(cherry-pick) Use subtle.ConstantTimeCompare instead of compare direc…

…tly (#18710) Use subtle.ConstantTimeCompare instead of compare directly Signed-off-by: stonezdj <[email protected]>
goharbor · May 23, 2023 · 31547ec · 31547ec
1 parent 1e616ad
commit 31547ec
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/src/jobservice/api/authenticator.go b/src/jobservice/api/authenticator.go
@@ -15,6 +15,7 @@
 package api
 
 import (
+	"crypto/subtle"
 	"errors"
 	"fmt"
 	"net/http"
@@ -66,7 +67,7 @@ func (sa *SecretAuthenticator) DoAuth(req *http.Request) error {
 	}
 
 	expectedSecret := config.GetUIAuthSecret()
-	if expectedSecret != secret {
+	if subtle.ConstantTimeCompare([]byte(expectedSecret), []byte(secret)) == 0 {
 		return errors.New("unauthorized")
 	}
 

diff --git a/src/registryctl/auth/secret.go b/src/registryctl/auth/secret.go
@@ -15,6 +15,7 @@
 package auth
 
 import (
+	"crypto/subtle"
 	"errors"
 	"net/http"
 	"strings"
@@ -54,7 +55,7 @@ func (s *secretHandler) AuthorizeRequest(req *http.Request) error {
 	secInReq := strings.TrimPrefix(auth, HarborSecret)
 
 	for _, v := range s.secrets {
-		if secInReq == v {
+		if subtle.ConstantTimeCompare([]byte(secInReq), []byte(v)) == 1 {
 			return nil
 		}
 	}