From 14251738d214e8d2ba57ae44d840265522b7923a Mon Sep 17 00:00:00 2001
From: carlory
Date: Fri, 28 Jul 2023 14:03:28 +0800
Subject: [PATCH] NCC-E003660-PCK: Non Constant-Time Comparison of Service Account Token Secrets

---
 pkg/serviceaccount/legacy.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/serviceaccount/legacy.go b/pkg/serviceaccount/legacy.go
index 9fbc6639c64..70ea20be774 100644
--- a/pkg/serviceaccount/legacy.go
+++ b/pkg/serviceaccount/legacy.go
@@ -17,8 +17,8 @@ limitations under the License.
 package serviceaccount
 
 import (
-	"bytes"
 	"context"
+	"crypto/subtle"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -124,7 +124,7 @@ func (v *legacyValidator) Validate(ctx context.Context, tokenData string, public
 			klog.V(4).Infof("Token is deleted and awaiting removal: %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName)
 			return nil, errors.New("Token has been invalidated")
 		}
-		if !bytes.Equal(secret.Data[v1.ServiceAccountTokenKey], []byte(tokenData)) {
+		if subtle.ConstantTimeCompare(secret.Data[v1.ServiceAccountTokenKey], []byte(tokenData)) == 0 {
 			klog.V(4).Infof("Token contents no longer matches %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName)
 			return nil, errors.New("Token does not match server's copy")
 		}
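Review bot: The new `subtle.ConstantTimeCompare` line in the second hunk has no comment saying why the constant-time form is required here, so a later cleanup could swap it back to `bytes.Equal` (which `go vet` and the compiler would happily accept) and silently reintroduce the finding named in the subject. I would add, directly above the `if`: `// Compare against the stored secret in constant time so response timing cannot leak how much of the presented token matches the server's copy.` Note also that `subtle.ConstantTimeCompare` returns 0 immediately when the two lengths differ, so only the contents are compared in constant time, not the length; that is presumably acceptable for these tokens, but it is worth stating in the same comment so nobody assumes a stronger guarantee. Validate's body starts and ends outside this hunk, so I cannot confirm from here that `bytes` is not still referenced elsewhere in legacy.go after the import removal in the first hunk.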