mudhorn/n8n
1
0
Fork 0
mirror of https://github.com/n8n-io/n8n.git synced 2025-03-05 20:50:17 -08:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix(core): Use timing safe function to compare runner auth tokens (#12485)

Browse source
This commit is contained in:
Tomi Turtiainen 2025-01-09 12:52:17 +02:00 committed by GitHub
parent 7583e2ad94
commit 8fab98f3f1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 9 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
packages/cli/src/task-runners/auth/__tests__/task-runner-auth.service.test.ts
View file

@ -33,11 +33,11 @@ describe('TaskRunnerAuthService', () => {
describe('isValidAuthToken', () => { describe('isValidAuthToken', () => {
it('should be valid for the configured token', () => { it('should be valid for the configured token', () => {
expect(authService.isValidAuthToken('random-secret')); expect(authService.isValidAuthToken('random-secret')).toBe(true);
}); });
it('should be invalid for anything else', () => { it('should be invalid for anything else', () => {
expect(authService.isValidAuthToken('!random-secret')); expect(authService.isValidAuthToken('!random-secret')).toBe(false);
}); });
}); });

9
packages/cli/src/task-runners/auth/task-runner-auth.service.ts
View file

@ -1,6 +1,6 @@
import { GlobalConfig } from '@n8n/config'; import { GlobalConfig } from '@n8n/config';
import { Service } from '@n8n/di'; import { Service } from '@n8n/di';
import { randomBytes } from 'crypto'; import { randomBytes, timingSafeEqual } from 'crypto';
import { Time } from '@/constants'; import { Time } from '@/constants';
import { CacheService } from '@/services/cache/cache.service'; import { CacheService } from '@/services/cache/cache.service';
@ -9,6 +9,8 @@ const GRANT_TOKEN_TTL = 15 * Time.seconds.toMilliseconds;
@Service() @Service()
export class TaskRunnerAuthService { export class TaskRunnerAuthService {
private readonly authToken = Buffer.from(this.globalConfig.taskRunners.authToken);
constructor( constructor(
private readonly globalConfig: GlobalConfig, private readonly globalConfig: GlobalConfig,
private readonly cacheService: CacheService, private readonly cacheService: CacheService,
@ -17,7 +19,10 @@ export class TaskRunnerAuthService {
) {} ) {}
isValidAuthToken(token: string) { isValidAuthToken(token: string) {
return token === this.globalConfig.taskRunners.authToken; const tokenBuffer = Buffer.from(token);
if (tokenBuffer.length !== this.authToken.length) return false;
return timingSafeEqual(tokenBuffer, this.authToken);
} }
/** /**