[SECURITY-2141]

yaroslavafenkin · yaroslavafenkin · commit 4f425675edf7 · 2021-12-20T11:50:00.000+02:00
diff --git a/plugin/src/main/java/io/jenkins/plugins/casc/TokenReloadAction.java b/plugin/src/main/java/io/jenkins/plugins/casc/TokenReloadAction.java
@@ -6,6 +6,8 @@
 import hudson.security.ACL;
 import hudson.security.ACLContext;
 import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
 import java.util.logging.Logger;
 import javax.servlet.http.HttpServletRequest;
 import org.kohsuke.stapler.StaplerRequest;
@@ -48,7 +50,8 @@ public void doIndex(StaplerRequest request, StaplerResponse response) throws IOE
         } else {
             String requestToken = getRequestToken(request);
 
-            if (token.equals(requestToken)) {
+            if (requestToken != null && MessageDigest.isEqual(token.getBytes(StandardCharsets.UTF_8), requestToken.getBytes(
+                StandardCharsets.UTF_8))) {
                 LOGGER.info("Configuration reload triggered via token");
 
                 try (ACLContext ignored = ACL.as(ACL.SYSTEM)) {
