From 7a305fd2cd6866de28c7ff094c66bb8b182d3e7e Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 7 Jan 2026 15:23:48 +0100
Subject: [PATCH] fix: prevent timing attack in GitLab webhook token validation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace insecure !== operator with hash_equals() for constant-time
string comparison when validating GitLab webhook tokens.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 app/Http/Controllers/Webhook/Gitlab.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/Http/Controllers/Webhook/Gitlab.php b/app/Http/Controllers/Webhook/Gitlab.php
index 5b8dd5686..34a5266ca 100644
--- a/app/Http/Controllers/Webhook/Gitlab.php
+++ b/app/Http/Controllers/Webhook/Gitlab.php
@@ -100,7 +100,7 @@ public function manual(Request $request)
             }
             foreach ($applications as $application) {
                 $webhook_secret = data_get($application, 'manual_webhook_secret_gitlab');
-                if ($webhook_secret !== $x_gitlab_token) {
+                if (! hash_equals($webhook_secret ?? '', $x_gitlab_token ?? '')) {
                     $return_payloads->push([
                         'application' => $application->name,
                         'status' => 'failed',