From a3f69952c0a29f02908d9290f827571d59d7681c Mon Sep 17 00:00:00 2001
From: Boshi Lian
Date: Mon, 21 Oct 2024 02:46:19 -0700
Subject: [PATCH] Refactor code to use subtle.ConstantTimeCompare for secure comparison (#466)
* Refactor code to use subtle.ConstantTimeCompare for secure comparison
* Refactor code to use subtle.ConstantTimeCompare for secure comparison
---
 plugin/docker/docker.go | 4 ++--
 plugin/internal/workingdir/workingdir.go | 4 ++--
 plugin/kubernetes/kubernetes.go | 3 ++-
 plugin/yaml/yaml.go | 3 ++-
 4 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/plugin/docker/docker.go b/plugin/docker/docker.go
index 6e1d69b63..2e6c3eb19 100644
--- a/plugin/docker/docker.go
+++ b/plugin/docker/docker.go
@@ -3,8 +3,8 @@ package main
 import (
- "bytes"
 "context"
+ "crypto/subtle"
 "encoding/base64"
 "fmt"
 "net"
@@ -211,7 +211,7 @@ func (p *plugin) findAndCreateUpstream(conn libplugin.ConnMetadata, password str
 return nil, err
 }
- if bytes.Equal(authedPubkey.Marshal(), publicKey) {
+ if subtle.ConstantTimeCompare(authedPubkey.Marshal(), publicKey) == 1 {
 return p.createUpstream(conn, pipe, "")
 }
 }
diff --git a/plugin/internal/workingdir/workingdir.go b/plugin/internal/workingdir/workingdir.go
index f17f619d8..93c4d4d09 100644
--- a/plugin/internal/workingdir/workingdir.go
+++ b/plugin/internal/workingdir/workingdir.go
@@ -2,7 +2,7 @@ package workingdir
 import (
 "bufio"
- "bytes"
+ "crypto/subtle"
 "fmt"
 "os"
 "path"
@@ -60,7 +60,7 @@ func (w *Workingdir) Mapkey(pub []byte) ([]byte, error) {
 return nil, err
 }
- if bytes.Equal(authedPubkey.Marshal(), pub) {
+ if subtle.ConstantTimeCompare(authedPubkey.Marshal(), pub) == 1 {
 log.Infof("found mapping key %v", w.fullpath(userKeyFile))
 return w.Readfile(userKeyFile)
 }
diff --git a/plugin/kubernetes/kubernetes.go b/plugin/kubernetes/kubernetes.go
index 9273c6ab7..caf84947e 100644
--- a/plugin/kubernetes/kubernetes.go
+++ b/plugin/kubernetes/kubernetes.go
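Review bot: On the `subtle.ConstantTimeCompare` line in docker.go's findAndCreateUpstream, both operands are public keys (the authorized key's `Marshal()` output and the caller-supplied `publicKey`), so the constant-time compare is defense in depth against learning how far a probe matches an authorized key rather than protection of a secret, and a reader skimming the commit title could take it for the latter. If, as the nested closing braces suggest, this sits in a loop over authorized keys, the early `return` on match still makes timing vary with the matched key's position, so the guarantee is narrower than "constant-time" implies; a one-line comment would set expectations: `// Constant-time compare is defense in depth: both sides are public keys, but this avoids leaking how far a probe matches an authorized key.` The same change and the same observation apply to the `Mapkey` hunk in workingdir.go and to the kubernetes.go and yaml.go hunks, whose compare-and-return bodies are identical to this one, so a single shared helper in libplugin would keep the four copies from drifting. findAndCreateUpstream starts and ends outside the hunk.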
@@ -3,6 +3,7 @@ package main
 import (
 "bytes"
 "context"
+ "crypto/subtle"
 "encoding/base64"
 "fmt"
 "os"
@@ -295,7 +296,7 @@ func (p *plugin) findAndCreateUpstream(conn libplugin.ConnMetadata, password str
 return nil, err
 }
- if bytes.Equal(authedPubkey.Marshal(), publicKey) {
+ if subtle.ConstantTimeCompare(authedPubkey.Marshal(), publicKey) == 1 {
 return p.createUpstream(conn, pipe, "")
 }
 }
diff --git a/plugin/yaml/yaml.go b/plugin/yaml/yaml.go
index 2cb7a52ec..53c5f5c8e 100644
--- a/plugin/yaml/yaml.go
+++ b/plugin/yaml/yaml.go
@@ -4,6 +4,7 @@ package main
 import (
 "bytes"
+ "crypto/subtle"
 "encoding/base64"
 "fmt"
 "os"
@@ -329,7 +330,7 @@ func (p *plugin) findAndCreateUpstream(conn libplugin.ConnMetadata, password str
 return nil, err
 }
- if bytes.Equal(authedPubkey.Marshal(), publicKey) {
+ if subtle.ConstantTimeCompare(authedPubkey.Marshal(), publicKey) == 1 {
 return p.createUpstream(conn, pipe.To, "")
 }
 }