Pingback validation is very broken #11

Closed
tallytarik opened this issue Jun 19, 2016 · 1 comment
tallytarik commented Jun 19, 2016

This library is currently unusable because the Pingback class doesn't work for a variety of reasons. I'm in the middle of a project at the moment so unfortunately don't have the time to rewrite this class, but I'll detail the issues I came across here in the hopes that a kind soul can start on fixing them.

  1. this is not available in the functions in which it's used, which means that attempting to access this.parameters fails and everything falls apart. There's a PR (no access for this.parameters at isSignatureValid #10) that attempts to fix this, but it doesn't work. I'm not sure how this class is supposed to be modeled, but the functions/this usage do not work in the way that it's intended.
  2. The sortObject function by nature can't work because JS objects don't guarantee the order of keys. This means that signature verification will often fail because the keys need to be in order. Rather than trying to sort the parameters first, it's better to just iterate over the sorted parameters and directly construct the baseString - example below.

In the meantime, I made a small function to validate pingbacks - input params and IP like the normal Pingback constructor. This works for sig version 2, "goods API" pingbacks.

var crypto = require('crypto');

// Validates a Paymentwall "goods API" pingback (signature version 2).
// `Payment.getPaymentwallKey()` refers to the library's Payment class, which
// must be in scope; it returns the project's Paymentwall secret key.
function validatePingback(params, ip) {
    // Check ip (the list as posted in this issue)
    var ipsWhitelist = [
        '174.36.92.186',
        '174.36.96.66',
        '174.36.92.187',
        '174.36.92.192',
        '174.37.14.28'
    ];

    if (ipsWhitelist.indexOf(ip) === -1) return false; // IP address not whitelisted

    // Check params: iterate over the sorted keys and build the base string
    // directly, so the result does not depend on object key order.
    var baseString = "", sig = params.sig;
    Object.keys(params).sort().forEach(function(key) {
        if (key === "sig") return;

        var value = params[key] || "";

        baseString += key + '=' + value;
    });
    baseString += Payment.getPaymentwallKey();

    var hash = crypto.createHash("md5").update(baseString).digest("hex");

    // Compare in constant time so the check does not leak timing information
    // about the expected signature.
    if (typeof sig !== "string" || sig.length !== hash.length) return false;
    if (!crypto.timingSafeEqual(Buffer.from(hash), Buffer.from(sig))) return false; // Signature mismatch

    return true;
}
liufanhhh (Contributor) commented:
Updated it. Now it should work all the time.

Thanks for this suggestion!
