fix(core): Use timing safe function to compare runner auth tokens (#12485)

packages/cli/src/task-runners/auth/__tests__/task-runner-auth.service.test.ts

@@ -33,11 +33,11 @@ describe('TaskRunnerAuthService', () => {
 
 	describe('isValidAuthToken', () => {
 		it('should be valid for the configured token', () => {
-			expect(authService.isValidAuthToken('random-secret'));
+			expect(authService.isValidAuthToken('random-secret')).toBe(true);
 		});
 
 		it('should be invalid for anything else', () => {
-			expect(authService.isValidAuthToken('!random-secret'));
+			expect(authService.isValidAuthToken('!random-secret')).toBe(false);
 		});
 	});
 

packages/cli/src/task-runners/auth/task-runner-auth.service.ts

@@ -1,6 +1,6 @@
 import { GlobalConfig } from '@n8n/config';
 import { Service } from '@n8n/di';
-import { randomBytes } from 'crypto';
+import { randomBytes, timingSafeEqual } from 'crypto';
 
 import { Time } from '@/constants';
 import { CacheService } from '@/services/cache/cache.service';
@@ -9,6 +9,8 @@ const GRANT_TOKEN_TTL = 15 * Time.seconds.toMilliseconds;
 
 @Service()
 export class TaskRunnerAuthService {
+	private readonly authToken = Buffer.from(this.globalConfig.taskRunners.authToken);
+
 	constructor(
 		private readonly globalConfig: GlobalConfig,
 		private readonly cacheService: CacheService,
@@ -17,7 +19,10 @@ export class TaskRunnerAuthService {
 	) {}
 
 	isValidAuthToken(token: string) {
-		return token === this.globalConfig.taskRunners.authToken;
+		const tokenBuffer = Buffer.from(token);
+		if (tokenBuffer.length !== this.authToken.length) return false;
+
+		return timingSafeEqual(tokenBuffer, this.authToken);
 	}
 
 	/**