Commit 9f089ac4 authored by Jörg Thalheim

use constant-time string compare for internal api authentication

Ruby str_equal uses memcmp internally to compare String.
Memcmp is vulnerable to timing attacks because it returns early
on mismatch (on most x32 platforms memcmp uses a bytewise comparison).
Devise.secure_compare implements a constant time comparison instead.
parent 0625d68f
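As an added illustration of the early-exit behaviour the commit message describes, the following is example code, not GitLab's or Devise's own: a naive byte-by-byte comparison beside a constant-time one written in the style of Devise.secure_compare. Rather than timing the calls (noisy on any real machine), both functions also return how many bytes they inspected, which exposes the leak deterministically. The secret token and the guesses are constructed for the demonstration.

```ruby
# Added example (not GitLab's or Devise's code). Both comparison functions
# return [matched?, bytes_inspected]; the second value is the observable an
# attacker would otherwise have to recover from response timings.

# Early-exit comparison, the memcmp-style behaviour of String#==: it stops at
# the first differing byte, so the number of bytes inspected (and the running
# time) grows with the length of the correctly guessed prefix.
def naive_compare(secret, input)
  return [false, 0] unless input.is_a?(String)
  inspected = 0
  secret.bytesize.times do |i|
    inspected += 1
    # input.getbyte(i) is nil past the end of a shorter input, which counts
    # as a mismatch here
    return [false, inspected] if secret.getbyte(i) != input.getbyte(i)
  end
  [secret.bytesize == input.bytesize, inspected]
end

# Constant-time comparison in the style of Devise.secure_compare: a missing or
# wrong-length input is rejected up front (the length of a fixed-size token is
# not a secret), then every byte is visited and the XOR of each pair is folded
# into an accumulator, so the outcome is only decided after the last byte.
def secure_compare(secret, input)
  return [false, 0] unless input.is_a?(String) && secret.bytesize == input.bytesize
  acc = 0
  secret.bytesize.times do |i|
    acc |= secret.getbyte(i) ^ input.getbyte(i)
  end
  [acc == 0, secret.bytesize]
end

# Constructed secret (19 bytes) and same-length guesses whose correct prefix
# grows from 0 to 6 bytes, the way an attacker would extend it byte by byte.
SECRET = "gitlab-shell-secret".freeze
GUESSES = [
  "a" * 19,
  "g" + "a" * 18,
  "gitlab" + "a" * 13,
  SECRET,
].freeze

# Bytes inspected per guess by each comparison: the naive profile climbs with
# the matched prefix, the constant-time profile is flat.
def leak_profile(method, secret = SECRET, guesses = GUESSES)
  guesses.map { |g| send(method, secret, g)[1] }
end

if __FILE__ == $PROGRAM_NAME
  GUESSES.each do |g|
    puts format("%-22s naive=%-2d secure=%-2d", g.inspect,
                naive_compare(SECRET, g)[1], secure_compare(SECRET, g)[1])
  end
end
```

With the naive comparison the bytes-inspected column reads 1, 2, 7, 19 for the four guesses, so an attacker who can measure the difference recovers the secret one byte at a time; with the constant-time version every guess costs 19 bytes of work whether it matches or not, and a nil input (a request without the parameter) is rejected before any byte is read.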
......@@ -83,7 +83,10 @@ module API
end
def authenticate_by_gitlab_shell_token!
unauthorized! unless secret_token == params['secret_token'].try(:chomp)
input = params['secret_token'].try(:chomp)
unless Devise.secure_compare(secret_token, input)
unauthorized!
end
end
def authenticated_as_admin!
......
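Review bot: the missing-parameter case in authenticate_by_gitlab_shell_token! deserves a spec: params['secret_token'] can be absent, in which case `input` is nil and the new call relies on Devise.secure_compare rejecting a nil argument rather than raising; a request without secret_token should be asserted to end in unauthorized!. On style, the replacement could stay a one-liner in the shape of the removed line, `unauthorized! unless Devise.secure_compare(secret_token, input)`, instead of the three-line unless block.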