From 301455f5edcd52081620e4e55b96fdd3ff1ebe6c Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Wed, 11 Jun 2025 11:38:05 +0200
Subject: [PATCH] Self service: fix timing attack

Compare icinga_host.api_key ("known_string") via hash_equals().
---
 library/Director/Objects/IcingaHost.php | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/library/Director/Objects/IcingaHost.php b/library/Director/Objects/IcingaHost.php
index 7859324f..b5522125 100644
--- a/library/Director/Objects/IcingaHost.php
+++ b/library/Director/Objects/IcingaHost.php
@@ -585,13 +585,15 @@ class IcingaHost extends IcingaObject implements ExportInterface
         $query = $db->getDbAdapter()
             ->select()
             ->from('icinga_host')
-            ->where('api_key = ?', $key);
+            ->where('api_key IS NOT NULL')
+            ->query();

-        $result = self::loadAll($db, $query);
-        if (count($result) !== 1) {
-            throw new NotFoundError('Got invalid API key "%s"', $key);
+        foreach ($query as $row) {
+            if (hash_equals($row->api_key, $key)) {
+                return (new static())->setConnection($db)->setDbProperties($row);
+            }
         }

-        return current($result);
+        throw new NotFoundError('Got invalid API key "%s"', $key);
     }
 }
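Review bot: `hash_equals($row->api_key, $key)` throws a TypeError on PHP 8 (and warns and returns false on PHP 7) when `$key` is not a string, so if the self-service caller can hand in a non-string value the request now fails with an uncaught error where the old parameterised `WHERE` simply produced the NotFoundError; a single guard before the query, `if (!is_string($key)) { throw new NotFoundError('Got invalid API key "%s"', $key); }`, keeps the failure path uniform. The method's signature lies outside the hunk, so whether `$key` is already type-checked there cannot be confirmed from this diff. Note also that the loop returns on the first match and `hash_equals` itself short-circuits on a length mismatch, so the constant-time property holds per comparison only: it hides the key bytes, which is the goal, but a caller can still tell a key that matched from one that scanned every row — acceptable if that distinction is not sensitive. Since every request now fetches every row with a non-null key, this will not scale with a large host table; the usual alternative is to store and index a hash of the key and look it up with `WHERE api_key_hash = ?`, which avoids both the timing issue and the full scan, but that is a schema change beyond this fix.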