This challenge covers the review of a CVE in a Java codebase and its patch



The Code Review Patch challenges provide an in-depth look at locating and understanding vulnerabilities by comparing original and patched code. In this particular lab, you will be working with the `SaslRoleTokenSigner` class from the Apache Pulsar project. Initially, you are encouraged to identify the issue without looking at the patch. If you encounter difficulties, you can refer to the provided patch to cross-verify your findings.

The core of this lab involves a vulnerability in the signature verification process of the `SaslRoleTokenSigner` class. The original code uses a simple string comparison to verify signatures, which is susceptible to timing attacks. The patch replaces this with a more secure method using `MessageDigest.isEqual`, which mitigates the risk by ensuring constant-time comparison, thus preventing timing attacks. This exercise helps you understand the importance of secure coding practices, especially in cryptographic operations.

Want to learn more? Get started with PentesterLab Pro! GO PRO