Use constant-time comparison for anti-csrf tokens

This is probably completely overkill, but since anti-csrf tokens are secrets, they should be compared against untrusted inputs in constant time.
miniflux · Mar 3, 2024 · da048ae · da048ae
1 parent abdd587
commit da048ae
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/internal/crypto/crypto.go b/internal/crypto/crypto.go
@@ -7,6 +7,7 @@ import (
 	"crypto/hmac"
 	"crypto/rand"
 	"crypto/sha256"
+	"crypto/subtle"
 	"encoding/base64"
 	"encoding/hex"
 	"fmt"
@@ -60,3 +61,10 @@ func GenerateUUID() string {
 	b := GenerateRandomBytes(16)
 	return fmt.Sprintf("%X-%X-%X-%X-%X", b[0:4], b[4:6], b[6:8], b[8:10], b[10:])
 }
+
+func ConstantTimeCmp(a, b string) bool {
+	if subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1 {
+		return true
+	}
+	return false
+}
diff --git a/internal/ui/middleware.go b/internal/ui/middleware.go
@@ -10,6 +10,7 @@ import (
 	"net/http"
 
 	"miniflux.app/v2/internal/config"
+	"miniflux.app/v2/internal/crypto"
 	"miniflux.app/v2/internal/http/cookie"
 	"miniflux.app/v2/internal/http/request"
 	"miniflux.app/v2/internal/http/response/html"
@@ -92,7 +93,7 @@ func (m *middleware) handleAppSession(next http.Handler) http.Handler {
 			formValue := r.FormValue("csrf")
 			headerValue := r.Header.Get("X-Csrf-Token")
 
-			if session.Data.CSRF != formValue && session.Data.CSRF != headerValue {
+			if !crypto.ConstantTimeCmp(session.Data.CSRF, formValue) && !crypto.ConstantTimeCmp(session.Data.CSRF, headerValue) {
 				slog.Warn("Invalid or missing CSRF token",
 					slog.Any("url", r.RequestURI),
 					slog.String("form_csrf", formValue),