GitLab webhook event validator vulnerable to timing attacks

[cedws]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.

---

Overview of the Issue

I was just passing through the code and noticed that the GitLab webhook event validator code does not use a constant time comparison function to validate the webhook secret. In theory it would be possible to use a timing attack to recover this secret as an attacker and then forge webhook events. GitHub and Bitbucket event validator code is not vulnerable because they make use of HMACs as far as I can see.

The risk of this being exploited is probably fairly low so I think it's safe to report publicly like this.

atlantis/server/controllers/events/gitlab_request_parser_validator.go

Lines 62 to 67 in e153cea

	// Validate secret if specified.
	headerSecret := r.Header.Get(secretHeader)
	secretStr := string(secret)
	if len(secret) != 0 && headerSecret != secretStr {
	return nil, fmt.Errorf("header %s=%s did not match expected secret", secretHeader, headerSecret)
	}

I will follow up with a PR to fix this shortly.

[lkysow]

Thanks @cedws! In the future just a heads up that we have a different process for security issues: https://github.com/runatlantis/atlantis/blob/master/CONTRIBUTING.md#reporting-security-issues