Просмотр исходного кода

fix: Use constant-time comparison for Basic auth verification.

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
James Read 6 месяцев назад
Родитель
Сommit
11278ff6c2
1 измененных файлов с 13 добавлено и 2 удалено
  1. 13 2
      service/internal/webhooks/auth.go

+ 13 - 2
service/internal/webhooks/auth.go

@@ -120,10 +120,21 @@ func (v *AuthVerifier) verifyBasic(r *http.Request) bool {
 		return false
 	}
 
+import (
+	"crypto/subtle"
+	// ... existing imports
+)
+
+func (v *AuthVerifier) verifyBasic(r *http.Request) bool {
+	// ... existing checks ...
+
 	parts := strings.SplitN(v.config.Secret, ":", 2)
 	if len(parts) == 2 {
-		return username == parts[0] && password == parts[1]
+		usernameMatch := subtle.ConstantTimeCompare([]byte(username), []byte(parts[0]))
+		passwordMatch := subtle.ConstantTimeCompare([]byte(password), []byte(parts[1]))
+		return usernameMatch == 1 && passwordMatch == 1
 	}
 
-	return password == v.config.Secret
+	return subtle.ConstantTimeCompare([]byte(password), []byte(v.config.Secret)) == 1
+}
 }