From 7cb91b3b9995c92bfd2bfb694669f02d7fa44618 Mon Sep 17 00:00:00 2001
From: Tatu Lund <tatu@vaadin.com>
Date: Mon, 1 Feb 2021 17:51:22 +0200
Subject: [PATCH] fix: use time-constant comparison for CSRF tokens (#12188)

This hardens the framework against a theoretical timing attack based on
comparing how quickly a request with an invalid CSRF token is rejected.

Cherry-picked from: https://github.com/vaadin/flow/pull/9875
---
 server/src/main/java/com/vaadin/server/VaadinService.java   | 6 +++++-
 .../java/com/vaadin/tests/VerifyBrowserVersionTest.java     | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/server/src/main/java/com/vaadin/server/VaadinService.java b/server/src/main/java/com/vaadin/server/VaadinService.java
index 31ddf7b8ba..45e71dace7 100644
--- a/server/src/main/java/com/vaadin/server/VaadinService.java
+++ b/server/src/main/java/com/vaadin/server/VaadinService.java
@@ -29,6 +29,8 @@ import java.io.Serializable;
 import java.lang.reflect.Constructor;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
@@ -1962,7 +1964,9 @@ public abstract class VaadinService implements Serializable {
                 .isXsrfProtectionEnabled()) {
             String sessionToken = session.getCsrfToken();
 
-            if (sessionToken == null || !sessionToken.equals(requestToken)) {
+            if (sessionToken == null || !MessageDigest.isEqual(
+                    sessionToken.getBytes(StandardCharsets.UTF_8),
+                    requestToken.getBytes(StandardCharsets.UTF_8))) {
                 return false;
             }
         }
diff --git a/uitest/src/test/java/com/vaadin/tests/VerifyBrowserVersionTest.java b/uitest/src/test/java/com/vaadin/tests/VerifyBrowserVersionTest.java
index 87b428a15a..4f90112990 100644
--- a/uitest/src/test/java/com/vaadin/tests/VerifyBrowserVersionTest.java
+++ b/uitest/src/test/java/com/vaadin/tests/VerifyBrowserVersionTest.java
@@ -25,7 +25,7 @@ public class VerifyBrowserVersionTest extends MultiBrowserTest {
             // Chrome version does not necessarily match the desired version
             // because of auto updates...
             browserIdentifier = getExpectedUserAgentString(
-                    getDesiredCapabilities()) + "87";
+                    getDesiredCapabilities()) + "88";
         } else if (BrowserUtil.isFirefox(getDesiredCapabilities())) {
             browserIdentifier = getExpectedUserAgentString(
                     getDesiredCapabilities()) + "81";
-- 
2.39.5