authorleonklingele <5585491+leonklingele@users.noreply.github.com>2019-07-06 19:03:13 +0200
committertechknowlogick <techknowlogick@gitea.io>2019-07-06 13:03:13 -0400
commitef57fe4ae3c517a0bb10b81a641fb76976f404d3 (patch)
tree7fdfcc4dd36e5ec89082e5fe87560b4bc9d8f2c0 /routers
parent96b66e330b9a592093799a50219c8118de6951eb (diff)
routers: do not leak secrets via timing side channel (#7364)
* routers: do not leak secrets via timing side channel * routers/repo: do not leak secrets via timing side channel
Diffstat (limited to 'routers')
-rw-r--r--routers/metrics.go6
-rw-r--r--routers/repo/pull.go5
2 files changed, 9 insertions, 2 deletions
diff --git a/routers/metrics.go b/routers/metrics.go
index 78abd4a785..b7711dfced 100644
--- a/routers/metrics.go
+++ b/routers/metrics.go
@@ -5,6 +5,8 @@
package routers
import (
+ "crypto/subtle"
+
"github.com/prometheus/client_golang/prometheus/promhttp"
"code.gitea.io/gitea/modules/context"
@@ -22,7 +24,9 @@ func Metrics(ctx *context.Context) {
ctx.Error(401)
return
}
- if header != "Bearer "+setting.Metrics.Token {
+ got := []byte(header)
+ want := []byte("Bearer " + setting.Metrics.Token)
+ if subtle.ConstantTimeCompare(got, want) != 1 {
ctx.Error(401)
return
}
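Review bot: The new comparison at `if subtle.ConstantTimeCompare(got, want) != 1` still returns early when the two slices differ in length, so the timing of this check continues to reveal whether the supplied header has the same length as `"Bearer " + setting.Metrics.Token`; this is documented behaviour of ConstantTimeCompare, not a defect of the call itself. Whether that matters depends on whether the token length is considered sensitive, which the page does not say; if it is, comparing fixed-length digests hides it: `gotH := sha256.Sum256([]byte(header))`, `wantH := sha256.Sum256([]byte("Bearer " + setting.Metrics.Token))`, `if subtle.ConstantTimeCompare(gotH[:], wantH[:]) != 1 {`. Either way a one-line comment such as `// constant-time compare; note it still short-circuits on a length mismatch` above the check would spare the next reader the same question. The enclosing function Metrics starts outside the hunk, so the guard that produces the 401 just above this block is not visible here.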
diff --git a/routers/repo/pull.go b/routers/repo/pull.go
index 4c377bb364..cb4fa9547e 100644
--- a/routers/repo/pull.go
+++ b/routers/repo/pull.go
@@ -8,6 +8,7 @@ package repo
import (
"container/list"
+ "crypto/subtle"
"fmt"
"io"
"path"
@@ -771,7 +772,9 @@ func TriggerTask(ctx *context.Context) {
if ctx.Written() {
return
}
- if secret != base.EncodeMD5(owner.Salt) {
+ got := []byte(base.EncodeMD5(owner.Salt))
+ want := []byte(secret)
+ if subtle.ConstantTimeCompare(got, want) != 1 {
ctx.Error(404)
log.Trace("TriggerTask [%s/%s]: invalid secret", owner.Name, repo.Name)
return
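Review bot: The names in the new lines are inverted relative to the same change in routers/metrics.go: here `got` holds the server-derived value `base.EncodeMD5(owner.Salt)` and `want` holds the request-supplied `secret`, whereas in metrics.go `got` is the caller's input and `want` the configured value. Swapping the two assignments, `got := []byte(secret)` and `want := []byte(base.EncodeMD5(owner.Salt))`, keeps the comparison identical and makes the two call sites read the same way. As in metrics.go, ConstantTimeCompare returns 0 immediately on a length mismatch; since EncodeMD5 presumably yields a fixed-length hex digest, that only reveals whether `secret` has the expected length, which seems acceptable here. The enclosing function TriggerTask starts outside the hunk, so how `secret` and `owner` are obtained is not visible in this view.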