Improve order secret handling (#4139)

- use hmac.compare_digest for all secret comparisons - use salted_hmac with sha256 instead of plain sha1 for hashed secrets - move secret handling into helper functions
2026-05-04 15:04:03 +00:00 · 2024-05-23 14:30:16 +02:00
parent e93e5c047c
commit 05a2f411db
8 changed files with 251 additions and 42 deletions
--- a/src/pretix/plugins/stripe/payment.py
+++ b/src/pretix/plugins/stripe/payment.py
@@ -32,7 +32,6 @@
 # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations under the License.

-import hashlib
 import json
 import logging
 import re
@@ -636,7 +635,7 @@ class StripeMethod(BasePaymentProvider):
            'order': payment.order,
            'payment': payment,
            'payment_info': payment_info,
-            'payment_hash': hashlib.sha1(payment.order.secret.lower().encode()).hexdigest()
+            'payment_hash': payment.order.tagged_secret('plugins:stripe')
        }
        return template.render(ctx)

@@ -890,7 +889,7 @@ class StripeMethod(BasePaymentProvider):
                    return_url=build_absolute_uri(self.event, 'plugins:stripe:sca.return', kwargs={
                        'order': payment.order.code,
                        'payment': payment.pk,
-                        'hash': hashlib.sha1(payment.order.secret.lower().encode()).hexdigest(),
+                        'hash': payment.order.tagged_secret('plugins:stripe'),
                    }),
                    expand=['latest_charge'],
                    **params
@@ -988,7 +987,7 @@ class StripeMethod(BasePaymentProvider):
        url = build_absolute_uri(self.event, 'plugins:stripe:sca', kwargs={
            'order': payment.order.code,
            'payment': payment.pk,
-            'hash': hashlib.sha1(payment.order.secret.lower().encode()).hexdigest(),
+            'hash': payment.order.tagged_secret('plugins:stripe'),
        })
        if not self.redirect_in_widget_allowed and request.session.get('iframe_session', False):
            return build_absolute_uri(self.event, 'plugins:stripe:redirect') + '?data=' + signing.dumps({
@@ -1009,7 +1008,7 @@ class StripeMethod(BasePaymentProvider):
                return_url=build_absolute_uri(self.event, 'plugins:stripe:sca.return', kwargs={
                    'order': payment.order.code,
                    'payment': payment.pk,
-                    'hash': hashlib.sha1(payment.order.secret.lower().encode()).hexdigest(),
+                    'hash': payment.order.tagged_secret('plugins:stripe'),
                }),
                expand=["latest_charge"],
                **self.api_kwargs
@@ -1829,7 +1828,7 @@ class StripeMultibanco(StripeSourceMethod):
                'return_url': build_absolute_uri(self.event, 'plugins:stripe:return', kwargs={
                    'order': payment.order.code,
                    'payment': payment.pk,
-                    'hash': hashlib.sha1(payment.order.secret.lower().encode()).hexdigest(),
+                    'hash': payment.order.tagged_secret('plugins:stripe'),
                })
            },
            **self.api_kwargs