From 7cb91b3b9995c92bfd2bfb694669f02d7fa44618 Mon Sep 17 00:00:00 2001
From: Tatu Lund
Date: Mon, 1 Feb 2021 17:51:22 +0200
Subject: fix: use time-constant comparison for CSRF tokens (#12188)
This hardens the framework against a theoretical timing attack based on comparing how quickly a request with an invalid CSRF token is rejected.
Cherry-picked from: https://github.com/vaadin/flow/pull/9875
---
 server/src/main/java/com/vaadin/server/VaadinService.java | 6 +++++-
 uitest/src/test/java/com/vaadin/tests/VerifyBrowserVersionTest.java | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/server/src/main/java/com/vaadin/server/VaadinService.java b/server/src/main/java/com/vaadin/server/VaadinService.java
index 31ddf7b8ba..45e71dace7 100644
--- a/server/src/main/java/com/vaadin/server/VaadinService.java
+++ b/server/src/main/java/com/vaadin/server/VaadinService.java
@@ -29,6 +29,8 @@ import java.io.Serializable;
 import java.lang.reflect.Constructor;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
@@ -1962,7 +1964,9 @@ public abstract class VaadinService implements Serializable {
 .isXsrfProtectionEnabled()) {
 String sessionToken = session.getCsrfToken();
- if (sessionToken == null || !sessionToken.equals(requestToken)) {
+ if (sessionToken == null || !MessageDigest.isEqual(
+ sessionToken.getBytes(StandardCharsets.UTF_8),
+ requestToken.getBytes(StandardCharsets.UTF_8))) {
 return false;
 }
 }
diff --git a/uitest/src/test/java/com/vaadin/tests/VerifyBrowserVersionTest.java b/uitest/src/test/java/com/vaadin/tests/VerifyBrowserVersionTest.java
index 87b428a15a..4f90112990 100644
--- a/uitest/src/test/java/com/vaadin/tests/VerifyBrowserVersionTest.java
+++ b/uitest/src/test/java/com/vaadin/tests/VerifyBrowserVersionTest.java
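Review bot: The rewritten check in the second VaadinService hunk calls `requestToken.getBytes(StandardCharsets.UTF_8)` unconditionally, so a request that carries no token would now fail with a NullPointerException where the old `sessionToken.equals(requestToken)` quietly returned false; whether `requestToken` can actually be null depends on the callers, which are outside this hunk, but if it can, the guard should read `if (sessionToken == null || requestToken == null || !MessageDigest.isEqual(` (note that `MessageDigest.isEqual` itself tolerates a null array, so the only unguarded dereference is the `getBytes` call). The constant-time form also deserves a why-comment so the next maintainer does not "simplify" it back to `equals`, e.g. `// MessageDigest.isEqual takes the same time however early the tokens diverge, so an invalid token cannot be refined byte by byte from response timing`. The enclosing method's signature and the start of the surrounding if-block are outside the hunk.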
@@ -25,7 +25,7 @@ public class VerifyBrowserVersionTest extends MultiBrowserTest {
 // Chrome version does not necessarily match the desired version
 // because of auto updates...
 browserIdentifier = getExpectedUserAgentString(
- getDesiredCapabilities()) + "87";
+ getDesiredCapabilities()) + "88";
 } else if (BrowserUtil.isFirefox(getDesiredCapabilities())) {
 browserIdentifier = getExpectedUserAgentString(
 getDesiredCapabilities()) + "81";
-- cgit v1.2.3