Improve order secret handling (#4139)

- use hmac.compare_digest for all secret comparisons - use salted_hmac with sha256 instead of plain sha1 for hashed secrets - move secret handling into helper functions
2026-05-11 16:13:59 +00:00 · 2024-05-23 14:30:16 +02:00
parent e93e5c047c
commit 05a2f411db
8 changed files with 251 additions and 42 deletions
--- a/src/pretix/plugins/stripe/views.py
+++ b/src/pretix/plugins/stripe/views.py
@@ -32,7 +32,6 @@
 # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations under the License.

-import hashlib
 import json
 import logging
 import urllib.parse
@@ -486,15 +485,11 @@ def oauth_disconnect(request, **kwargs):
 class StripeOrderView:
    def dispatch(self, request, *args, **kwargs):
        try:
-            self.order = request.event.orders.get(code=kwargs['order'])
-            if hashlib.sha1(self.order.secret.lower().encode()).hexdigest() != kwargs['hash'].lower():
-                raise Http404('')
+            self.order = request.event.orders.get_with_secret_check(
+                code=kwargs['order'], received_secret=kwargs['hash'].lower(), tag='plugins:stripe'
+            )
        except Order.DoesNotExist:
-            # Do a hash comparison as well to harden timing attacks
-            if 'abcdefghijklmnopq'.lower() == hashlib.sha1('abcdefghijklmnopq'.encode()).hexdigest():
-                raise Http404('')
-            else:
-                raise Http404('')
+            raise Http404('Unknown order')
        self.payment = get_object_or_404(
            self.order.payments,
            pk=self.kwargs['payment'],