API: validate payment_info (#5944)

* API: validate payment_info * improve dict-check * Apply suggestions from code review Co-authored-by: Raphael Michel <michel@pretix.eu> --------- Co-authored-by: Raphael Michel <michel@pretix.eu>
2026-05-04 15:04:03 +00:00 · 2026-03-02 12:28:47 +01:00
parent 876ddf1321
commit 959e926a67
2 changed files with 48 additions and 0 deletions
--- a/src/pretix/api/serializers/order.py
+++ b/src/pretix/api/serializers/order.py
@@ -19,6 +19,7 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
+import json
 import logging
 import os
 from collections import Counter, defaultdict
@@ -1215,6 +1216,18 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
            raise ValidationError('The given payment provider is not known.')
        return pp

+    def validate_payment_info(self, info):
+        if info:
+            try:
+                obj = json.loads(info)
+            except ValueError:
+                raise ValidationError('payment_info must be valid JSON.')
+
+            if not isinstance(obj, dict):
+                # only objects are allowed
+                raise ValidationError('payment_info must be a JSON object.')
+        return info
+
    def validate_expires(self, expires):
        if expires < now():
            raise ValidationError('Expiration date must be in the future.')