Merge pull request #1224 from stripe/remi-fix-event-validation

ob-stripe · web-flow · commit 83d2416a085d · 2018-07-11T14:43:50.000+02:00
Improve tolerance verification to check both past and future timestamps
diff --git a/src/Stripe.net/Services/Events/StripeEventUtility.cs b/src/Stripe.net/Services/Events/StripeEventUtility.cs
@@ -47,8 +47,8 @@ public static StripeEvent ConstructEvent(string json, string stripeSignatureHead
 
             var webhookUtc = Convert.ToInt32(signatureItems["t"].FirstOrDefault());
 
-            if (utcNow - webhookUtc > tolerance)
-                throw new StripeException("The webhook cannot be processed because the current timestamp is above the allowed tolerance.");
+            if (Math.Abs(utcNow - webhookUtc) > tolerance)
+                throw new StripeException("The webhook cannot be processed because the current timestamp is outside of the allowed tolerance.");
 
             return Mapper<StripeEvent>.MapFromJson(json);
         }

Original file line number	Diff line number	Diff line change
`@@ -47,8 +47,8 @@ public static StripeEvent ConstructEvent(string json, string stripeSignatureHead`
`47`	`47`
`48`	`48`	`var webhookUtc = Convert.ToInt32(signatureItems["t"].FirstOrDefault());`
`49`	`49`
`50`		`- if (utcNow - webhookUtc > tolerance)`
`51`		`- throw new StripeException("The webhook cannot be processed because the current timestamp is above the allowed tolerance.");`
	`50`	`+ if (Math.Abs(utcNow - webhookUtc) > tolerance)`
	`51`	`+ throw new StripeException("The webhook cannot be processed because the current timestamp is outside of the allowed tolerance.");`
`52`	`52`
`53`	`53`	`return Mapper<StripeEvent>.MapFromJson(json);`
`54`	`54`	`}`