From fc610c182e73cdff2534bef91ce0385b06befacf Mon Sep 17 00:00:00 2001
From: James Lopez
Date: Tue, 8 Mar 2016 15:57:45 +0100
Subject: [PATCH] add SHA256 to secure_compare
---
 app/models/project.rb | 4 ++--
 app/models/project_services/ci_service.rb | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/app/models/project.rb b/app/models/project.rb
index c0f2ab91fa4..3451779e18d 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -908,13 +908,13 @@ class Project < ActiveRecord::Base
 end
 def valid_runners_token? token
- self.runners_token && ActiveSupport::SecurityUtils.secure_compare(token, self.runners_token)
+ self.runners_token && ActiveSupport::SecurityUtils.variable_size_secure_compare(token, self.runners_token)
 end
 # TODO (ayufan): For now we use runners_token (backward compatibility)
 # In 8.4 every build will have its own individual token valid for time of build
 def valid_build_token? token
- self.builds_enabled? && self.runners_token && ActiveSupport::SecurityUtils.secure_compare(token, self.runners_token)
+ self.builds_enabled? && self.runners_token && ActiveSupport::SecurityUtils.variable_size_secure_compare(token, self.runners_token)
 end
 def build_coverage_enabled?
diff --git a/app/models/project_services/ci_service.rb b/app/models/project_services/ci_service.rb
index f328deda354..d9f0849d147 100644
--- a/app/models/project_services/ci_service.rb
+++ b/app/models/project_services/ci_service.rb
@@ -26,7 +26,7 @@ class CiService < Service
 default_value_for :category, 'ci'
 def valid_token?(token)
- self.respond_to?(:token) && self.token.present? && ActiveSupport::SecurityUtils.secure_compare(token, self.token)
+ self.respond_to?(:token) && self.token.present? && ActiveSupport::SecurityUtils.variable_size_secure_compare(token, self.token)
 end
 def supported_events
--
GitLab
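Review bot: Both predicates in app/models/project.rb guard only the stored `self.runners_token`, by plain truthiness, and hand the caller-supplied `token` to the comparison unchecked. An empty-string `runners_token` would pass that guard and then match an empty supplied token, and a nil `token` would presumably raise inside the digest step instead of returning false. Whether either case can occur depends on callers and callbacks outside this hunk. Using the `present?` check that ci_service.rb already applies to its stored token would cover both: `token.present? && self.runners_token.present? && ActiveSupport::SecurityUtils.variable_size_secure_compare(token, self.runners_token)`. `valid_token?` in app/models/project_services/ci_service.rb leaves its `token` argument unchecked in the same way.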
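Review bot: Nothing next to `valid_token?` records why the variable-size variant is required, and the subject line "add SHA256 to secure_compare" does not explain it either. A comment above the method such as `# Compare SHA256 digests of both values so a length mismatch cannot return early and reveal the token length through timing` would keep a later cleanup from reverting to the plain call. The same call is now spelled out three times across project.rb and ci_service.rb. A small shared helper would keep those sites consistent, which matters if the ActiveSupport method is renamed; as far as I know, later releases fold this behaviour into `secure_compare`.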