

fix: use constant time comparison of webhook secret in gitlab event validator (#2392)
cedws committed Jul 15, 2022
1 parent e153cea commit 4887091
Showing 1 changed file with 2 additions and 2 deletions.
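--- a/server/controllers/events/gitlab_request_parser_validator.go
+++ b/server/controllers/events/gitlab_request_parser_validator.go
@@ -14,6 +14,7 @@
 package events
 
 import (
+"crypto/subtle"
 "encoding/json"
 "fmt"
 "io"
@@ -61,8 +62,7 @@ func (d *DefaultGitlabRequestParserValidator) ParseAndValidate(r *http.Request,
 
 // Validate secret if specified.
 headerSecret := r.Header.Get(secretHeader)
-secretStr := string(secret)
-if len(secret) != 0 && headerSecret != secretStr {
+if len(secret) != 0 && subtle.ConstantTimeCompare(secret, []byte(headerSecret)) != 1 {
 return nil, fmt.Errorf("header %s=%s did not match expected secret", secretHeader, headerSecret)
 }
 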
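Review bot: The error returned on the line after the new constant-time comparison still interpolates the client-supplied `headerSecret` into its message, so whatever value was sent in the header is reflected into the error and from there into logs or an HTTP response, depending on how the caller handles it (the caller is outside this hunk). Reporting only the header name is enough for an operator to diagnose a mismatch: `return nil, fmt.Errorf("header %s did not match expected secret", secretHeader)`. A one-line why-comment above the new condition would also help the next reader, e.g. `// Constant-time compare so response timing does not depend on how many leading bytes of the secret matched.`. ParseAndValidate starts before this hunk and continues after it.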
