From 7cc7b84eaf4e8cf779444115b82293dbdc29939a Mon Sep 17 00:00:00 2001
From: Kyle Spearrin <kspearrin@users.noreply.github.com>
Date: Mon, 8 Nov 2021 15:55:42 -0500
Subject: [PATCH] use fixed-time comparison of secrets (#1698)

---
 src/Api/Utilities/ApiHelpers.cs                  | 5 +++--
 src/Billing/Controllers/AppleController.cs       | 3 ++-
 src/Billing/Controllers/BitPayController.cs      | 2 +-
 src/Billing/Controllers/FreshdeskController.cs   | 3 ++-
 src/Billing/Controllers/PayPalController.cs      | 3 ++-
 src/Billing/Controllers/StripeController.cs      | 2 +-
 src/Core/Services/Implementations/UserService.cs | 2 +-
 src/Core/Utilities/CoreHelpers.cs                | 6 ++++++
 8 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/src/Api/Utilities/ApiHelpers.cs b/src/Api/Utilities/ApiHelpers.cs
index 689b2e1e87..83677bf8e0 100644
--- a/src/Api/Utilities/ApiHelpers.cs
+++ b/src/Api/Utilities/ApiHelpers.cs
@@ -1,4 +1,5 @@
-using Microsoft.AspNetCore.Http;
+using Bit.Core.Utilities;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Azure.EventGrid;
 using Microsoft.Azure.EventGrid.Models;
@@ -48,7 +49,7 @@ namespace Bit.Api.Utilities
         {
             var queryKey = request.Query["key"];
 
-            if (queryKey != EventGridKey)
+            if (!CoreHelpers.FixedTimeEquals(queryKey, EventGridKey))
             {
                 return new UnauthorizedObjectResult("Authentication failed. Please use a valid key.");
             }
diff --git a/src/Billing/Controllers/AppleController.cs b/src/Billing/Controllers/AppleController.cs
index c6d29f27fe..d10a0810db 100644
--- a/src/Billing/Controllers/AppleController.cs
+++ b/src/Billing/Controllers/AppleController.cs
@@ -1,4 +1,5 @@
 using Bit.Core;
+using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
@@ -34,7 +35,7 @@ namespace Bit.Billing.Controllers
 
             var key = HttpContext.Request.Query.ContainsKey("key") ?
                 HttpContext.Request.Query["key"].ToString() : null;
-            if (key != _billingSettings.AppleWebhookKey)
+            if (!CoreHelpers.FixedTimeEquals(key, _billingSettings.AppleWebhookKey))
             {
                 return new BadRequestResult();
             }
diff --git a/src/Billing/Controllers/BitPayController.cs b/src/Billing/Controllers/BitPayController.cs
index 906f738bf8..f0481e814c 100644
--- a/src/Billing/Controllers/BitPayController.cs
+++ b/src/Billing/Controllers/BitPayController.cs
@@ -49,7 +49,7 @@ namespace Bit.Billing.Controllers
         [HttpPost("ipn")]
         public async Task<IActionResult> PostIpn([FromBody] BitPayEventModel model, [FromQuery] string key)
         {
-            if (key != _billingSettings.BitPayWebhookKey)
+            if (!CoreHelpers.FixedTimeEquals(key, _billingSettings.BitPayWebhookKey))
             {
                 return new BadRequestResult();
             }
diff --git a/src/Billing/Controllers/FreshdeskController.cs b/src/Billing/Controllers/FreshdeskController.cs
index 2a3ec38e4c..c8a1d83787 100644
--- a/src/Billing/Controllers/FreshdeskController.cs
+++ b/src/Billing/Controllers/FreshdeskController.cs
@@ -14,6 +14,7 @@ using System.Threading.Tasks;
 using System.ComponentModel.DataAnnotations;
 
 using Bit.Core.Settings;
+using Bit.Core.Utilities;
 
 namespace Bit.Billing.Controllers
 {
@@ -57,7 +58,7 @@ namespace Bit.Billing.Controllers
 
             var key = HttpContext.Request.Query.ContainsKey("key") ?
                 HttpContext.Request.Query["key"].ToString() : null;
-            if (key != _billingSettings.FreshdeskWebhookKey)
+            if (!CoreHelpers.FixedTimeEquals(key, _billingSettings.FreshdeskWebhookKey))
             {
                 return new BadRequestResult();
             }
diff --git a/src/Billing/Controllers/PayPalController.cs b/src/Billing/Controllers/PayPalController.cs
index b21a071e8b..b519cce092 100644
--- a/src/Billing/Controllers/PayPalController.cs
+++ b/src/Billing/Controllers/PayPalController.cs
@@ -3,6 +3,7 @@ using Bit.Core.Enums;
 using Bit.Core.Models.Table;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
+using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
@@ -56,7 +57,7 @@ namespace Bit.Billing.Controllers
 
             var key = HttpContext.Request.Query.ContainsKey("key") ?
                 HttpContext.Request.Query["key"].ToString() : null;
-            if (key != _billingSettings.PayPal.WebhookKey)
+            if (!CoreHelpers.FixedTimeEquals(key, _billingSettings.PayPal.WebhookKey))
             {
                 _logger.LogWarning("PayPal webhook key is incorrect or does not exist.");
                 return new BadRequestResult();
diff --git a/src/Billing/Controllers/StripeController.cs b/src/Billing/Controllers/StripeController.cs
index 12a4c5c97c..e3c66b2a73 100644
--- a/src/Billing/Controllers/StripeController.cs
+++ b/src/Billing/Controllers/StripeController.cs
@@ -80,7 +80,7 @@ namespace Bit.Billing.Controllers
         [HttpPost("webhook")]
         public async Task<IActionResult> PostWebhook([FromQuery] string key)
         {
-            if (key != _billingSettings.StripeWebhookKey)
+            if (!CoreHelpers.FixedTimeEquals(key, _billingSettings.StripeWebhookKey))
             {
                 return new BadRequestResult();
             }
diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
index 70ade91cfc..5e1cc14e7f 100644
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -893,7 +893,7 @@ namespace Bit.Core.Services
                 return false;
             }
 
-            if (string.Compare(user.TwoFactorRecoveryCode, recoveryCode, true) != 0)
+            if (!CoreHelpers.FixedTimeEquals(user.TwoFactorRecoveryCode, recoveryCode))
             {
                 return false;
             }
diff --git a/src/Core/Utilities/CoreHelpers.cs b/src/Core/Utilities/CoreHelpers.cs
index 18193bb1b6..5f7154d53c 100644
--- a/src/Core/Utilities/CoreHelpers.cs
+++ b/src/Core/Utilities/CoreHelpers.cs
@@ -921,5 +921,11 @@ namespace Bit.Core.Utilities
                 return text;
             }
         }
+
+        public static bool FixedTimeEquals(string input1, string input2)
+        {
+            return CryptographicOperations.FixedTimeEquals(
+                Encoding.UTF8.GetBytes(input1), Encoding.UTF8.GetBytes(input2));
+        }
     }
 }