Merge pull request #8928 from Mic92/master

use constant-time string compare for internal api authentication

Merge pull request #8928 from Mic92/master
use constant-time string compare for internal api authentication
8d9823ab · Robert Schilling · 3cf4359b · 9f089ac4 · 8d9823ab
Commit 8d9823ab authored Mar 07, 2015 by Robert Schilling
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

lib/api/helpers.rb lib/api/helpers.rb +4 -1

No files found.
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -83,7 +83,10 @@ module API
    end

    def authenticate_by_gitlab_shell_token!
-      unauthorized! unless secret_token == params['secret_token'].try(:chomp)
+      input = params['secret_token'].try(:chomp)
+      unless Devise.secure_compare(secret_token, input)
+        unauthorized!
+      end
    end

    def authenticated_as_admin!