From 17d3ff2d775f61aee381d90a304ed416c08f33fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C4=99drzej=20Stuczy=C5=84ski?=
Date: Mon, 24 Feb 2025 09:04:34 +0000
Subject: [PATCH] feat: use ct_eq for checking bearer token (#5501)

---
 Cargo.lock                                           | 1 +
 common/http-api-common/Cargo.toml                    | 1 +
 common/http-api-common/src/middleware/bearer_auth.rs | 3 ++-
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/Cargo.lock b/Cargo.lock
index 4178cfb4de..582804e39d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -5940,6 +5940,7 @@ dependencies = [
  "serde",
  "serde_json",
  "serde_yaml",
+ "subtle 2.6.1",
  "tower 0.5.2",
  "tracing",
  "utoipa",
diff --git a/common/http-api-common/Cargo.toml b/common/http-api-common/Cargo.toml
index e00af2e4ef..e8cf08b103 100644
--- a/common/http-api-common/Cargo.toml
+++ b/common/http-api-common/Cargo.toml
@@ -20,6 +20,7 @@ mime = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
 serde_json.workspace = true
 serde_yaml = { workspace = true }
+subtle.workspace = true
 tower = { workspace = true }
 tracing.workspace = true
 utoipa = { workspace = true, optional = true }
diff --git a/common/http-api-common/src/middleware/bearer_auth.rs b/common/http-api-common/src/middleware/bearer_auth.rs
index 68867f32a3..bb334ab944 100644
--- a/common/http-api-common/src/middleware/bearer_auth.rs
+++ b/common/http-api-common/src/middleware/bearer_auth.rs
@@ -7,6 +7,7 @@ use axum::{extract::Request, response::Response};
 use futures::future::BoxFuture;
 use std::sync::Arc;
 use std::task::{Context, Poll};
+use subtle::ConstantTimeEq;
 use tower::{Layer, Service};
 use tracing::{debug, instrument, trace};
 use zeroize::Zeroizing;
@@ -76,7 +77,7 @@ impl RequireAuth {
             return Err("`Authorization` header must contain non-empty `Bearer` token");
         }
 
-        if self.bearer_token.as_str() != bearer_token {
+        if bool::from(self.bearer_token.as_bytes().ct_ne(bearer_token.as_bytes())) {
             return Err("`Authorization` header does not contain the correct `Bearer` token");
         }
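Review bot: The new comparison in the second bearer_auth.rs hunk is constant-time only for inputs of equal length: subtle's `ConstantTimeEq` impl for slices returns early when the two lengths differ, so a wrong-length token is rejected measurably faster and the configured token's length stays timing-observable even though its bytes no longer are. That is a far smaller leak than the byte-by-byte `!=` it replaces and is likely acceptable here, but it is worth recording on the line so nobody later reads `ct_ne` as a blanket guarantee, e.g. `// ct_ne short-circuits on length mismatch: only the token's length is timing-observable, not its content.` If the length must not leak either, comparing fixed-size digests of both values would close it at the cost of one hash per request. The enclosing function's signature and the surrounding `impl RequireAuth` continue outside the hunk, and the hunk's final context line appears to be cut off in this rendering.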