Use secure_compare when checking CSRF token

Since string comparisions may return early we want to use a constant time comparsion function to protect the CSRF token against timing attacks. Rack::Utils provides a such function.
sinatra · Jul 26, 2016 · d8068e8 · d8068e8
1 parent 0bf1125
commit d8068e8
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/lib/rack/protection/authenticity_token.rb b/lib/rack/protection/authenticity_token.rb
@@ -23,8 +23,8 @@ def accepts?(env)
         session = session env
         token   = session[:csrf] ||= session['_csrf_token'] || random_string
         safe?(env) ||
-          env['HTTP_X_CSRF_TOKEN'] == token ||
-          Request.new(env).params[options[:authenticity_param]] == token
+          secure_compare(env['HTTP_X_CSRF_TOKEN'], token) ||
+          secure_compare(Request.new(env).params[options[:authenticity_param]], token)
       end
     end
   end

diff --git a/lib/rack/protection/base.rb b/lib/rack/protection/base.rb
@@ -1,4 +1,5 @@
 require 'rack/protection'
+require 'rack/utils'
 require 'digest'
 require 'logger'
 require 'uri'
@@ -110,6 +111,10 @@ def encrypt(value)
         options[:encryptor].hexdigest value.to_s
       end
 
+      def secure_compare(a, b)
+        Rack::Utils.secure_compare(a.to_s, b.to_s)
+      end
+
       alias default_reaction deny
 
       def html?(headers)