8000 routers: do not leak secrets via timing side channel by leonklingele · Pull Request #7364 · go-gitea/gitea · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

routers: do not leak secrets via timing side channel #7364

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jul 6, 2019
Merged

routers: do not leak secrets via timing side channel #7364

merged 4 commits into from
Jul 6, 2019

Conversation

leonklingele
Copy link
Contributor

No description provided.

leonklingele
leonklingele commented Jul 6, 2019
View reviewed changes
routers/repo/pull.go
8000
@@ -771,7 +772,9 @@ func TriggerTask(ctx *context.Context) {
if ctx.Written() {
return
}
if secret != base.EncodeMD5(owner.Salt) {
got := []byte(base.EncodeMD5(owner.Salt))
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why does this

  1. use md5?
  2. use owner's salt instead of some secret?

And who calls this API? Couldn't find any callers inside gitea itself.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Jul 6, 2019
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Jul 6, 2019
@codecov-io
Copy link
codecov-io commented Jul 6, 2019
edited
Loading

Codecov Report

Merging #7364 into master will increase coverage by <.01%.
The diff coverage is 0%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #7364      +/-   ##
==========================================
+ Coverage   41.24%   41.25%   +<.01%     
==========================================
  Files         467      467              
  Lines       63291    63295       +4     
==========================================
+ Hits        26107    26111       +4     
+ Misses      33769    33768       -1     
- Partials     3415     3416       +1
Impacted Files Coverage Δ
routers/metrics.go 0% <0%> (ø) ⬆️
routers/repo/pull.go 31.62% <0%> (-0.09%) ⬇️
modules/process/manager.go 76.81% <0%> (-4.35%) ⬇️
models/repo_list.go 72.08% <0%> (-1.02%) ⬇️
models/gpg_key.go 56.66% <0%> (+0.83%) ⬆️
routers/repo/view.go 43.25% <0%> (+1.01%) ⬆️
models/unit.go 67.56% <0%> (+5.4%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 96b66e3...0efbb49. Read the comment docs.

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jul 6, 2019
@techknowlogick techknowlogick merged commit ef57fe4 into go-gitea:master Jul 6, 2019
@zeripath zeripath added this to the 1.9.0 milestone Jul 6, 2019
jeffliu27 pushed a commit to jeffliu27/gitea that referenced this pull request Jul 18, 2019
@leonklingele @jeffliu27
routers: do not leak secrets via timing side channel (go-gitea#7364)
71df1a3 
* routers: do not leak secrets via timing side channel

* routers/repo: do not leak secrets via timing side channel
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@lunny lunny lunny approved these changes

@zeripath zeripath zeripath approved these changes

Assignees
No one assigned
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. type/bug
Projects
None yet
Milestone
1.9.0
Development

Successfully merging this pull request may close these issues.
6 participants
@leonklingele @codecov-io @lunny @zeripath @techknowlogick @GiteaBot
0