use constant-time string compare for internal api authentication

Ruby str_equal uses memcmp internally to compare String. Memcmp is vunerable to timing attacks because it returns early on mismatch (on most x32 platforms memcmp uses a bytewise comparision). Devise.secure_compare implements a constant time comparision instead.

use constant-time string compare for internal api authentication
Ruby str_equal uses memcmp internally to compare String. Memcmp is vunerable to timing attacks because it returns early on mismatch (on most x32 platforms memcmp uses a bytewise comparision). Devise.secure_compare implements a constant time comparision instead.
9f089ac4 · Jörg Thalheim · 0625d68f · 9f089ac4
Commit 9f089ac4 authored Mar 06, 2015 by Jörg Thalheim
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

lib/api/helpers.rb lib/api/helpers.rb +4 -1

No files found.
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -83,7 +83,10 @@ module API
    end

    def authenticate_by_gitlab_shell_token!
-      unauthorized! unless secret_token == params['secret_token'].try(:chomp)
+      input = params['secret_token'].try(:chomp)
+      unless Devise.secure_compare(secret_token, input)
+        unauthorized!
+      end
    end

    def authenticated_as_admin!