routers: do not leak secrets via timing side channel (#7364)

* routers: do not leak secrets via timing side channel * routers/repo: do not leak secrets via timing side channel
2025-07-22 18:28:37 +00:00 · 2019-07-06 19:03:13 +02:00
parent 96b66e330b
commit ef57fe4ae3
2 changed files with 9 additions and 2 deletions
--- a/routers/repo/pull.go
+++ b/routers/repo/pull.go
@@ -8,6 +8,7 @@ package repo

 import (
 	"container/list"
+	"crypto/subtle"
 	"fmt"
 	"io"
 	"path"
@@ -771,7 +772,9 @@ func TriggerTask(ctx *context.Context) {
 	if ctx.Written() {
 		return
 	}
-	if secret != base.EncodeMD5(owner.Salt) {
+	got := []byte(base.EncodeMD5(owner.Salt))
+	want := []byte(secret)
+	if subtle.ConstantTimeCompare(got, want) != 1 {
 		ctx.Error(404)
 		log.Trace("TriggerTask [%s/%s]: invalid secret", owner.Name, repo.Name)
 		return