fix token issue - timing attack

70623cd4 · James Lopez · 8cba0612 · 70623cd4 · 70623cd4
Commit 70623cd4 authored Mar 02, 2016 by James Lopez
Show whitespace changes
Inline Side-by-side

Showing with 3 additions and 3 deletions

app/models/project.rb app/models/project.rb +2 -2

app/models/project_services/ci_service.rb app/models/project_services/ci_service.rb +1 -1

No files found.
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -889,13 +889,13 @@ class Project < ActiveRecord::Base
  end

  def valid_runners_token? token
-    self.runners_token && self.runners_token == token
+    self.runners_token && ActiveSupport::SecurityUtils.secure_compare(token, self.runners_token)
  end

  # TODO (ayufan): For now we use runners_token (backward compatibility)
  # In 8.4 every build will have its own individual token valid for time of build
  def valid_build_token? token
-    self.builds_enabled? && self.runners_token && self.runners_token == token
+    self.builds_enabled? && self.runners_token && ActiveSupport::SecurityUtils.secure_compare(token, self.runners_token)
  end

  def build_coverage_enabled?

--- a/app/models/project_services/ci_service.rb
+++ b/app/models/project_services/ci_service.rb
@@ -26,7 +26,7 @@ class CiService < Service
  default_value_for :category, 'ci'

  def valid_token?(token)
-    self.respond_to?(:token) && self.token.present? && self.token == token
+    self.respond_to?(:token) && self.token.present? && ActiveSupport::SecurityUtils.secure_compare(token, self.token)
  end

  def supported_events