Module: ActiveSupport::SecurityUtils

Defined in:
lib/active_support/security_utils.rb

Class Method Details

.secure_compare(a, b) ⇒ Object

Constant time string comparison.

The values compared should be of fixed length, such as strings that have already been processed by HMAC. This should not be used on variable length plaintext strings because it could leak length info via timing attacks.

# File 'lib/active_support/security_utils.rb', line 11

def secure_compare(a, b)
  # A length mismatch is the only thing this short-circuits on; callers are
  # expected to pass fixed-length digests, so the length is not secret.
  return false unless a.bytesize == b.bytesize

  l = a.unpack "C#{a.bytesize}"

  # OR together the XOR of every byte pair so the loop always runs to the end
  # regardless of where (or whether) the inputs first differ.
  res = 0
  b.each_byte { |byte| res |= byte ^ l.shift }
  res == 0
end

.variable_size_secure_compare(a, b) ⇒ Object

Marked :nodoc: (internal) in the source. Hashes both inputs with SHA-256 before calling secure_compare, so strings of different or variable length are compared as two fixed-length hex digests and the length check in secure_compare never short-circuits on the original values.

# File 'lib/active_support/security_utils.rb', line 22

def variable_size_secure_compare(a, b) # :nodoc:
  # Both digests are always 64 hex characters, so the comparison that follows
  # runs in constant time over a fixed length.
  secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
end
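As an added example (not part of Rails or of this page), the following shows how the two helpers above are meant to be used: secure_compare for two fixed-length HMAC hex digests, and variable_size_secure_compare for values whose length may vary. The module name SecureCompareDemo and the methods verify_signature and api_key_matches? are assumptions introduced here; the bodies of secure_compare and variable_size_secure_compare reproduce the logic shown on this page so the example runs without ActiveSupport.

```ruby
require "openssl"
require "digest/sha2"

# Stand-alone copy of the two helpers documented above (assumed module name).
module SecureCompareDemo
  module_function

  # Constant-time comparison of two equal-length byte strings.
  # The early return leaks only the length, which is fine for fixed-length digests.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    l = a.unpack "C#{a.bytesize}"
    res = 0
    b.each_byte { |byte| res |= byte ^ l.shift }
    res == 0
  end

  # For inputs whose length may vary, hash both sides first so the comparison
  # always runs over two 64-character hex digests.
  def variable_size_secure_compare(a, b)
    secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
  end

  # Assumed verifier: recompute the HMAC-SHA256 tag for +message+ under +secret+
  # and compare it with the caller-supplied +tag+. Both tags are fixed-length
  # hex digests, so secure_compare is the right primitive here.
  def verify_signature(secret, message, tag)
    expected = OpenSSL::HMAC.hexdigest("SHA256", secret, message)
    secure_compare(expected, tag.to_s)
  end

  # Assumed scenario: a stored plaintext API key of arbitrary length. Hashing
  # before comparing keeps the length of the stored key out of the timing.
  def api_key_matches?(stored_key, presented_key)
    variable_size_secure_compare(stored_key, presented_key.to_s)
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample values for a quick run.
  secret = "constructed-demo-secret"
  message = "order_id=42&amount=1000"
  tag = OpenSSL::HMAC.hexdigest("SHA256", secret, message)
  puts SecureCompareDemo.verify_signature(secret, message, tag)          # true
  puts SecureCompareDemo.verify_signature(secret, message + "0", tag)    # false
  puts SecureCompareDemo.api_key_matches?("sk_demo_123", "sk_demo_123") # true
end
```

The distinction to keep in mind: secure_compare is safe whenever both inputs are the same fixed length by construction (HMAC tags, SHA-256 digests); when an attacker-supplied value is compared against a secret whose length is itself sensitive, route it through variable_size_secure_compare instead.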