fix: constant-time comparison of grpc-gateway tickets (#5031)

Update GRPC Gateway tickets to compare tickets in constant-time
2 years ago · e6d355b65a
parent 1c62470ba6
commit e6d355b65a
1 changed files with 2 additions and 1 deletions
--- a/internal/daemon/controller/interceptor.go
+++ b/internal/daemon/controller/interceptor.go
@ -5,6 +5,7 @@ package controller

 import (
 	"context"
+	"crypto/subtle"
 	"fmt"
 	"net/http"
 	"reflect"
@ -242,7 +243,7 @@ func sharedRequestInterceptorLogic(
 	switch {
 	case requestInfo.Ticket == "":
 		return nil, errors.New(interceptorCtx, errors.Internal, op, "Invalid context (missing ticket)")
-	case requestInfo.Ticket != ticket:
+	case subtle.ConstantTimeCompare([]byte(requestInfo.Ticket), []byte(ticket)) != 1:
 		return nil, errors.New(interceptorCtx, errors.Internal, op, "Invalid context (bad ticket)")
 	}