fix(login): fix vulnerbility for timing attacks

closes #3760
2025-02-25 18:55:37 -06:00 · 2016-01-18 08:38:32 +01:00 · 2016-01-18 08:38:32 +01:00 · 053868f593
commit 053868f593
parent 317c5ba88d
1 changed files with 2 additions and 1 deletions
--- a/pkg/login/auth.go
+++ b/pkg/login/auth.go
@ -3,6 +3,7 @@ package login
 import (
 	"errors"

+	"crypto/subtle"
 	"github.com/grafana/grafana/pkg/bus"
 	m "github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/setting"
@ -56,7 +57,7 @@ func loginUsingGrafanaDB(query *LoginUserQuery) error {
 	user := userQuery.Result

 	passwordHashed := util.EncodePassword(query.Password, user.Salt)
-	if passwordHashed != user.Password {
+	if subtle.ConstantTimeCompare([]byte(passwordHashed), []byte(user.Password)) != 1 {
 		return ErrInvalidCredentials
 	}