[Bug] Replace String.equals with MessageDigest.isEqual

[Crispy-fried-chicken]

Search before asking

• I searched in the issues and found nothing similar.

Version

e951cd0

Minimal reproduce step

I cannot be reproduced stably

What did you expect to see?

During signature verification, no matter whether the verification is correct or not, the time spent should be the same

What did you see instead?

The time spent in signature verification will be positively correlated with the correct substring length.

Anything else?

Hi there,
​ I may have discovered a method in the newest version of pulsar, which has "Observable Timing Discrepancy" vulnerability. The vulnerability is located in the method org.apache.pulsar.broker.authentication.SaslRoleTokenSigner.verifyAndExtract(String signedStr) . The vulnerability bears similarities to a recent CVE disclosure CVE-2020-1926 in the "apache/hive" project.
The source vulnerability information is as follows:

​ Vulnerability Detail:

​ CVE Identifier: CVE-2020-1926

Description:Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. This could allow recovery of another users cookie signature. The issue was addressed in Apache Hive 2.3.8.

​ **Reference:**https://nvd.nist.gov/vuln/detail/CVE-2020-1926

​ Patch: apache/hive@ee5a6be

Vulnerability Description: The vulnerability exists within the String verifyAndExtract(String signedStr) method of the org.apache.pulsar.broker.authentication.SaslRoleTokenSigner class. It is responsible for authenticating and extracting SaslRoleToken. SaslRoleToken is a token used for authentication and authorization, which contains a signed string of information about roles and permissions.But the authentication snippet is similar to the vulnerable snippet for CVE-2020-1926 and may have the same consequence as CVE-2020-1926, where isvulnerable to timing attacks. Therefore, maybe you need to fix the vulnerability with much the same fix code as the CVE-2020-1926 patch.
Considering the potential riskes it may have, I am willing to cooperate with your to verify, address, and report the identified vulnerability promptly through responsible means. If you require any further information or assistance, please do not hesitate to reach out to me.

Are you willing to submit a PR?

• I'm willing to submit a PR!

[hpvd]

please see:
https://pulsar.apache.org/security/#security-policy

[mattisonchao]

Hi @Crispy-fried-chicken
I saw you wanna push a PR for this issue. I assigned to u and thanks for your contribution. :)

[Crispy-fried-chicken]

please see: https://pulsar.apache.org/security/#security-policy

Sorry, I didn't see this security-policy before, so I need to send another email to [email protected] and [email protected] now？

[Crispy-fried-chicken]

Hi @Crispy-fried-chicken I saw you wanna push a PR for this issue. I assigned to u and thanks for your contribution. :)

Hi @mattisonchao I've already push a PR for this issue, please check it. Thank you!

[michaeljmarshall]

please see: https://pulsar.apache.org/security/#security-policy

Sorry, I didn't see this security-policy before, so I need to send another email to [email protected] and [email protected] now？

Yes, please send an email to both addresses.

[Crispy-fried-chicken]

please see: https://pulsar.apache.org/security/#security-policy

Sorry, I didn't see this security-policy before, so I need to send another email to [email protected] and [email protected] now？

Yes, please send an email to both addresses.

OK, I've already sent the email. Besides, due to the widespread use of this component, maybe we can request a CVE-ID for this vulnerability?

[dave2wave]

@Crispy-fried-chicken Why do you continue to comment about this in public? The PMC is aware of this and will do the proper security response in due course.