fix: prevent timing attack in GitLab webhook token validation
Replace insecure !== operator with hash_equals() for constant-time string comparison when validating GitLab webhook tokens. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
parent
8e002e0558
commit
7a305fd2cd
1 changed files with 1 additions and 1 deletions
@ -100,7 +100,7 @@ public function manual(Request $request)
|
|||
}
|
||||
foreach ($applications as $application) {
|
||||
$webhook_secret = data_get($application, 'manual_webhook_secret_gitlab');
|
||||
if ($webhook_secret !== $x_gitlab_token) {
|
||||
if (! hash_equals($webhook_secret ?? '', $x_gitlab_token ?? '')) {
|
||||
$return_payloads->push([
|
||||
'application' => $application->name,
|
||||
'status' => 'failed',
|
||||