From f2be6b850d6c5b3b74b912ea64d181bc7a781f9f Mon Sep 17 00:00:00 2001 From: Codex Microtask Operator Date: Sat, 13 Jun 2026 01:36:03 +0200 Subject: [PATCH] Reject malformed CoinPay webhook timestamps --- apps/logicsrc-web/contract/logicsrc-web.contract.test.ts | 4 ++++ apps/logicsrc-web/src/lib/coinpay.ts | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/apps/logicsrc-web/contract/logicsrc-web.contract.test.ts b/apps/logicsrc-web/contract/logicsrc-web.contract.test.ts index e14773f..7e2d63f 100644 --- a/apps/logicsrc-web/contract/logicsrc-web.contract.test.ts +++ b/apps/logicsrc-web/contract/logicsrc-web.contract.test.ts @@ -411,6 +411,10 @@ describe("POST /api/webhooks/coinpay", () => { expect(verifyCoinPayWebhook(payload, `t=${timestamp},v1=${signature}`, secret)).toBe(true); expect(verifyCoinPayWebhook(payload, `t=${timestamp}, v1=${signature}`, secret)).toBe(true); + const malformedTimestamp = `${timestamp}abc`; + const malformedSignature = createHmac("sha256", secret).update(`${malformedTimestamp}.${payload}`).digest("hex"); + expect(verifyCoinPayWebhook(payload, `t=${malformedTimestamp},v1=${malformedSignature}`, secret)).toBe(false); + const response = await coinpayWebhook( new NextRequest("http://localhost/api/webhooks/coinpay", { method: "POST", diff --git a/apps/logicsrc-web/src/lib/coinpay.ts b/apps/logicsrc-web/src/lib/coinpay.ts index dae83d7..4c270ca 100644 --- a/apps/logicsrc-web/src/lib/coinpay.ts +++ b/apps/logicsrc-web/src/lib/coinpay.ts @@ -117,7 +117,7 @@ export function verifyCoinPayWebhook( const parts = signatureHeader.split(",").map((part) => part.trim()); const timestamp = parts.find((part) => part.startsWith("t="))?.slice(2); const signature = parts.find((part) => part.startsWith("v1="))?.slice(3); - if (!timestamp || !signature) { + if (!timestamp || !signature || !/^\d+$/.test(timestamp)) { return false; }