Expected Behavior

Reviewing this library, I noticed that the method equalsConstantTime wasn't adopted everywhere.

https://github.com/spring-projects/spring-security/blob/3b447b938cfcb82e31e1bb744ff59ce52427749b/web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java#L122

Locations where it is not adopted yet:

https://github.com/spring-projects/spring-security/blob/3b447b938cfcb82e31e1bb744ff59ce52427749b/core/src/main/java/org/springframework/security/authentication/AbstractAuthenticationToken.java#L141-L142
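As an added example (not code from this report or from Spring Security), here is the early-exit comparison flagged above next to the constant-time pattern the report asks for. The class name, helper names and the sample token are assumptions made for illustration:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added illustration, not Spring Security's code: the early-exit comparison
// the report flags next to the constant-time pattern it asks for.
public final class ConstantTimeCompare {

    // String.equals returns at the first differing character, so the time it
    // takes grows with the length of the prefix an attacker got right.
    static boolean equalsEarlyExit(String expected, String actual) {
        return expected != null && expected.equals(actual);
    }

    // XOR every byte pair and OR the results together; the loop runs over the
    // full length regardless of where the inputs differ. A length mismatch is
    // still reported (and therefore observable), the contents are not.
    static boolean equalsConstantTime(String expected, String actual) {
        if (expected == actual) {
            return true;
        }
        if (expected == null || actual == null) {
            return false;
        }
        byte[] e = expected.getBytes(StandardCharsets.UTF_8);
        byte[] a = actual.getBytes(StandardCharsets.UTF_8);
        if (e.length != a.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < e.length; i++) {
            diff |= e[i] ^ a[i];
        }
        return diff == 0;
    }

    // The same property using the JDK helper; its implementation in current
    // JDKs also avoids exiting early on the first differing byte.
    static boolean equalsViaJdk(String expected, String actual) {
        if (expected == null || actual == null) {
            return expected == actual;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                actual.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample values; a real token would come from the session.
        String stored = "a7c4e1f0b9d2a7c4e1f0b9d2a7c4e1f0";
        String[] candidates = {
                stored,                                  // exact match
                "b7c4e1f0b9d2a7c4e1f0b9d2a7c4e1f0",      // differs in byte 0
                "a7c4e1f0b9d2a7c4e1f0b9d2a7c4e1f1",      // differs in last byte
                "a7c4",                                  // wrong length
                null                                     // missing header
        };
        for (String candidate : candidates) {
            boolean naive = equalsEarlyExit(stored, candidate);
            boolean ct = equalsConstantTime(stored, candidate);
            boolean jdk = equalsViaJdk(stored, candidate);
            if (naive != ct || ct != jdk) {
                throw new AssertionError("comparators disagree for " + candidate);
            }
            System.out.println(candidate + " -> " + ct);
        }
    }
}
```

All three comparators return the same booleans; the difference is only in how long a mismatch takes to report, which is what a remote timing measurement against a token or password check exploits. The constant-time variant still reveals a length mismatch, which is acceptable for fixed-length tokens but worth keeping in mind for variable-length secrets.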

Below is a cpgql query that could be used to identify these locations with joern (joern.io):

cpg.call("equals").where(_.argument(1).code(".*((?i)cred|pass|token|secret).*")).location.map(l => (l.className, l.filename, l.lineNumber, l.node)).l
joern> cpg.call("equals").where(_.argument(1).code(".*((?i)cred|pass|token|secret).*")).location.map(l => (l.className, l.filename, l.lineNumber, l.node)).l
res83: List[(String, String, Option[Integer], Option[AbstractNode])] = List(
  (
    "org.springframework.security.web.authentication.www.DigestAuthenticationFilter$DigestData",
    "/Volumes/Work/threatr/spring-security/web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilter.java",
    Some(value = 397),
    Some(
      value = Call(
        id = 11568L,
        argumentIndex = 1,
        argumentName = None,
        code = "expectedNonceSignature.equals(nonceTokens[1])",
        columnNumber = Some(value = 9),
        dispatchType = "DYNAMIC_DISPATCH",
        dynamicTypeHintFullName = ArraySeq(),
        lineNumber = Some(value = 397),
        methodFullName = "java.lang.String.equals:boolean(java.lang.Object)",
        name = "equals",
        order = 1,
        signature = "boolean(java.lang.Object)",
        typeFullName = "boolean"
      )
    )
  ),
  (
    "org.springframework.security.crypto.password.LdapShaPasswordEncoder",
    "/Volumes/Work/threatr/spring-security/crypto/src/main/java/org/springframework/security/crypto/password/LdapShaPasswordEncoder.java",
    Some(value = 150),
    Some(
      value = Call(
        id = 43131L,
        argumentIndex = 1,
        argumentName = None,
        code = "PasswordEncoderUtils.equals(encodedPassword, rawPassword)",
        columnNumber = Some(value = 11),
        dispatchType = "STATIC_DISPATCH",
        dynamicTypeHintFullName = ArraySeq(),
        lineNumber = Some(value = 150),
        methodFullName = "org.springframework.security.crypto.password.PasswordEncoderUtils.equals:boolean(java.lang.String,java.lang.String)",
        name = "equals",
        order = 1,
        signature = "boolean(java.lang.String,java.lang.String)",
        typeFullName = "boolean"
      )
    )
  ),

...

Current Behavior

The equals method is used for comparing tokens and passwords.

Context

Secure coding.