loading up the forgejo repo on tangled to test page performance
Merge pull request 'use constant time check for internal token' (#5719) from earl-warren/forgejo:wip-timing into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5719
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
+3
-1
+1
release-notes/5719.md
+1
release-notes/5719.md
···
1
+
Forgejo generates a token which is used to authenticate web endpoints that are only meant to be used internally, for instance when the SSH daemon is used to push a commit with Git. The verification of this token was not done in constant time and was susceptible to [timing attacks](https://en.wikipedia.org/wiki/Timing_attack). A pre-condition for such an attack is the precise measurements of the time for each operation. Since it requires observing the timing of network operations, the issue is mitigated when a Forgejo instance is accessed over the internet because the ISP introduce unpredictable random delays.
+2
-1
routers/private/internal.go
+2
-1
routers/private/internal.go
···
5
5
package private
6
6
7
7
import (
8
+
"crypto/subtle"
8
9
"net/http"
9
10
"strings"
10
11
···
28
29
http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
29
30
return
30
31
}
31
-
if len(fields) != 2 || fields[0] != "Bearer" || fields[1] != setting.InternalToken {
32
+
if len(fields) != 2 || fields[0] != "Bearer" || subtle.ConstantTimeCompare([]byte(fields[1]), []byte(setting.InternalToken)) == 0 {
32
33
log.Debug("Forbidden attempt to access internal url: Authorization header: %s", tokens)
33
34
http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
34
35
} else {