From 9d042ad585d62f26ee9983bddfe5f4e2cb78a9b6 Mon Sep 17 00:00:00 2001
From: "stonezdj(Daojun Zhang)"
Date: Mon, 22 May 2023 16:16:52 +0800
Subject: [PATCH] Use subtle.ConstantTimeCompare instead of compare directly (#18697)

Signed-off-by: stonezdj
---
 src/jobservice/api/authenticator.go | 3 ++-
 src/registryctl/auth/secret.go | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/jobservice/api/authenticator.go b/src/jobservice/api/authenticator.go
index cced73415d..6c68395021 100644
--- a/src/jobservice/api/authenticator.go
+++ b/src/jobservice/api/authenticator.go
@@ -15,6 +15,7 @@
 package api
 
 import (
+	"crypto/subtle"
 	"errors"
 	"fmt"
 	"net/http"
@@ -66,7 +67,7 @@ func (sa *SecretAuthenticator) DoAuth(req *http.Request) error {
 	}
 
 	expectedSecret := config.GetUIAuthSecret()
-	if expectedSecret != secret {
+	if subtle.ConstantTimeCompare([]byte(expectedSecret), []byte(secret)) == 0 {
 		return errors.New("unauthorized")
 	}
 
diff --git a/src/registryctl/auth/secret.go b/src/registryctl/auth/secret.go
index b9567a6906..483359fb9a 100644
--- a/src/registryctl/auth/secret.go
+++ b/src/registryctl/auth/secret.go
@@ -15,6 +15,7 @@
 package auth
 
 import (
+	"crypto/subtle"
 	"errors"
 	"net/http"
 	"strings"
@@ -54,7 +55,7 @@ func (s *secretHandler) AuthorizeRequest(req *http.Request) error {
 	secInReq := strings.TrimPrefix(auth, HarborSecret)
 
 	for _, v := range s.secrets {
-		if secInReq == v {
+		if subtle.ConstantTimeCompare([]byte(secInReq), []byte(v)) == 1 {
 			return nil
 		}
 	}
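Review bot: The new check in DoAuth is constant-time only for equal-length inputs — subtle.ConstantTimeCompare returns 0 immediately when the two slices differ in length, so the rewrite hides the bytes of the expected secret but not its length; the same applies to the matching line in AuthorizeRequest in src/registryctl/auth/secret.go. That is the documented behaviour of the primitive and is normally acceptable for a fixed-length generated secret, but the reader should not be left assuming a fully constant-time comparison, so a short comment above the call would help: `// ConstantTimeCompare hides the secret's bytes, not its length; a length mismatch is rejected at once.` Separately, nothing in the hunk rejects an empty configured secret, and with this comparison an empty expectedSecret would match an empty presented secret; if config.GetUIAuthSecret can return "" when unset (not visible here), a guard such as `if expectedSecret == "" { return errors.New("unauthorized") }` before the compare would be worth adding. DoAuth's body begins outside the hunk.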
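Review bot: The two call sites introduced by this commit read the same primitive with opposite polarity — AuthorizeRequest accepts on `== 1` while DoAuth in src/jobservice/api/authenticator.go rejects on `== 0` — which is correct in both places but easy to misread when the checks are later compared side by side; picking one form for all secret comparisons in the tree would be a reasonable follow-up. A why-comment on the loop would also help, e.g. `// Compare in constant time so a rejected secret cannot be told apart from a near-match by timing.` Note that the loop still returns on the first matching entry, so the number of comparisons performed varies with which configured secret matched; that reveals at most the position of a valid entry, not its bytes, and is presumably acceptable here. AuthorizeRequest's body begins outside the hunk.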