From c471babc69e3a4899420c1a47dcfffe3b31419aa Mon Sep 17 00:00:00 2001
From: Michael
Date: Sun, 10 Mar 2019 04:24:36 +1100
Subject: [PATCH] Use a timing-safe equality check for passwords (#133)

---
 packages/server/package.json | 2 ++
 packages/server/src/server.ts | 3 ++-
 packages/server/yarn.lock | 12 ++++++++++++
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/packages/server/package.json b/packages/server/package.json
index 81d5ca7bb..a231aecd8 100644
--- a/packages/server/package.json
+++ b/packages/server/package.json
@@ -19,6 +19,7 @@
 "node-netstat": "^1.6.0",
 "pem": "^1.14.1",
 "promise.prototype.finally": "^3.1.0",
+ "safe-compare": "^1.1.4",
 "ws": "^6.1.2",
 "xhr2": "^0.1.4"
 },
@@ -28,6 +29,7 @@
 "@types/mime-types": "^2.1.0",
 "@types/opn": "^5.1.0",
 "@types/pem": "^1.9.4",
+ "@types/safe-compare": "^1.1.0",
 "@types/ws": "^6.0.1",
 "fs-extra": "^7.0.1",
 "nexe": "^2.0.0-rc.34",
diff --git a/packages/server/src/server.ts b/packages/server/src/server.ts
index a30dcc987..b7b2a6efc 100644
--- a/packages/server/src/server.ts
+++ b/packages/server/src/server.ts
@@ -16,6 +16,7 @@ import * as path from "path";
 import * as pem from "pem";
 import * as util from "util";
 import * as ws from "ws";
+import safeCompare = require("safe-compare");
 import { TunnelCloseCode } from "@coder/tunnel/src/common";
 import { handle as handleTunnel } from "@coder/tunnel/src/server";
 import { createPortScanner } from "./portScanner";
@@ -67,7 +68,7 @@ export const createApp = async (options: CreateAppOptions): Promise<{
 // Try/catch placed here just in case
 const cookies = parseCookies(req);
- if (cookies.password && cookies.password === options.password) {
+ if (cookies.password && safeCompare(cookies.password, options.password)) {
 return true;
 }
 } catch (ex) {
diff --git a/packages/server/yarn.lock b/packages/server/yarn.lock
index b32dbfe48..ea9514c2c 100644
--- a/packages/server/yarn.lock
+++ b/packages/server/yarn.lock
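Review bot: The new condition in the `@@ -67,7 +68,7 @@` hunk no longer guards against `options.password` being unset: the old `===` was simply false against `undefined`, but `safe-compare` (as far as I recall its 1.x implementation) coerces both arguments with `String()` before the constant-time compare, so a cookie whose value is literally `undefined` would match an unset password. `CreateAppOptions` is not in the hunk, so whether the password can be empty or undefined needs confirming; if it can, the check should require it explicitly, e.g. `if (cookies.password && options.password && safeCompare(cookies.password, options.password)) {`. A short comment on that line would also help the next reader, e.g. `// Constant-time compare so response timing does not leak how many leading characters matched.` The surrounding try/catch and the `createApp` callback both start and end outside the hunk.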
@@ -148,6 +148,11 @@ resolved "https://registry.yarnpkg.com/@types/range-parser/-/range-parser-1.2.3.tgz#7ee330ba7caafb98090bece86a5ee44115904c2c" integrity sha512-ewFXqrQHlFsgc09MK5jP5iR7vumV/BYayNC6PgJO2LPe8vrnNFyjQjSppfEngITi0qvfKtzFvgKymGheFM9UOA== +"@types/safe-compare@^1.1.0": + version "1.1.0" + resolved "https://registry.yarnpkg.com/@types/safe-compare/-/safe-compare-1.1.0.tgz#47ed9b9ca51a3a791b431cd59b28f47fa9bf1224" + integrity sha512-1ri+LJhh0gRxIa37IpGytdaW7yDEHeJniBSMD1BmitS07R1j63brcYCzry+l0WJvGdEKQNQ7DYXO2epgborWPw== + "@types/serve-static@*": version "1.13.2" resolved "https://registry.yarnpkg.com/@types/serve-static/-/serve-static-1.13.2.tgz#f5ac4d7a6420a99a6a45af4719f4dcd8cd907a48" @@ -3155,6 +3160,13 @@ safe-buffer@5.1.2, safe-buffer@^5.0.1, safe-buffer@^5.1.1, safe-buffer@^5.1.2, s resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.2.tgz#991ec69d296e0313747d59bdfd2b745c35f8828d" integrity sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g== +safe-compare@^1.1.4: + version "1.1.4" + resolved "https://registry.yarnpkg.com/safe-compare/-/safe-compare-1.1.4.tgz#5e0128538a82820e2e9250cd78e45da6786ba593" + integrity sha512-b9wZ986HHCo/HbKrRpBJb2kqXMK9CEWIE1egeEvZsYn69ay3kdfl9nG3RyOcR+jInTDf7a86WQ1d4VJX7goSSQ== + dependencies: + buffer-alloc "^1.2.0" + safe-regex@^1.1.0: version "1.1.0" resolved "https://registry.yarnpkg.com/safe-regex/-/safe-regex-1.1.0.tgz#40a3669f3b077d1e943d44629e157dd48023bf2e"