routers: do not leak secrets via timing side channel (go-gitea#7364)

* routers: do not leak secrets via timing side channel * routers/repo: do not leak secrets via timing side channel
jeffliu27 · Jul 18, 2019 · 71df1a3 · 71df1a3
1 parent a39f022
commit 71df1a3
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/routers/metrics.go b/routers/metrics.go
@@ -5,6 +5,8 @@
 package routers
 
 import (
+	"crypto/subtle"
+
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 
 	"code.gitea.io/gitea/modules/context"
@@ -22,7 +24,9 @@ func Metrics(ctx *context.Context) {
 		ctx.Error(401)
 		return
 	}
-	if header != "Bearer "+setting.Metrics.Token {
+	got := []byte(header)
+	want := []byte("Bearer " + setting.Metrics.Token)
+	if subtle.ConstantTimeCompare(got, want) != 1 {
 		ctx.Error(401)
 		return
 	}

diff --git a/routers/repo/pull.go b/routers/repo/pull.go
@@ -8,6 +8,7 @@ package repo
 
 import (
 	"container/list"
+	"crypto/subtle"
 	"fmt"
 	"io"
 	"path"
@@ -771,7 +772,9 @@ func TriggerTask(ctx *context.Context) {
 	if ctx.Written() {
 		return
 	}
-	if secret != base.EncodeMD5(owner.Salt) {
+	got := []byte(base.EncodeMD5(owner.Salt))
+	want := []byte(secret)
+	if subtle.ConstantTimeCompare(got, want) != 1 {
 		ctx.Error(404)
 		log.Trace("TriggerTask [%s/%s]: invalid secret", owner.Name, repo.Name)
 		return