Timing attack on basic password auth system

[carmi]

I'm just seeing in the README about basic auth https://github.com/ruby-grape/grape#authentication

http_basic do |username, password|
  # verify user's password here
  { 'test' => 'password1' }[username] == password
end

This sure looks like it's prone to a timing attack on the password like CVE-2015-7576 https://groups.google.com/forum/#!msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ and should ideally not be a recommended solution for password auth.

[carmi]

I think the proper way to do this to avoid the timing attack is (if you have ActiveSupport available)

    http_basic do |username, password|
      ActiveSupport::SecurityUtils.variable_size_secure_compare(GRAPE_API_USERNAME, username) &
        ActiveSupport::SecurityUtils.variable_size_secure_compare(GRAPE_API_PASSWORD, password)
    end

[dblock]

I got to admit that's an impressively obvious CVE. I suggest simply removing the specific example from the documentation and leaving the comment to verify the user's password. It's probably not Grape's responsibility to make sure you implement BASIC auth with this CVE in mind, otherwise we also would have to care about things like what headers you send to the client for, say, CSP.

[dblock]

Closed via #2037