Add AS::SecurityUtils.secure_compare for constant time string comparison
This commit is contained in:
parent
5a16b5cd6d
commit
c8c660002f
2 changed files with 29 additions and 0 deletions
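--- a/activesupport/lib/active_support/security_utils.rb
+++ b/activesupport/lib/active_support/security_utils.rb
@@ -0,0 +1,20 @@
+module ActiveSupport
+module SecurityUtils
+# Constant time string comparison.
+#
+# The values compared should be of fixed length, such as strings
+# that have already been processed by HMAC. This should not be used
+# on variable length plaintext strings because it could leak length info
+# via timing attacks.
+def secure_compare(a, b)
+return false unless a.bytesize == b.bytesize
+
+l = a.unpack "C#{a.bytesize}"
+
+res = 0
+b.each_byte { |byte| res |= byte ^ l.shift }
+res == 0
+end
+module_function :secure_compare
+end
+end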
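Review bot: `l = a.unpack "C#{a.bytesize}"` builds a format string on every call where `a_bytes = a.unpack("C*")` yields the same byte array and also names what the loop consumes, since the bare `l` with `l.shift` is the only hint of its contents. The header comment correctly documents the length leak from the early `return false`; it would also help callers to state that the method raises `NoMethodError` rather than returning false when either argument is not a String (inferred from the unguarded `a.bytesize`/`b.bytesize`, not checked against callers), and that "constant time" here means no data-dependent early exit in the byte loop rather than a hardware-level guarantee. On the last line of the body, `res == 0` is idiomatically `res.zero?`.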
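--- a/activesupport/test/security_utils_test.rb
+++ b/activesupport/test/security_utils_test.rb
@@ -0,0 +1,9 @@
+require 'abstract_unit'
+require 'active_support/security_utils'
+
+class SecurityUtilsTest < ActiveSupport::TestCase
+def test_secure_compare_should_perform_string_comparison
+assert ActiveSupport::SecurityUtils.secure_compare('a', 'a')
+assert !ActiveSupport::SecurityUtils.secure_compare('a', 'b')
+end
+end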
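Review bot: The single test case uses only one-byte, equal-length inputs, so the `return false unless a.bytesize == b.bytesize` path in secure_compare and the byte-wise (rather than character-wise) comparison have no coverage. Adding `assert !ActiveSupport::SecurityUtils.secure_compare('a', 'ab')` covers the length mismatch, and a multibyte pair such as `assert ActiveSupport::SecurityUtils.secure_compare('日本', '日本')` pins that bytesize, not character length, drives the comparison. An equal-length pair differing only in the last byte, e.g. `assert !ActiveSupport::SecurityUtils.secure_compare('ab', 'ac')`, would also catch a regression that stops accumulating before the final byte.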