leak secrets via timing side channel

* routers/repo: do not leak secrets via timing side channel
release/v1.9
leonklingele 3 years ago
committed by techknowlogick
parent
commit
ef57fe4ae3
  1. 6
      routers/metrics.go
  2. 5
      routers/repo/pull.go

6
routers/metrics.go

@ -5,6 +5,8 @@
package routers
import (
"crypto/subtle"
"github.com/prometheus/client_golang/prometheus/promhttp"
"code.gitea.io/gitea/modules/context"
@ -22,7 +24,9 @@ func Metrics(ctx *context.Context) {
ctx.Error(401)
return
}
if header != "Bearer "+setting.Metrics.Token {
got := []byte(header)
want := []byte("Bearer " + setting.Metrics.Token)
if subtle.ConstantTimeCompare(got, want) != 1 {
ctx.Error(401)
return
}

5
routers/repo/pull.go

@ -8,6 +8,7 @@ package repo
import (
"container/list"
"crypto/subtle"
"fmt"
"io"
"path"
@ -771,7 +772,9 @@ func TriggerTask(ctx *context.Context) {
if ctx.Written() {
return
}
if secret != base.EncodeMD5(owner.Salt) {
got := []byte(base.EncodeMD5(owner.Salt))
want := []byte(secret)
if subtle.ConstantTimeCompare(got, want) != 1 {
ctx.Error(404)
log.Trace("TriggerTask [%s/%s]: invalid secret", owner.Name, repo.Name)
return

Loading…
Cancel
Save