fix: timing-unsafe bootstrap_token comparison

2026-03-18 11:02:09 +00:00 · 2026-02-27 14:24:17 +08:00
parent f41a875e13
commit c0c9975be3
1 changed files with 5 additions and 1 deletions
--- a/apps/common/permissions.py
+++ b/apps/common/permissions.py
@@ -1,5 +1,6 @@
 # -*- coding: utf-8 -*-
 #
+import hmac
 import time

 from django.conf import settings
@@ -48,7 +49,10 @@ class WithBootstrapToken(permissions.BasePermission):
            return False

        request_bootstrap_token = authorization.split()[-1]
-        return settings.BOOTSTRAP_TOKEN == request_bootstrap_token
+        return hmac.compare_digest(
+            settings.BOOTSTRAP_TOKEN.encode(),
+            request_bootstrap_token.encode()
+        )


 class ServiceAccountSignaturePermission(permissions.BasePermission):