From ef57fe4ae3c517a0bb10b81a641fb76976f404d3 Mon Sep 17 00:00:00 2001
From: leonklingele <5585491+leonklingele@users.noreply.github.com>
Date: Sat, 6 Jul 2019 19:03:13 +0200
Subject: [PATCH] routers: do not leak secrets via timing side channel (#7364)

* routers: do not leak secrets via timing side channel

* routers/repo: do not leak secrets via timing side channel
---
 routers/metrics.go   | 6 +++++-
 routers/repo/pull.go | 5 ++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/routers/metrics.go b/routers/metrics.go
index 78abd4a785..b7711dfced 100644
--- a/routers/metrics.go
+++ b/routers/metrics.go
@@ -5,6 +5,8 @@
 package routers
 
 import (
+	"crypto/subtle"
+
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 
 	"code.gitea.io/gitea/modules/context"
@@ -22,7 +24,9 @@ func Metrics(ctx *context.Context) {
 		ctx.Error(401)
 		return
 	}
-	if header != "Bearer "+setting.Metrics.Token {
+	got := []byte(header)
+	want := []byte("Bearer " + setting.Metrics.Token)
+	if subtle.ConstantTimeCompare(got, want) != 1 {
 		ctx.Error(401)
 		return
 	}
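Review bot: The new comparison still reveals whether the supplied header has the same length as the expected value, because `subtle.ConstantTimeCompare` returns 0 before doing any constant-time work when `len(got) != len(want)`; that discloses the length of `setting.Metrics.Token` (though not its content) to anyone who can time the endpoint. The usual way to close this is to compare fixed-size digests instead of the raw strings: `gotSum := sha256.Sum256([]byte(header))`, `wantSum := sha256.Sum256([]byte("Bearer " + setting.Metrics.Token))`, `if subtle.ConstantTimeCompare(gotSum[:], wantSum[:]) != 1 {`, which also makes the comparison time independent of the token's length. Separately, if `setting.Metrics.Token` can be empty the bare header `Bearer ` would authenticate; the guard whose `ctx.Error(401)` is visible at the top of the hunk starts above it, so I cannot tell whether that case is already rejected — worth confirming. The `Metrics` function starts outside this hunk.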
diff --git a/routers/repo/pull.go b/routers/repo/pull.go
index 4c377bb364..cb4fa9547e 100644
--- a/routers/repo/pull.go
+++ b/routers/repo/pull.go
@@ -8,6 +8,7 @@ package repo
 
 import (
 	"container/list"
+	"crypto/subtle"
 	"fmt"
 	"io"
 	"path"
@@ -771,7 +772,9 @@ func TriggerTask(ctx *context.Context) {
 	if ctx.Written() {
 		return
 	}
-	if secret != base.EncodeMD5(owner.Salt) {
+	got := []byte(base.EncodeMD5(owner.Salt))
+	want := []byte(secret)
+	if subtle.ConstantTimeCompare(got, want) != 1 {
 		ctx.Error(404)
 		log.Trace("TriggerTask [%s/%s]: invalid secret", owner.Name, repo.Name)
 		return
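Review bot: The variable names are inverted relative to the `routers/metrics.go` hunk in this same commit: here `got` holds the server-derived expected value (`base.EncodeMD5(owner.Salt)`) and `want` holds the client-supplied `secret`, whereas in metrics.go `got` is the request value and `want` the configured one. Swapping them, `got := []byte(secret)` and `want := []byte(base.EncodeMD5(owner.Salt))`, keeps the convention consistent and makes the "which side is untrusted" reading unambiguous for the next maintainer. The length-mismatch short-circuit in `subtle.ConstantTimeCompare` is harmless here since the expected value is always a 32-character hex digest, unlike the variable-length token in metrics.go. Note that this secret is a deterministic function of `owner.Salt`, so it cannot be rotated independently of the salt; a one-line comment such as `// secret is derived from owner.Salt; rotating it requires regenerating the salt` would record that. `TriggerTask` begins outside this hunk.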