Skip to content

Commit

Permalink
Use subtle.ConstantTimeCompare instead of compare directly (goharbor#…
Browse files Browse the repository at this point in the history 
…18697)

Signed-off-by: stonezdj <daojunz@vmware.com>
  • Loading branch information
@stonezdj @kycheng
stonezdj authored and kycheng committed Jun 14, 2024
1 parent c0b1c08 commit 98c7c75
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 2 deletions.
3 changes: 2 additions & 1 deletion src/jobservice/api/authenticator.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
package api

import (
"crypto/subtle"
"errors"
"fmt"
"net/http"
Expand Down Expand Up @@ -66,7 +67,7 @@ func (sa *SecretAuthenticator) DoAuth(req *http.Request) error {
}

expectedSecret := config.GetUIAuthSecret()
if expectedSecret != secret {
if subtle.ConstantTimeCompare([]byte(expectedSecret), []byte(secret)) == 0 {
return errors.New("unauthorized")
}

Expand Down
3 changes: 2 additions & 1 deletion src/registryctl/auth/secret.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
package auth

import (
"crypto/subtle"
"errors"
"net/http"
"strings"
Expand Down Expand Up @@ -54,7 +55,7 @@ func (s *secretHandler) AuthorizeRequest(req *http.Request) error {
secInReq := strings.TrimPrefix(auth, HarborSecret)

for _, v := range s.secrets {
if secInReq == v {
if subtle.ConstantTimeCompare([]byte(secInReq), []byte(v)) == 1 {
return nil
}
}
Expand Down

0 comments on commit 98c7c75

Please sign in to comment.