author | Douwe Maan <douwe@gitlab.com> | 2016-03-12 12:14:32 +0000 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2016-03-12 12:14:32 +0000 |
commit | 34e8c562363a130ca9f2a6be7959efbc54e64663 (patch) | |
tree | 7e04ef2abd4f6d2b246d6845ed9a4f43bfe6a13c | |
parent | 2b9b07891c402f6407a8b099fe67c78a43266ea1 (diff) | |
parent | fc610c182e73cdff2534bef91ce0385b06befacf (diff) | |
Merge branch 'fix/token-timing-attack' into 'master'
fix token issue - timing attack
Updates token comparisons to use a secure version instead of `==`
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/13617
See merge request !3062
-rw-r--r-- | app/models/project.rb | 4 | ||||
-rw-r--r-- | app/models/project_services/ci_service.rb | 2 |
2 files changed, 3 insertions, 3 deletions
diff --git a/app/models/project.rb b/app/models/project.rb
index ce103398a9a..1f18ad78164 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -930,13 +930,13 @@ class Project < ActiveRecord::Base
   end

   def valid_runners_token? token
-    self.runners_token && self.runners_token == token
+    self.runners_token && ActiveSupport::SecurityUtils.variable_size_secure_compare(token, self.runners_token)
   end

   # TODO (ayufan): For now we use runners_token (backward compatibility)
   # In 8.4 every build will have its own individual token valid for time of build
   def valid_build_token? token
-    self.builds_enabled? && self.runners_token && self.runners_token == token
+    self.builds_enabled? && self.runners_token && ActiveSupport::SecurityUtils.variable_size_secure_compare(token, self.runners_token)
   end

   def build_coverage_enabled?
diff --git a/app/models/project_services/ci_service.rb b/app/models/project_services/ci_service.rb
index e10b5529b42..d9f0849d147 100644
--- a/app/models/project_services/ci_service.rb
+++ b/app/models/project_services/ci_service.rb
@@ -26,7 +26,7 @@ class CiService < Service
   default_value_for :category, 'ci'

   def valid_token?(token)
-    self.respond_to?(:token) && self.token.present? && self.token == token
+    self.respond_to?(:token) && self.token.present? && ActiveSupport::SecurityUtils.variable_size_secure_compare(token, self.token)
   end

   def supported_events
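Review bot: `valid_runners_token?` now hands the caller-supplied `token` straight to `ActiveSupport::SecurityUtils.variable_size_secure_compare`, which as far as I recall digests both arguments with SHA256 before comparing, so a `nil` or non-String token (a request with the param or header missing, or an array-valued param) raises a TypeError where the old `==` quietly returned false; the `self.runners_token &&` guard only protects the stored side. Restoring the old contract is a one-line guard: `token.is_a?(String) && self.runners_token && ActiveSupport::SecurityUtils.variable_size_secure_compare(token, self.runners_token)`. The same gap exists in `valid_build_token?` later in this hunk and in `CiService#valid_token?` in the second hunk, whose `present?` check likewise covers only `self.token`. Worth a one-line comment on each method noting that the constant-time comparison is what prevents a byte-by-byte timing oracle on the token, since a later maintainer may otherwise "simplify" it back to `==`.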