github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-07 11:13:48 +00:00
Code Issues Projects Releases Wiki Activity

NCC-E003660-PCK: Non Constant-Time Comparison of Service Account Token Secrets

Browse Source
This commit is contained in:
carlory 2023-07-28 14:03:28 +08:00
parent 97c7dbcd22
commit 14251738d2
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
pkg/serviceaccount/legacy.go
View File

@ -17,8 +17,8 @@ limitations under the License.
package serviceaccount package serviceaccount
import ( import (
"bytes"
"context" "context"
"crypto/subtle"
"encoding/json" "encoding/json"
"errors" "errors"
"fmt" "fmt"
@ -124,7 +124,7 @@ func (v *legacyValidator) Validate(ctx context.Context, tokenData string, public
klog.V(4).Infof("Token is deleted and awaiting removal: %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName) klog.V(4).Infof("Token is deleted and awaiting removal: %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName)
return nil, errors.New("Token has been invalidated") return nil, errors.New("Token has been invalidated")
} }
if !bytes.Equal(secret.Data[v1.ServiceAccountTokenKey], []byte(tokenData)) { if subtle.ConstantTimeCompare(secret.Data[v1.ServiceAccountTokenKey], []byte(tokenData)) == 0 {
klog.V(4).Infof("Token contents no longer matches %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName) klog.V(4).Infof("Token contents no longer matches %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName)
return nil, errors.New("Token does not match server's copy") return nil, errors.New("Token does not match server's copy")
} }