Self service: fix timing attack

Al2Klimov · Al2Klimov · commit c08705da4bee · 2025-10-13T11:29:51.000+02:00
Compare icinga_host.api_key ("known_string") via hash_equals().
diff --git a/library/Director/Objects/IcingaHost.php b/library/Director/Objects/IcingaHost.php
@@ -585,13 +585,15 @@ public static function loadWithApiKey($key, Db $db)
         $query = $db->getDbAdapter()
             ->select()
             ->from('icinga_host')
-            ->where('api_key = ?', $key);
+            ->where('api_key IS NOT NULL')
+            ->query();
 
-        $result = self::loadAll($db, $query);
-        if (count($result) !== 1) {
-            throw new NotFoundError('Got invalid API key "%s"', $key);
+        foreach ($query as $row) {
+            if (hash_equals($row->api_key, $key)) {
+                return (new static())->setConnection($db)->setDbProperties($row);
+            }
         }
 
-        return current($result);
+        throw new NotFoundError('Got invalid API key "%s"', $key);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -585,13 +585,15 @@ public static function loadWithApiKey($key, Db $db)`
`585`	`585`	`$query = $db->getDbAdapter()`
`586`	`586`	`->select()`
`587`	`587`	`->from('icinga_host')`
`588`		`- ->where('api_key = ?', $key);`
	`588`	`+ ->where('api_key IS NOT NULL')`
	`589`	`+ ->query();`
`589`	`590`
`590`		`- $result = self::loadAll($db, $query);`
`591`		`- if (count($result) !== 1) {`
`592`		`- throw new NotFoundError('Got invalid API key "%s"', $key);`
	`591`	`+ foreach ($query as $row) {`
	`592`	`+ if (hash_equals($row->api_key, $key)) {`
	`593`	`+ return (new static())->setConnection($db)->setDbProperties($row);`
	`594`	`+ }`
`593`	`595`	`}`
`594`	`596`
`595`		`- return current($result);`
	`597`	`+ throw new NotFoundError('Got invalid API key "%s"', $key);`
`596`	`598`	`}`
`597`	`599`	`}`