alainburindi
Contributor

Description
Do a copy of the payload to avoid changing the main notification payload
Tested scenarios

Fixed issue: #148

@acampos1916
Contributor

Thanks for this contribution @alainburindi. I believe this would break usages of those functions that for some reason are expecting the passed payload to change, right?

@alainburindi
Contributor Author

> Thanks for this contribution @alainburindi. I believe this would break usages of those functions that for some reason are expecting the passed payload to change, right?

Yes, in case there are any. In our use case, we don't want the payload to be changed because our ERP uses one endpoint for different accounts.

We can add another parameter on the function that will be used to check whether the user wants the payloads to be changed or not.

def is_valid_hmac(dict_object, hmac_key, keep_additional_data=False):
    if keep_additional_data:
        dict_object = dict_object.copy()
    # ...rest

@acampos1916 What do you think? With this, we won't break any existing usages that expect the payload to change.

@acampos1916
Contributor

I like that @alainburindi

What do you think @AlexandrosMor?

@AlexandrosMor
Contributor

@alainburindi, thank you for opening this pull request. Yes indeed, I also prefer that solution.

@alainburindi force-pushed the bug/fix-hmac-verifications-corrupt-payload branch from 93541af to f730f63 on November 25, 2021 17:10
@alainburindi
Contributor Author

@acampos1916 @AlexandrosMor I have made the changes accordingly.

acampos1916 previously approved these changes Nov 26, 2021
@michaelpaul changed the title from "Fix HMAC verification functions corrupt notification item payload" to "PW-6762: Fix HMAC verification functions corrupt notification item payload" on Jun 3, 2022
Adyen/util.py Outdated
Comment on lines 37 to 39
def is_valid_hmac(dict_object, hmac_key, keep_additional_data=False):
if keep_additional_data:
dict_object = dict_object.copy()

Contributor

@AlexandrosMor Jun 29, 2022

Suggested change
def is_valid_hmac(dict_object, hmac_key, keep_additional_data=False):
if keep_additional_data:
dict_object = dict_object.copy()
def is_valid_hmac(dict_object, hmac_key):
dict_object = dict_object.copy()
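
Review bot: On the added `dict_object = dict_object.copy()` line, `dict.copy()` is shallow, so any nested dict inside the payload is still shared with the caller; the copy protects the caller only if the rest of the function deletes or reassigns top-level keys. If anything further down mutates a nested value in place, use `copy.deepcopy(dict_object)` instead, and add a test asserting that the input is unchanged after the call, since the "Tested scenarios" section of the description is empty.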

We decided to always keep the original additional data. Could you please review it and add this suggestion? @alainburindi

Contributor Author

@AlexandrosMor I just modified the changes accordingly. Can you check them?

AlexandrosMor previously approved these changes Jul 6, 2022
@michaelpaul merged commit dccea0e into Adyen:develop on Jul 11, 2022
@michaelpaul mentioned this pull request on Jul 13, 2022
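
The side effect this pull request removes, shown as an added example that is not the Adyen library's code. The signing scheme in `_sign`, the field values and the account keys are constructed, and the multi-key loop in `match_account` is one assumed way a shared endpoint might call the verifier.

```python
import base64
import hashlib
import hmac
import json


def _sign(fields, key):
    # Constructed scheme for this example: HMAC-SHA256 over canonical JSON.
    msg = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()


def make_item(key):
    # Constructed notification item; every value here is a placeholder.
    body = {"pspReference": "TEST-0001", "eventCode": "AUTHORISATION", "success": "true"}
    extra = {"hmacSignature": _sign(body, key), "shopperReference": "acct-42"}
    return {**body, "additionalData": extra}


def verify_mutating(item, key):
    # "Before": strips additionalData from the caller's own dict.
    expected = item["additionalData"]["hmacSignature"]
    del item["additionalData"]
    return hmac.compare_digest(_sign(item, key), expected)


def verify_copying(item, key):
    # "After": the top-level key is removed from a shallow copy only.
    item = item.copy()
    expected = item.pop("additionalData")["hmacSignature"]
    return hmac.compare_digest(_sign(item, key), expected)


def match_account(item, keys, verify):
    # Hypothetical shared endpoint: try each account's key on the same item.
    for name, key in keys.items():
        if verify(item, key):
            return name
    return None


if __name__ == "__main__":
    keys = {"account_a": b"constructed-key-a", "account_b": b"constructed-key-b"}
    item = make_item(keys["account_b"])
    print(match_account(item, keys, verify_copying), "additionalData" in item)
    try:
        match_account(item, keys, verify_mutating)
    except KeyError as exc:
        print("second attempt failed, missing", exc)
```

With the mutating verifier, the first failed key check deletes the signature, so a valid notification can no longer be verified against the correct key.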