2019 Q1 Recurity Assessment: Information Exposure Through Timing Discrepancy
During the OAuth authentication process, the application attempts to validate a parameter in an insecure way, potentially exposing data. As can be seen in the following code from ee/lib/gitlab/geo/oauth/login_state.rb, the non-constant-time comparison operator == is used to verify the validity of the provided HMAC.
    def valid?
      return false unless salt.present? && hmac.present?

      hmac == generate_hmac
    end
Because of the way this operator works (it returns as soon as the first differing byte is found), the comparison "xecret" == "secret" is resolved significantly faster than "secrex" == "secret".
Since the HMAC contains the parameter redirect_to, this issue could be used to guess the correct hash for an arbitrary URL of the attacker's choice, forwarding the user to an attacker-controlled URL.
However, it should be noted that the amount of effort required to exploit this issue is disproportionately high compared to its impact.
Observe the code at
Recurity Labs recommends choosing a constant-time comparison, such as secure_compare from Rails.
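The following is an added example written for this write-up; it is not GitLab's code and not part of the assessment. It reproduces the shape of the login-state check quoted above (a salt and a redirect_to protected by an HMAC) and places the vulnerable == check beside a hardened valid? that uses a constant-time comparison. Because ActiveSupport is not assumed to be installed, the example uses OpenSSL.fixed_length_secure_compare where the running Ruby provides it and otherwise falls back to the XOR-fold loop that Rails' ActiveSupport::SecurityUtils.secure_compare uses in pure Ruby; SECRET_KEY, the message layout "salt:redirect_to", and the LoginState class are constructed for the example.

```ruby
require 'openssl'

# Constructed placeholder key; a real deployment keeps this in its secrets store.
SECRET_KEY = 'constructed-example-key-not-a-real-secret'.freeze

# Constant-time comparison of two strings.
# The length check leaks only the length, which is public here: an HMAC-SHA256
# hex digest is always 64 characters. Every byte after that is examined
# regardless of where (or whether) the strings differ, so timing does not
# depend on how many leading bytes an attacker has guessed correctly.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  if OpenSSL.respond_to?(:fixed_length_secure_compare)
    return OpenSSL.fixed_length_secure_compare(a, b)
  end

  # Pure-Ruby fallback: OR together the XOR of every byte pair.
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Constructed stand-in for the Geo OAuth login state: salt and redirect_to are
# covered by an HMAC so that neither can be changed by the client.
class LoginState
  attr_reader :salt, :redirect_to, :hmac

  def initialize(salt:, redirect_to:, hmac:)
    @salt = salt
    @redirect_to = redirect_to
    @hmac = hmac
  end

  # HMAC over both protected fields (assumed message layout for the example).
  def self.hmac_for(salt, redirect_to)
    OpenSSL::HMAC.hexdigest('SHA256', SECRET_KEY, "#{salt}:#{redirect_to}")
  end

  # Server-side issuance: the state carries a correct HMAC for its fields.
  def self.issue(salt:, redirect_to:)
    new(salt: salt, redirect_to: redirect_to, hmac: hmac_for(salt, redirect_to))
  end

  def generate_hmac
    self.class.hmac_for(salt, redirect_to)
  end

  # The pattern from the finding: String#== stops at the first mismatching byte,
  # so the time it takes depends on how much of the HMAC prefix is correct.
  def valid_insecure?
    return false unless present?(salt) && present?(hmac)

    hmac == generate_hmac
  end

  # Hardened check: same result, but the comparison time is independent of
  # where the supplied HMAC differs from the expected one.
  def valid?
    return false unless present?(salt) && present?(hmac)

    constant_time_equal?(hmac, generate_hmac)
  end

  private

  # Minimal stand-in for ActiveSupport's present? (nil or empty is "blank").
  def present?(value)
    !value.nil? && !value.to_s.empty?
  end
end
```

Both checks accept a genuine state and reject a tampered redirect_to; the difference is only in how long the rejection takes, which is exactly the signal the finding describes. Passing a wrong-length value to OpenSSL.fixed_length_secure_compare raises ArgumentError, which is why the wrapper compares lengths first.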