Skip to content

Commit

Permalink
fix: use time-constant comparison for CSRF tokens (#9875)
Browse files Browse the repository at this point in the history 
This hardens the framework against a theoretical timing attack based on
comparing how quickly a request with an invalid CSRF token is rejected.

(cherry picked from commit 292b3a0)
  • Loading branch information
@Legioth @pleku
Legioth authored and pleku committed Jan 29, 2021
1 parent 716ed84 commit 6c63955
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion flow-server/src/main/java/com/vaadin/flow/server/VaadinService.java
View file
Expand Up @@ -29,6 +29,8 @@
import java.io.Serializable;
import java.lang.reflect.Constructor;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
Expand Down Expand Up @@ -1941,7 +1943,9 @@ public static boolean isCsrfTokenValid(UI ui, String requestToken) {
.isXsrfProtectionEnabled()) {
String uiToken = ui.getCsrfToken();

if (uiToken == null || !uiToken.equals(requestToken)) {
if (uiToken == null || !MessageDigest.isEqual(
uiToken.getBytes(StandardCharsets.UTF_8),
requestToken.getBytes(StandardCharsets.UTF_8))) {
return false;
}
}
Expand Down

0 comments on commit 6c63955

Please sign in to comment.