fix: use time-constant comparison for CSRF tokens (#12190)
authorTatu Lund <tatu@vaadin.com>
Thu, 4 Feb 2021 12:23:19 +0000 (14:23 +0200)
committerGitHub <noreply@github.com>
Thu, 4 Feb 2021 12:23:19 +0000 (14:23 +0200)
This hardens the framework against a theoretical timing attack based on
comparing how quickly a request with an invalid CSRF token is rejected.

Backporting of #12188

server/src/main/java/com/vaadin/server/VaadinService.java

index ada9a8b875f863187dfa7f1ab40e390751ac9cb7..ff1a7663d5e3b6917ea45178728c903f0043c645 100644 (file)
@@ -24,10 +24,12 @@ import java.io.OutputStream;
 import java.io.OutputStreamWriter;
 import java.io.PrintWriter;
 import java.io.Serializable;
+import java.io.UnsupportedEncodingException;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.Method;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.security.MessageDigest;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
@@ -1761,7 +1763,15 @@ public abstract class VaadinService implements Serializable {
                 .isXsrfProtectionEnabled()) {
             String sessionToken = session.getCsrfToken();
 
-            if (sessionToken == null || !sessionToken.equals(requestToken)) {
+            try {
+                if (sessionToken == null || !MessageDigest.isEqual(
+                        sessionToken.getBytes("UTF-8"),
+                        requestToken.getBytes("UTF-8"))) {
+                    return false;
+                }
+            } catch (UnsupportedEncodingException e) {
+                getLogger().log(Level.WARNING,
+                        "Session token was not UTF-8, this should never happen.");
                 return false;
             }
         }
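Review bot: The new comparison on the `MessageDigest.isEqual(` line dereferences `requestToken` unconditionally, so a request that carries no token (`requestToken == null`) now throws a NullPointerException where the replaced `sessionToken.equals(requestToken)` simply returned false; unless the enclosing method, whose start lies outside this hunk, or its callers already reject a null token, the guard should read `if (sessionToken == null || requestToken == null || !MessageDigest.isEqual(sessionToken.getBytes("UTF-8"), requestToken.getBytes("UTF-8")))`. A missing token is still an invalid token, so returning false before the byte comparison does not weaken the check. Separately, `getBytes(StandardCharsets.UTF_8)` would remove the checked UnsupportedEncodingException and the catch block with it, since UTF-8 is a charset every JVM must support; if the catch is kept, passing `e` as the third argument of `getLogger().log(...)` preserves the cause in the log entry.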