From 11d1d79ebf85248dc43432389746c1ecc3452b6a Mon Sep 17 00:00:00 2001
From: Carroll Chiou
Date: Tue, 21 Jun 2022 23:22:15 -0600
Subject: [PATCH] [SECURITY-1849]
---
 .../plugins/github/webhook/GHWebhookSignature.java | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/main/java/org/jenkinsci/plugins/github/webhook/GHWebhookSignature.java b/src/main/java/org/jenkinsci/plugins/github/webhook/GHWebhookSignature.java
index 5d434a682..4ded97d8e 100644
--- a/src/main/java/org/jenkinsci/plugins/github/webhook/GHWebhookSignature.java
+++ b/src/main/java/org/jenkinsci/plugins/github/webhook/GHWebhookSignature.java
@@ -2,13 +2,14 @@
 import hudson.util.Secret;
 import org.apache.commons.codec.binary.Hex;
-import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
+import java.security.MessageDigest;
+
 import static com.google.common.base.Preconditions.checkNotNull;
 import static java.nio.charset.StandardCharsets.UTF_8;
@@ -71,6 +72,12 @@ public String sha1() {
 public boolean matches(String digest) {
 String computed = sha1();
 LOGGER.trace("Signature: calculated={} provided={}", computed, digest);
- return StringUtils.equals(computed, digest);
+ if (digest == null && computed == null) {
+ return true;
+ } else if (digest == null || computed == null) {
+ return false;
+ } else {
+ return MessageDigest.isEqual(computed.getBytes(UTF_8), digest.getBytes(UTF_8));
+ }
 }
 }
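Review bot: The new branch in matches() carries no comment saying why `MessageDigest.isEqual` replaces `StringUtils.equals`, so a later cleanup could plausibly "simplify" it back to a plain equals and silently reintroduce the issue this commit fixes; add above the first `if` a comment such as `// Constant-time comparison (SECURITY-1849): String.equals stops at the first differing byte, so its timing would reveal how many leading bytes of the expected HMAC a provided value shares.` The two null branches preserve the old StringUtils.equals semantics (both null is a match), but whether sha1() can return null at all is not visible in this hunk; if it cannot, the checks collapse to a single `if (digest == null) { return false; }` and the both-null "match" case disappears, which is the safer default for a signature check. Note that isEqual is only constant-time for arrays of equal length and returns early otherwise; that is acceptable here because the provided digest's length is supplied by the caller and its comparison reveals nothing about the secret or the expected value.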