Module: ActiveSupport::SecurityUtils

Included in:: SecureCompareRotator

Defined in:: lib/active_support/security_utils.rb

Class Method Summary collapse

.fixed_length_secure_compare(a, b) ⇒ Object
.secure_compare(a, b) ⇒ Object

Secure string comparison for strings of variable length.

Class Method Details

.fixed_length_secure_compare(a, b) ⇒ `Object`

Raises:

(ArgumentError)



11
12
13

# File 'lib/active_support/security_utils.rb', line 11

def fixed_length_secure_compare(a, b)
  OpenSSL.fixed_length_secure_compare(a, b)
end

.secure_compare(a, b) ⇒ `Object`

Secure string comparison for strings of variable length.

While a timing attack would not be able to discern the content of a secret compared via secure_compare, it is possible to determine the secret length. This should be considered when using secure_compare to compare weak, short secrets to user input.



33
34
35

# File 'lib/active_support/security_utils.rb', line 33

def secure_compare(a, b)
  a.bytesize == b.bytesize && fixed_length_secure_compare(a, b)
end

Module: ActiveSupport::SecurityUtils

Class Method Summary collapse

Class Method Details

.fixed_length_secure_compare(a, b) ⇒ Object

.secure_compare(a, b) ⇒ Object

.fixed_length_secure_compare(a, b) ⇒ `Object`

.secure_compare(a, b) ⇒ `Object`