Request Forgery Timing Attack
Original at https://dev.gitlab.org/gitlab/gitlabhq/issues/2634
Zendesk issue: https://gitlab.zendesk.com/agent/tickets/12301
A user reports that they believe we have a potential timing attack where a CSRF token could be recovered. Their message:
The link is at https://github.com/gitlabhq/gitlabhq/blob/145d93388042bd1eb75fc46e0fa1430d534770c5/lib/omni_auth/request_forgery_protection.rb#L53
It would be difficult to carry out, but it seems possible to carry out a timing attack on the above (and thus recover a user's csrf token) if someone were to stay on a page with malicious javascript for long enough. (I believe ruby's "==" uses strcmp under the hood and thus the time taken during comparison depends upon the number of matching bytes) For reference, in a file in Rails with the same name:
It seems like they use ActiveSupport::SecurityUtils.secure_compare to validate CSRF tokens, and something along those lines would seem less risky. I have not had a chance to fire up a test instance of gitlab to determine feasibility yet, but I figured I'd go ahead and report this.
(By the way, I love gitlab, it's a joy to use.)
Thanks,
Joshua Maddux