fix(core): Use timing safe function to compare runner auth tokens (#12485)

2025-03-05 20:50:17 -08:00 · 2025-01-09 12:52:17 +02:00 · 2025-01-09 12:52:17 +02:00 · 8fab98f3f1
parent 7583e2ad94
commit 8fab98f3f1
2 changed files with 9 additions and 4 deletions
--- a/packages/cli/src/task-runners/auth/tests/task-runner-auth.service.test.ts
+++ b/packages/cli/src/task-runners/auth/tests/task-runner-auth.service.test.ts
@ -33,11 +33,11 @@ describe('TaskRunnerAuthService', () => {

 	describe('isValidAuthToken', () => {
 		it('should be valid for the configured token', () => {
-			expect(authService.isValidAuthToken('random-secret'));
+			expect(authService.isValidAuthToken('random-secret')).toBe(true);
 		});

 		it('should be invalid for anything else', () => {
-			expect(authService.isValidAuthToken('!random-secret'));
+			expect(authService.isValidAuthToken('!random-secret')).toBe(false);
 		});
 	});

--- a/packages/cli/src/task-runners/auth/task-runner-auth.service.ts
+++ b/packages/cli/src/task-runners/auth/task-runner-auth.service.ts
@ -1,6 +1,6 @@
 import { GlobalConfig } from '@n8n/config';
 import { Service } from '@n8n/di';
-import { randomBytes } from 'crypto';
+import { randomBytes, timingSafeEqual } from 'crypto';

 import { Time } from '@/constants';
 import { CacheService } from '@/services/cache/cache.service';
@ -9,6 +9,8 @@ const GRANT_TOKEN_TTL = 15 * Time.seconds.toMilliseconds;

@Service()
 export class TaskRunnerAuthService {
+	private readonly authToken = Buffer.from(this.globalConfig.taskRunners.authToken);
+
 	constructor(
 		private readonly globalConfig: GlobalConfig,
 		private readonly cacheService: CacheService,
@ -17,7 +19,10 @@ export class TaskRunnerAuthService {
 	) {}

 	isValidAuthToken(token: string) {
-		return token === this.globalConfig.taskRunners.authToken;
+		const tokenBuffer = Buffer.from(token);
+		if (tokenBuffer.length !== this.authToken.length) return false;
+
+		return timingSafeEqual(tokenBuffer, this.authToken);
 	}

 	/**