[PR #3452] [MERGED] use constant time comparison #4750

Closed
opened 2026-05-05 14:48:02 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/fatedier/frp/pull/3452
Author: @fatedier
Created: 5/28/2023
Status: Merged
Merged: 5/28/2023
Merged by: @fatedier

Base: dev ← Head: pwd


📝 Commits (1)

  • 3d32e28 use constant time comparison

📊 Changes

11 files changed (+45 additions, -35 deletions)


📝 client/admin.go (+1 -1)
📝 pkg/auth/token.go (+6 -6)
📝 pkg/nathole/controller.go (+1 -1)
📝 pkg/plugin/client/http_proxy.go (+5 -1)
📝 pkg/plugin/client/static_file.go (+2 -1)
📝 pkg/util/net/http.go (+16 -16)
📝 pkg/util/util/util.go (+5 -0)
📝 server/dashboard.go (+1 -1)
📝 test/e2e/framework/framework.go (+4 -4)
📝 test/e2e/framework/process.go (+2 -2)
📝 test/e2e/pkg/port/port.go (+2 -2)

📄 Description

Summary

🤖 Generated by Copilot at 920ea05

This pull request enhances the security of frp by using constant time string comparisons and adding delays for authentication failures in various components. It also improves the error logging and test execution time for the e2e tests. The affected components include the token auth setter verifier, the http_proxy and static_file plugins, the HTTPAuthMiddleware, the admin and dashboard servers, and the xtcp controller.

WHY

Walkthrough

🤖 Generated by Copilot at 920ea05

  • Prevent timing attacks and brute force attacks on authentication by using constant time string comparison and adding delays for invalid credentials
  • Add a delay of 200 milliseconds to the HTTP authentication middleware for the admin.go, static_file.go, and dashboard.go files
  • Add the time and util packages to the imports for the http_proxy.go, static_file.go, and net/http.go files
  • Add a field and a method for setting the authentication failure delay to the HTTP authentication middleware struct in net/http.go
  • Replace the string comparison with a constant time string comparison for verifying the basic authentication credentials in the http_proxy.go and net/http.go files
  • Add the subtle package to the imports and a function for constant time string comparison to the util/util.go file
  • Replace the string comparison with a constant time string comparison for verifying the token in the token.go file and the sign key in the controller.go file
  • Reduce the sleep time after starting the server and client processes for the tests in process.go
  • Print the error and standard output of the server and client processes after each test in framework.go

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
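The two mechanisms the walkthrough describes, a constant-time string comparison built on the `subtle` package and an HTTP Basic auth middleware that pauses for a configurable delay before rejecting bad credentials, can be shown end to end in a few dozen lines. The following is an added example written for this page, not frp's own code; the type and method names (`HTTPAuthMiddleware`, `SetAuthFailDelay`, `ConstantTimeEqString`), the pass-through when no credentials are configured, and the `ProbeStatus` helper are assumptions made for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// ConstantTimeEqString reports whether a == b without leaking, through
// response timing, how many leading bytes matched. subtle.ConstantTimeCompare
// returns 1 only when both slices have the same length and content. Note that
// it returns early on a length mismatch, so the length of the secret is still
// observable; this is acceptable when the length itself is not sensitive.
func ConstantTimeEqString(a, b string) bool {
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

// HTTPAuthMiddleware guards an http.Handler with HTTP Basic auth. On a failed
// check it sleeps for authFailDelay before answering, so every wrong guess
// costs the caller at least that much wall-clock time. This is an assumed
// design modelled on the PR description, not frp's implementation.
type HTTPAuthMiddleware struct {
	user          string
	passwd        string
	authFailDelay time.Duration
}

func NewHTTPAuthMiddleware(user, passwd string) *HTTPAuthMiddleware {
	return &HTTPAuthMiddleware{user: user, passwd: passwd}
}

// SetAuthFailDelay configures the pause applied to every rejected request.
func (m *HTTPAuthMiddleware) SetAuthFailDelay(d time.Duration) *HTTPAuthMiddleware {
	m.authFailDelay = d
	return m
}

// Authorized checks the supplied credentials. Both fields are compared in
// constant time and both comparisons run before the results are combined,
// so a correct user name alone does not shorten the check.
func (m *HTTPAuthMiddleware) Authorized(user, passwd string) bool {
	userOK := ConstantTimeEqString(m.user, user)
	passOK := ConstantTimeEqString(m.passwd, passwd)
	return userOK && passOK
}

// Middleware wraps next; it passes through when no credentials are configured
// (assumed behaviour), otherwise it requires a matching Basic auth header.
func (m *HTTPAuthMiddleware) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if m.user == "" && m.passwd == "" {
			next.ServeHTTP(w, r)
			return
		}
		user, passwd, hasAuth := r.BasicAuth()
		if !hasAuth || !m.Authorized(user, passwd) {
			if m.authFailDelay > 0 {
				time.Sleep(m.authFailDelay) // slow down online guessing
			}
			w.Header().Set("WWW-Authenticate", `Basic realm="restricted"`)
			http.Error(w, "401 Unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ProbeStatus sends one in-memory request with the given credentials through
// the middleware and returns the status code and the time the handler took,
// which makes the failure delay observable without a real listener.
func ProbeStatus(m *HTTPAuthMiddleware, user, passwd string) (int, time.Duration) {
	h := m.Middleware(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, "/api/status", nil) // constructed request
	req.SetBasicAuth(user, passwd)
	rec := httptest.NewRecorder()
	start := time.Now()
	h.ServeHTTP(rec, req)
	return rec.Code, time.Since(start)
}

func main() {
	m := NewHTTPAuthMiddleware("admin", "s3cret").SetAuthFailDelay(200 * time.Millisecond)
	code, took := ProbeStatus(m, "admin", "wrong")
	fmt.Printf("bad password:  %d after %v\n", code, took)
	code, took = ProbeStatus(m, "admin", "s3cret")
	fmt.Printf("good password: %d after %v\n", code, took)
}
```

The delay is a brute-force mitigation, not a timing-attack one: it is applied uniformly to every rejection, so it does not mask the comparison itself, which is why the constant-time compare is still needed underneath it. Because the sleep holds a goroutine per rejected request, a server exposed to many concurrent guesses should pair it with connection or rate limits rather than rely on the delay alone.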

Reference: github-starred/frp#4750