From 8a8214113b3d484e520a10804ccc17291cfd6729 Mon Sep 17 00:00:00 2001
From: Jason Song
Date: Fri, 4 Nov 2022 18:31:40 +0800
Subject: [PATCH] fix: use subtle compare
---
 models/bots/task.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/models/bots/task.go b/models/bots/task.go
index c8f1865d99..a2cb93ca3b 100644
--- a/models/bots/task.go
+++ b/models/bots/task.go
@@ -7,6 +7,7 @@ package bots
 import (
 "bytes"
 "context"
+ "crypto/subtle"
 "encoding/binary"
 "errors"
 "fmt"
@@ -266,7 +267,7 @@ func GetTaskByToken(ctx context.Context, token string) (*Task, error) {
 for _, t := range tasks {
 tempHash := auth_model.HashToken(token, t.TokenSalt)
- if t.TokenHash == tempHash {
+ if subtle.ConstantTimeCompare([]byte(t.TokenHash), []byte(tempHash)) == 1 {
 if successfulTokenTaskCache != nil {
 successfulTokenTaskCache.Add(token, t.ID)
 }
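Review bot: The new `subtle.ConstantTimeCompare` check in `GetTaskByToken` carries no comment saying why it is constant-time, so a later cleanup could turn it back into `==` without anyone noticing the regression. I would add `// constant-time compare: timing must not reveal how much of the hash matched; do not replace with ==` directly above the `if`. `ConstantTimeCompare` returns 0 immediately when the two slices differ in length, which is harmless only if `t.TokenHash` is always produced by `auth_model.HashToken` and so has the same length as `tempHash`; that looks like the intent but is not visible here and is worth confirming. The body of `GetTaskByToken` starts and ends outside this hunk, so the candidate query and the cache lookup path were not reviewed.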