Merge branch 'arch_23291/use_constant_time_comparison_for_system_toke…

…n_pr' into branches/rudder/8.0
Normation · Aug 17, 2023 · 4246c7f · 4246c7f
2 parents e70d945 + 5435bd3
commit 4246c7f
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 5 deletions.
diff --git a/...ces/rudder/rudder-core/src/main/scala/com/normation/rudder/api/ApiAccountRepository.scala b/...ces/rudder/rudder-core/src/main/scala/com/normation/rudder/api/ApiAccountRepository.scala
@@ -54,6 +54,7 @@ import com.normation.rudder.repository.ldap.LDAPDiffMapper
 import com.normation.rudder.repository.ldap.LDAPEntityMapper
 import com.normation.rudder.services.user.PersonIdentService
 import com.normation.zio._
+import java.security.MessageDigest
 import org.joda.time.DateTime
 import zio._
 import zio.syntax._
@@ -151,7 +152,8 @@ final class RoLDAPApiAccountRepository(
   override def getByToken(token: ApiToken): IOResult[Option[ApiAccount]] = {
     if (token.isHashed) {
       None.succeed
-    } else if (token == systemAPIAccount.token) {
+    } else if (MessageDigest.isEqual(token.value.getBytes(), systemAPIAccount.token.value.getBytes())) {
+      // Constant-time comparison
       Some(systemAPIAccount).succeed
     } else {
       val hash = ApiToken.hash(token.value)

diff --git a/.../rudder/rudder-web/src/main/scala/bootstrap/liftweb/checks/action/CreateSystemToken.scala b/.../rudder/rudder-web/src/main/scala/bootstrap/liftweb/checks/action/CreateSystemToken.scala
@@ -61,22 +61,22 @@ class CreateSystemToken(systemAccount: ApiAccount) extends BootstrapChecks {
     (for {
       path <- tryo {
                 Paths.get(tokenPath)
-              } ?~! "An error occured while getting system api token path"
+              } ?~! "An error occurred while getting system api token path"
 
       file <- tryo {
                 Files.deleteIfExists(path)
                 Files.createFile(path)
                 Files.write(path, systemAccount.token.value.getBytes(StandardCharsets.UTF_8))
-              } ?~! "An error occured while creating system api token file"
+              } ?~! "An error occurred while creating system api token file"
 
       perms <- tryo {
                  Files.setPosixFilePermissions(path, PosixFilePermissions.fromString("rw-------"))
-               } ?~! "An error occured while setting permissions on system api token file"
+               } ?~! "An error occurred while setting permissions on system api token file"
     } yield {}) match {
       case Full(_) =>
         BootstrapLogger.logEffect.info(s"System api token file created in ${tokenPath}")
       case eb: EmptyBox =>
-        val fail = eb ?~! s"An error occured while creating system api token file in ${tokenPath}"
+        val fail = eb ?~! s"An error occurred while creating system api token file in ${tokenPath}"
         BootstrapLogger.logEffect.error(fail.messageChain)
     }