Cargo,web/builds: use constant_time_eq for security

pflanze · syphar · commit fa81f7087144 · 2024-07-11T18:11:51.000+02:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -109,6 +109,7 @@ chrono = { version = "0.4.11", default-features = false, features = ["clock", "s
 # Transitive dependencies we don't use directly but need to have specific versions of
 thread_local = "1.1.3"
 humantime = "2.1.0"
+constant_time_eq = "0.3.0"
 
 [dependencies.postgres]
 version = "0.19"
diff --git a/src/config.rs b/src/config.rs
@@ -41,7 +41,8 @@ pub struct Config {
     // Gitlab authentication
     pub(crate) gitlab_accesstoken: Option<String>,
 
-    // Access token for APIs for crates.io
+    // Access token for APIs for crates.io (careful: use
+    // constant_time_eq for comparisons!)
     pub(crate) cratesio_token: Option<String>,
 
     // amount of retries for external API calls, mostly crates.io
diff --git a/src/web/builds.rs b/src/web/builds.rs
@@ -24,6 +24,7 @@ use axum_extra::{
     TypedHeader,
 };
 use chrono::{DateTime, Utc};
+use constant_time_eq::constant_time_eq;
 use http::StatusCode;
 use semver::Version;
 use serde::Serialize;
@@ -192,7 +193,7 @@ pub(crate) async fn build_trigger_rebuild_handler(
     let TypedHeader(auth_header) = opt_auth_header.ok_or(JsonAxumNope(AxumNope::Unauthorized(
         "Missing authentication token",
     )))?;
-    if auth_header.token() != expected_token {
+    if !constant_time_eq(auth_header.token().as_bytes(), expected_token.as_bytes()) {
         return Err(JsonAxumNope(AxumNope::Unauthorized(
             "The token used for authentication is not valid",
         )));
