From 076cb14b3bed2610b9dc10d6181fee35b2daf416 Mon Sep 17 00:00:00 2001
From: Thaddee Tyl
Date: Sat, 25 Feb 2017 00:32:15 +0100
Subject: [PATCH] Perform constant equal comparison for shared Shields secret

This should prevent timing attacks.
---
 lib/github-auth.js | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/lib/github-auth.js b/lib/github-auth.js
index fc4ae44..a547a0e 100644
--- a/lib/github-auth.js
+++ b/lib/github-auth.js
@@ -59,7 +59,6 @@ function setRoutes(server) {
 if (!token) {
 return end('The GitHub OAuth process did not return a user token.');
 }
- console.log('GitHub OAuth: ' + token);
 ask.res.setHeader('Content-Type', 'text/html');
 end('

Shields.io has received your app-specific GitHub user token. ' +
@@ -80,8 +79,7 @@ function setRoutes(server) {
 });
 server.route(/^\/github-auth\/add-token$/, function(data, match, end, ask) {
- console.log('GitHub add token called with', JSON.stringify(data));
- if (data.shieldsSecret !== serverSecrets.shieldsSecret) {
+ if (constEq(data.shieldsSecret, serverSecrets.shieldsSecret)) {
 // An unknown entity tries to connect. Let the connection linger for a minute.
 return setTimeout(function() { end('Invalid secret.'); }, 60000);
 }
@@ -249,5 +247,14 @@ function githubRequest(request, url, query, cb) {
 });
 }
+function constEq(a, b) {
+ if (a.length !== b.length) { return false; }
+ var zero = 0;
+ for (var i = 0; i < a.length; i++) {
+ zero |= a.charCodeAt(i) ^ b.charCodeAt(i);
+ }
+ return (zero === 0);
+}
+
 exports.setRoutes = setRoutes;
 exports.request = githubRequest;
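Review bot: The new condition in the add-token route is inverted: `constEq` returns true when the two secrets match, so a correct shared secret now lands in the `'Invalid secret.'` branch and a wrong one falls through to the token-adding code that follows. The removed line tested `!==`, so the replacement must negate the call: `if (!constEq(data.shieldsSecret, serverSecrets.shieldsSecret)) {`. The route callback, and the code that runs after this check, continue outside the hunk, so the effect on a wrong secret is inferred from the removed comparison rather than visible here.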
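Review bot: `constEq` reads `a.length` and `b.length` without checking that both arguments are strings, so a request body that omits `shieldsSecret` (or sends a non-string) makes the add-token route throw a TypeError instead of reaching its `'Invalid secret.'` branch; the caller in the previous hunk passes `data.shieldsSecret` straight from the request. A guard at the top keeps the function total: `if (typeof a !== 'string' || typeof b !== 'string') { return false; }`. The early `return false` on a length mismatch still exposes the secret's length through timing, which is commonly accepted for a server-side shared secret but worth stating in a comment; if the project's Node version provides `crypto.timingSafeEqual`, delegating the equal-length comparison to it (`crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b))`, still after a length check since it throws on unequal lengths) avoids maintaining a hand-rolled loop. A one-line JSDoc such as `/** Compares two strings in time that depends only on a.length, not on where they differ. */` would document the intent for the next reader.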