From 2b1b070fdaf9c1cb31937dce5acf868e666d2aee Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Fri, 5 Aug 2022 21:30:08 -0700
Subject: [PATCH] zilencer: Check remote server API keys with constant-time comparison.

Signed-off-by: Anders Kaseorg
---
 zerver/decorator.py | 3 ++-
 zilencer/views.py | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/zerver/decorator.py b/zerver/decorator.py
index 4eca07fb70..904fca6130 100644
--- a/zerver/decorator.py
+++ b/zerver/decorator.py
@@ -30,6 +30,7 @@ from django.http import HttpRequest, HttpResponse, HttpResponseRedirect, QueryDi
 from django.http.multipartparser import MultiPartParser
 from django.shortcuts import resolve_url
 from django.template.response import SimpleTemplateResponse, TemplateResponse
+from django.utils.crypto import constant_time_compare
 from django.utils.timezone import now as timezone_now
 from django.utils.translation import gettext as _
 from django.views.decorators.csrf import csrf_exempt
@@ -284,7 +285,7 @@ def validate_api_key(
 remote_server = get_remote_server_by_uuid(role)
 except RemoteZulipServer.DoesNotExist:
 raise InvalidZulipServerError(role)
- if api_key != remote_server.api_key:
+ if not constant_time_compare(api_key, remote_server.api_key):
 raise InvalidZulipServerKeyError(role)
 
 if remote_server.deactivated:
diff --git a/zilencer/views.py b/zilencer/views.py
index 55c65187a2..8e471decd3 100644
--- a/zilencer/views.py
+++ b/zilencer/views.py
@@ -9,6 +9,7 @@ from django.db import IntegrityError, transaction
 from django.db.models import Model
 from django.http import HttpRequest, HttpResponse
 from django.utils import timezone
+from django.utils.crypto import constant_time_compare
 from django.utils.translation import gettext as _
 from django.utils.translation import gettext as err_
 from django.views.decorators.csrf import csrf_exempt
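Review bot: The new `if not constant_time_compare(api_key, remote_server.api_key):` line in validate_api_key carries no comment saying why plain `!=` was rejected, so a later cleanup could silently reintroduce the timing side channel; add `# Constant-time comparison: the time taken by str != must not reveal how many leading bytes of the stored key matched.` above it, and the same comment applies to the matching line in the register_remote_server hunk of zilencer/views.py. Django's constant_time_compare hands both values to a compare_digest-style primitive, which is documented to still reveal a length mismatch, so the protection assumes remote server API keys are fixed-length — that cannot be confirmed from this hunk and is worth a word in the comment if true. The unknown-UUID path above already raises a different exception class (InvalidZulipServerError rather than InvalidZulipServerKeyError), so whether a server UUID exists stays distinguishable by design; this change protects only the key bytes, and the comment should not overstate it. validate_api_key begins and ends outside the hunk.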
@@ -139,7 +140,7 @@ def register_remote_server(
 event_time=remote_server.last_updated,
 )
 else:
- if remote_server.api_key != zulip_org_key:
+ if not constant_time_compare(remote_server.api_key, zulip_org_key):
 raise InvalidZulipServerKeyError(zulip_org_id)
 else:
 remote_server.hostname = hostname
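Review bot: The argument order on the new line, `constant_time_compare(remote_server.api_key, zulip_org_key)`, is the reverse of the zerver/decorator.py hunk's `constant_time_compare(api_key, remote_server.api_key)`; the result is identical, but putting the caller-supplied value first at both sites reads as "does the presented key match the stored one" and keeps the two checks greppable as one pattern, i.e. `if not constant_time_compare(zulip_org_key, remote_server.api_key):`. Nothing in the visible lines names this as the authentication step for an existing server — only the surrounding `else:` branches hint at it — so a short why-comment on the comparison would help the next reader as much as the constant-time call itself. register_remote_server begins and ends outside the hunk.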