
fix: Constant time comparison for webhook authentication

jamesread 6 месяцев назад
Родитель
Сommit
0b072db36d
2 измененных файлов с 11 добавлено и 9 удалено
  1. 4 1
      service/internal/webhooks/auth.go
  2. 7 8
      service/internal/webhooks/matcher.go

+ 4 - 1
service/internal/webhooks/auth.go

@@ -2,6 +2,7 @@ package webhooks
 
 import (
 	"crypto/hmac"
+	"crypto/subtle"
 	"crypto/sha1"
 	"crypto/sha256"
 	"encoding/hex"
@@ -105,7 +106,9 @@ func (v *AuthVerifier) verifyBearer(r *http.Request) bool {
 	}
 
 	token := strings.TrimPrefix(authHeader, "Bearer ")
-	return token == v.config.Secret
+	tokenBytes := []byte(token)
+	secretBytes := []byte(v.config.Secret)
+	return len(tokenBytes) == len(secretBytes) && subtle.ConstantTimeCompare(tokenBytes, secretBytes) == 1
 }
 
 func (v *AuthVerifier) verifyBasic(r *http.Request) bool {
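Review bot: The explicit length check on the new return line is redundant, since subtle.ConstantTimeCompare already returns 0 when the two slices differ in length, so the whole comparison can be `return subtle.ConstantTimeCompare([]byte(token), []byte(v.config.Secret)) == 1` without the short-circuiting `&&`. The import group is also no longer in the order goimports produces: `"crypto/subtle"` is inserted between `"crypto/hmac"` and `"crypto/sha1"` and belongs after `"crypto/sha256"`. Note that an empty configured Secret still matches an empty bearer token exactly as the old `==` did; if that is not intended, a `if v.config.Secret == "" { return false }` guard belongs before the compare. verifyBearer begins before the hunk, and verifyBasic, whose body follows it, presumably compares credentials the same way and should get the same treatment — worth confirming.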

+ 7 - 8
service/internal/webhooks/matcher.go

@@ -12,7 +12,6 @@ import (
 type WebhookMatcher struct {
 	config    config.WebhookConfig
 	req       *http.Request
-	body      interface{}
 	bodyBytes []byte
 }
 
@@ -50,9 +49,9 @@ func (m *WebhookMatcher) matchHeaders() bool {
 		actualValue := m.req.Header.Get(key)
 		if !m.compareValues(actualValue, expectedValue) {
 			log.WithFields(log.Fields{
-				"header":      key,
-				"expected":    expectedValue,
-				"actual":      actualValue,
+				"header":   key,
+				"expected": expectedValue,
+				"actual":   actualValue,
 			}).Debugf("Header mismatch")
 			return false
 		}
@@ -70,9 +69,9 @@ func (m *WebhookMatcher) matchQuery() bool {
 		actualValue := query.Get(key)
 		if !m.compareValues(actualValue, expectedValue) {
 			log.WithFields(log.Fields{
-				"query":       key,
-				"expected":    expectedValue,
-				"actual":      actualValue,
+				"query":    key,
+				"expected": expectedValue,
+				"actual":   actualValue,
 			}).Debugf("Query parameter mismatch")
 			return false
 		}
@@ -144,7 +143,7 @@ func (m *WebhookMatcher) ExtractArguments() (map[string]string, error) {
 		value, err := matcher.ExtractValue(jsonPath)
 		if err != nil {
 			log.WithFields(log.Fields{
-				"argName": argName,
+				"argName":  argName,
 				"jsonPath": jsonPath,
 				"error":    err,
 			}).Debugf("Failed to extract value")