CSA-29: Time safe comparison for access code (#2431)

* time safe comparison for access code * remove whitespace
2025-04-05 21:18:13 -05:00 · 2022-11-22 15:32:21 -05:00 · 2022-11-22 15:32:21 -05:00 · 41ee3d4c69
commit 41ee3d4c69
parent d8834793b5
2 changed files with 4 additions and 2 deletions
--- a/src/Api/Controllers/AuthRequestsController.cs
+++ b/src/Api/Controllers/AuthRequestsController.cs
@ -6,6 +6,7 @@ using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
+using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;

@ -68,7 +69,7 @@ public class AuthRequestsController : Controller
    public async Task<AuthRequestResponseModel> GetResponse(string id, [FromQuery] string code)
    {
        var authRequest = await _authRequestRepository.GetByIdAsync(new Guid(id));
-        if (authRequest == null || code != authRequest.AccessCode || authRequest.GetExpirationDate() < DateTime.UtcNow)
+        if (authRequest == null || !CoreHelpers.FixedTimeEquals(authRequest.AccessCode, code) || authRequest.GetExpirationDate() < DateTime.UtcNow)
        {
            throw new NotFoundException();
        }
--- a/src/Core/LoginFeatures/PasswordlessLogin/VerifyAuthRequest.cs
+++ b/src/Core/LoginFeatures/PasswordlessLogin/VerifyAuthRequest.cs
@ -1,5 +1,6 @@
 using Bit.Core.LoginFeatures.PasswordlessLogin.Interfaces;
 using Bit.Core.Repositories;
+using Bit.Core.Utilities;

 namespace Bit.Core.LoginFeatures.PasswordlessLogin;

@ -15,7 +16,7 @@ public class VerifyAuthRequestCommand : IVerifyAuthRequestCommand
    public async Task<bool> VerifyAuthRequestAsync(Guid authRequestId, string accessCode)
    {
        var authRequest = await _authRequestRepository.GetByIdAsync(authRequestId);
-        if (authRequest == null || authRequest.AccessCode != accessCode)
+        if (authRequest == null || !CoreHelpers.FixedTimeEquals(authRequest.AccessCode, accessCode))
        {
            return false;
        }