fix token issue - timing attack
parent
8cba0612e1
commit
70623cd423
2 changed files with 3 additions and 3 deletions
|
@ -889,13 +889,13 @@ class Project < ActiveRecord::Base
|
||||||
end
|
end
|
||||||
|
|
||||||
def valid_runners_token? token
|
def valid_runners_token? token
|
||||||
self.runners_token && self.runners_token == token
|
self.runners_token && ActiveSupport::SecurityUtils.secure_compare(token, self.runners_token)
|
||||||
end
|
end
|
||||||
|
|
||||||
# TODO (ayufan): For now we use runners_token (backward compatibility)
|
# TODO (ayufan): For now we use runners_token (backward compatibility)
|
||||||
# In 8.4 every build will have its own individual token valid for time of build
|
# In 8.4 every build will have its own individual token valid for time of build
|
||||||
def valid_build_token? token
|
def valid_build_token? token
|
||||||
self.builds_enabled? && self.runners_token && self.runners_token == token
|
self.builds_enabled? && self.runners_token && ActiveSupport::SecurityUtils.secure_compare(token, self.runners_token)
|
||||||
end
|
end
|
||||||
|
|
||||||
def build_coverage_enabled?
|
def build_coverage_enabled?
|
||||||
|
|
|
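Review bot: In `valid_runners_token?` the caller-supplied `token` now goes straight into `secure_compare`, which calls String methods on both arguments, so a missing or non-String token (nil, or an array/hash parsed from a request parameter) would raise instead of returning false as the old `==` did. The same applies to `valid_build_token?` just below and to `CiService#valid_token?` in the second file. The callers are outside this page, so whether such values can reach these methods is not visible here. A type guard keeps the old contract: `token.is_a?(String) && self.runners_token && ActiveSupport::SecurityUtils.secure_compare(token, self.runners_token)`. A spec that passes nil and a wrong-length token to each method would pin that behaviour.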
@ -26,7 +26,7 @@ class CiService < Service
|
||||||
default_value_for :category, 'ci'
|
default_value_for :category, 'ci'
|
||||||
|
|
||||||
def valid_token?(token)
|
def valid_token?(token)
|
||||||
self.respond_to?(:token) && self.token.present? && self.token == token
|
self.respond_to?(:token) && self.token.present? && ActiveSupport::SecurityUtils.secure_compare(token, self.token)
|
||||||
end
|
end
|
||||||
|
|
||||||
def supported_events
|
def supported_events
|
||||||
|
|
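Review bot: `secure_compare` in `valid_token?` is constant-time only for equal-length inputs in the ActiveSupport releases that return early on a `bytesize` mismatch, so the length of `self.token` may still be observable through timing. Which release this project pins is not shown on the page. That matters little for fixed-length generated tokens, but it is worth closing if service tokens can vary in length, which is not visible here. Comparing digests of both sides removes the length dependence: `ActiveSupport::SecurityUtils.secure_compare(Digest::SHA256.hexdigest(token), Digest::SHA256.hexdigest(self.token))`. A short comment above the comparison, such as `# constant-time compare; do not replace with ==`, would also keep a later cleanup from reverting it.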