authorJames Lopez <james@jameslopez.es>2016-03-02 12:18:43 +0100
committerJames Lopez <james@jameslopez.es>2016-03-02 12:18:43 +0100
commit70623cd423b0c7e26e56422bf25c413d9921ee88 (patch)
treef977ca35d156db2d7a75fce165dd704f59818edb /app/models/project.rb
parent8cba0612e16268ea12904e40ce7dad293998a875 (diff)
fix token issue - timing attack
Diffstat (limited to 'app/models/project.rb')
-rw-r--r--app/models/project.rb4
1 files changed, 2 insertions, 2 deletions
diff --git a/app/models/project.rb b/app/models/project.rb
index 6f5d592755a..6c9377448e2 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -889,13 +889,13 @@ class Project < ActiveRecord::Base
end
def valid_runners_token? token
- self.runners_token && self.runners_token == token
+ self.runners_token && ActiveSupport::SecurityUtils.secure_compare(token, self.runners_token)
end
# TODO (ayufan): For now we use runners_token (backward compatibility)
# In 8.4 every build will have its own individual token valid for time of build
def valid_build_token? token
- self.builds_enabled? && self.runners_token && self.runners_token == token
+ self.builds_enabled? && self.runners_token && ActiveSupport::SecurityUtils.secure_compare(token, self.runners_token)
end
def build_coverage_enabled?
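Review bot: In `valid_runners_token?` and `valid_build_token?`, `token` now goes straight into `ActiveSupport::SecurityUtils.secure_compare`, which calls `bytesize` on its arguments, so a nil or non-String token raises `NoMethodError` where the old `==` simply returned false. The callers are outside this hunk, but if either method is fed a request parameter that can be missing or array/hash-shaped, an unauthenticated request would produce a 500 instead of a clean rejection. Guarding the type first keeps the constant-time comparison and the old failure mode, e.g. `token.is_a?(String) && self.runners_token && ActiveSupport::SecurityUtils.secure_compare(token, self.runners_token)`. A short comment such as `# constant-time comparison; do not replace with ==` above each call would also keep a later cleanup from reverting the fix.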