go-playground / webhooks

:fishing_pole_and_fish: Webhook receiver for GitHub, Bitbucket, GitLab, Gogs
MIT License

Make Gitlab token verification constant time #165

Closed neiser closed 1 year ago

neiser commented 1 year ago

This prevents leakage of token information using timing attacks. A simple string comparison does not suffice here.

It's also good practice to hash first to prevent leakage of the length of the secret, as subtle.ConstantTimeCompare has the undesired behavior of returning early if the length of the two given byte slices does not match. A hash function always generates a byte slice of constant length though.
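The comparison the PR describes, written out as an added example; this is not code from the PR or from go-playground/webhooks. The vulnerable `==` form sits beside the hash-then-`subtle.ConstantTimeCompare` form, and a small handler checks the `X-Gitlab-Token` header GitLab sends (the header name is GitLab's, but it is not mentioned on this page; the secret, paths and response bodies are constructed for the example).

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// naiveTokenMatch is the vulnerable form: Go's string == stops at the first
// differing byte, so response time leaks how many leading bytes matched.
func naiveTokenMatch(provided, expected string) bool {
	return provided == expected
}

// constantTimeTokenMatch hashes both values to a fixed 32-byte digest before
// comparing. subtle.ConstantTimeCompare returns 0 immediately when lengths
// differ, so hashing first guarantees equal-length inputs: neither the secret's
// length nor a partial prefix match is observable from timing.
func constantTimeTokenMatch(provided, expected string) bool {
	p := sha256.Sum256([]byte(provided))
	e := sha256.Sum256([]byte(expected))
	return subtle.ConstantTimeCompare(p[:], e[:]) == 1
}

// gitlabHandler rejects any request whose X-Gitlab-Token header does not match
// the configured secret. secret is a constructed value for this example.
func gitlabHandler(secret string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !constantTimeTokenMatch(r.Header.Get("X-Gitlab-Token"), secret) {
			http.Error(w, "token mismatch", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK)
		fmt.Fprintln(w, "ok")
	})
}

// checkRequest sends a constructed POST carrying the given token through the
// handler and returns the HTTP status it produced.
func checkRequest(h http.Handler, token string) int {
	req := httptest.NewRequest(http.MethodPost, "/webhook", nil)
	req.Header.Set("X-Gitlab-Token", token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := gitlabHandler("constructed-example-secret")
	fmt.Println(checkRequest(h, "constructed-example-secret")) // 200
	fmt.Println(checkRequest(h, "wrong-token"))                 // 401
}
```

Both functions return the same boolean for every input; only their timing profile differs, which is why a unit test cannot catch the original bug and the fix has to be made by construction.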

coveralls commented 1 year ago

Coverage Status

Coverage: 88.244% (+0.04%) from 88.208% when pulling 5f7b06069ad8bb33160a96619c6706ee9bc5f876 on neiser:prevent-timing-attacks into 4f72f9c366d8b19787398015a3389b826c36239f on go-playground:master.