Commit 34e8c562 authored by Douwe Maan

Merge branch 'fix/token-timing-attack' into 'master'

fix token issue - timing attack

Updates token comparisons to use a secure version instead of `==`

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/13617

See merge request !3062
parents 2b9b0789 fc610c18
...@@ -930,13 +930,13 @@ class Project < ActiveRecord::Base ...@@ -930,13 +930,13 @@ class Project < ActiveRecord::Base
end end
def valid_runners_token? token def valid_runners_token? token
self.runners_token && self.runners_token == token self.runners_token && ActiveSupport::SecurityUtils.variable_size_secure_compare(token, self.runners_token)
end end
# TODO (ayufan): For now we use runners_token (backward compatibility) # TODO (ayufan): For now we use runners_token (backward compatibility)
# In 8.4 every build will have its own individual token valid for time of build # In 8.4 every build will have its own individual token valid for time of build
def valid_build_token? token def valid_build_token? token
self.builds_enabled? && self.runners_token && self.runners_token == token self.builds_enabled? && self.runners_token && ActiveSupport::SecurityUtils.variable_size_secure_compare(token, self.runners_token)
end end
def build_coverage_enabled? def build_coverage_enabled?
......
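Review bot: the new `variable_size_secure_compare(token, self.runners_token)` calls in `valid_runners_token?` and `valid_build_token?` change behaviour for a `nil` token: the method hashes both arguments with SHA-256 before the constant-time compare, and `Digest::SHA256.hexdigest(nil)` raises a `TypeError`, whereas the old `self.runners_token == token` simply returned `false`. The existing `self.runners_token &&` guard only protects the stored side. Suggest guarding the supplied side as well, e.g. `self.runners_token && token.present? && ActiveSupport::SecurityUtils.variable_size_secure_compare(token, self.runners_token)`, and adding a spec asserting that a missing or blank token is rejected without raising. Argument order here is fine, since the method hashes both inputs to equal length, so neither the user-supplied nor the stored token length is leaked.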
...@@ -26,7 +26,7 @@ class CiService < Service ...@@ -26,7 +26,7 @@ class CiService < Service
default_value_for :category, 'ci' default_value_for :category, 'ci'
def valid_token?(token) def valid_token?(token)
self.respond_to?(:token) && self.token.present? && self.token == token self.respond_to?(:token) && self.token.present? && ActiveSupport::SecurityUtils.variable_size_secure_compare(token, self.token)
end end
def supported_events def supported_events
......
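Review bot: `valid_token?` has the same gap as the `Project` hunk: `self.token.present?` checks only the stored token, so a `nil` argument now reaches `variable_size_secure_compare` and raises instead of returning `false` as `self.token == token` did. Suggest `self.respond_to?(:token) && self.token.present? && token.present? && ActiveSupport::SecurityUtils.variable_size_secure_compare(token, self.token)`. Separately, this is the third identical call site in the merge request; a small shared helper (for example a module method that takes the supplied and stored values and does the presence checks plus the secure compare) would keep the three comparisons consistent and give one place to test.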