Skip to content

use constant-time string compare for internal api authentication

gitlab-qa-bot requested to merge github/fork/Mic92/master into master

Created by: Mic92

Ruby str_equal uses memcmp internally to compare String. Memcmp is vunerable to timing attacs because it returns early on mismatch (on most x32 platforms memcmp uses a bytewise comparision). Devise.secure_compare implements a constant time comparision instead.

Merge request reports

Loading