
Use a timing-safe equality check for passwords (#133)

Michael
2019-03-10 04:24:36 +11:00
committed by Kyle Carberry
parent d7a66e4f15
commit c471babc69
3 changed files with 16 additions and 1 deletions


@ -16,6 +16,7 @@ import * as path from "path";
import * as pem from "pem";
import * as util from "util";
import * as ws from "ws";
import safeCompare = require("safe-compare");
import { TunnelCloseCode } from "@coder/tunnel/src/common";
import { handle as handleTunnel } from "@coder/tunnel/src/server";
import { createPortScanner } from "./portScanner";
@ -67,7 +68,7 @@ export const createApp = async (options: CreateAppOptions): Promise<{
// Try/catch placed here just in case
const cookies = parseCookies(req);
if (cookies.password && cookies.password === options.password) {
if (cookies.password && safeCompare(cookies.password, options.password)) {
return true;
}
} catch (ex) {