From cc5501adb555ca32c7d3c3ff860d92694566e252 Mon Sep 17 00:00:00 2001
From: Connor Edwards <38229097+cedws@users.noreply.github.com>
Date: Thu, 14 Jul 2022 17:40:32 +0100
Subject: [PATCH] fix: use constant time comparison of webhook secret in gitlab event validator
---
 server/controllers/events/gitlab_request_parser_validator.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/controllers/events/gitlab_request_parser_validator.go b/server/controllers/events/gitlab_request_parser_validator.go
index 9755bd5d9e..b92fd4df81 100644
--- a/server/controllers/events/gitlab_request_parser_validator.go
+++ b/server/controllers/events/gitlab_request_parser_validator.go
@@ -14,6 +14,7 @@ package events
 import (
+ "crypto/subtle"
 "encoding/json"
 "fmt"
 "io"
@@ -61,8 +62,7 @@ func (d *DefaultGitlabRequestParserValidator) ParseAndValidate(r *http.Request,
 // Validate secret if specified.
 headerSecret := r.Header.Get(secretHeader)
- secretStr := string(secret)
- if len(secret) != 0 && headerSecret != secretStr {
+ if len(secret) != 0 && subtle.ConstantTimeCompare(secret, []byte(headerSecret)) != 1 {
 return nil, fmt.Errorf("header %s=%s did not match expected secret", secretHeader, headerSecret)
 }
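Review bot: The error returned on the line after the new comparison still interpolates the caller-supplied header value into its message (`fmt.Errorf("header %s=%s did not match expected secret", secretHeader, headerSecret)`), so a mistyped, stale or misdirected secret is copied into whatever logs or responses carry this error; drop the value, e.g. `return nil, fmt.Errorf("header %s did not match expected secret", secretHeader)`. Note also that subtle.ConstantTimeCompare returns 0 immediately when the two inputs differ in length, so the new check is constant-time with respect to content only; if length leakage matters for this deployment, compare fixed-size digests of both sides (sha256.Sum256 of each) rather than the raw bytes. The `len(secret) != 0` short-circuit is pre-existing and means an unset secret disables validation entirely, which may be intended but deserves a comment on that line, e.g. `// An empty configured secret disables header validation.` ParseAndValidate begins outside the hunk.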