authorTatu Lund <tatu@vaadin.com>2021-02-01 17:51:22 +0200
committerGitHub <noreply@github.com>2021-02-01 17:51:22 +0200
commit7cb91b3b9995c92bfd2bfb694669f02d7fa44618 (patch)
tree6fa40e1a5728a95947a2ab59e45124102f97104d
parent885c2298fd709f4b05ee9fd4b38286c82c37cd1e (diff)
fix: use time-constant comparison for CSRF tokens (#12188)
This hardens the framework against a theoretical timing attack based on comparing how quickly a request with an invalid CSRF token is rejected. Cherry-picked from: https://github.com/vaadin/flow/pull/9875
-rw-r--r--server/src/main/java/com/vaadin/server/VaadinService.java6
-rw-r--r--uitest/src/test/java/com/vaadin/tests/VerifyBrowserVersionTest.java2
2 files changed, 6 insertions, 2 deletions
diff --git a/server/src/main/java/com/vaadin/server/VaadinService.java b/server/src/main/java/com/vaadin/server/VaadinService.java
index 31ddf7b8ba..45e71dace7 100644
--- a/server/src/main/java/com/vaadin/server/VaadinService.java
+++ b/server/src/main/java/com/vaadin/server/VaadinService.java
@@ -29,6 +29,8 @@ import java.io.Serializable;
import java.lang.reflect.Constructor;
import java.net.MalformedURLException;
import java.net.URL;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
@@ -1962,7 +1964,9 @@ public abstract class VaadinService implements Serializable {
.isXsrfProtectionEnabled()) {
String sessionToken = session.getCsrfToken();
- if (sessionToken == null || !sessionToken.equals(requestToken)) {
+ if (sessionToken == null || !MessageDigest.isEqual(
+ sessionToken.getBytes(StandardCharsets.UTF_8),
+ requestToken.getBytes(StandardCharsets.UTF_8))) {
return false;
}
}
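Review bot: The new condition dereferences `requestToken` unconditionally via `requestToken.getBytes(...)`, whereas the replaced `sessionToken.equals(requestToken)` simply returned false for a null argument, so a null request token now raises a NullPointerException instead of being rejected with `return false`. Whether a caller can actually pass null is not visible here, but the guard is cheap and keeps the old fail-closed behaviour: `if (sessionToken == null || requestToken == null || !MessageDigest.isEqual(`. Also worth noting in a comment that `MessageDigest.isEqual` returns early when the two arrays differ in length, so only the content comparison is time-constant; that is fine if the session token always has a fixed length, which this hunk does not show. The enclosing method begins and ends outside the hunk.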
diff --git a/uitest/src/test/java/com/vaadin/tests/VerifyBrowserVersionTest.java b/uitest/src/test/java/com/vaadin/tests/VerifyBrowserVersionTest.java
index 87b428a15a..4f90112990 100644
--- a/uitest/src/test/java/com/vaadin/tests/VerifyBrowserVersionTest.java
+++ b/uitest/src/test/java/com/vaadin/tests/VerifyBrowserVersionTest.java
@@ -25,7 +25,7 @@ public class VerifyBrowserVersionTest extends MultiBrowserTest {
// Chrome version does not necessarily match the desired version
// because of auto updates...
browserIdentifier = getExpectedUserAgentString(
- getDesiredCapabilities()) + "87";
+ getDesiredCapabilities()) + "88";
} else if (BrowserUtil.isFirefox(getDesiredCapabilities())) {
browserIdentifier = getExpectedUserAgentString(
getDesiredCapabilities()) + "81";