utils: forbid argument after signature (#35050)

combo/utils/signature.py

@@ -76,12 +76,14 @@ def check_query(query, keys, known_nonce=None, timedelta=30):
     if not ('signature' in parsed and 'algo' in parsed and
             'timestamp' in parsed and 'nonce' in parsed):
         return False
+    unsigned_query, end_of_query = query.split('&signature=', 1)
+    if '&' in end_of_query:  # nothing after signature
+        return False
     signature = base64.b64decode(parsed['signature'][0])
     algo = parsed['algo'][0]
     timestamp = parsed['timestamp'][0]
     timestamp = datetime.datetime.strptime(timestamp, '%Y-%m-%dT%H:%M:%SZ')
     nonce = parsed['nonce']
-    unsigned_query = query.split('&signature=')[0]
     if known_nonce is not None and known_nonce(nonce):
         return False
     if abs(datetime.datetime.utcnow() - timestamp) > datetime.timedelta(seconds=timedelta):

tests/test_lingo_payment.py

@@ -219,6 +219,8 @@ def test_add_amount_to_basket(app, key, regie, user):
     assert BasketItem.objects.filter(amount=amount).exists()
     assert BasketItem.objects.filter(amount=amount)[0].regie_id == regie.id
 
+    resp = app.post_json('%s&amount=10' % url, params=data, status=403)  # bad signature
+
     data['extra'] = {'amount': '22.22'}
     url = '%s?email=%s&orig=wcs' % (reverse('api-add-basket-item'), user_email)
     url = sign_url(url, key)
@@ -229,9 +231,9 @@ def test_add_amount_to_basket(app, key, regie, user):
 
     data['amount'] = [amount]
     data['extra'] = {'amount': ['22.22', '12']}
-    url = '%s?email=%s&orig=wcs' % (reverse('api-add-basket-item'), user_email)
+    url = '%s?email=%s&orig=wcs&amount=5' % (reverse('api-add-basket-item'), user_email)
     url = sign_url(url, key)
-    resp = app.post_json('%s&amount=5' % url, params=data)
+    resp = app.post_json(url, params=data)
     assert resp.status_code == 200
     assert json.loads(resp.content)['result'] == 'success'
     assert BasketItem.objects.filter(amount=Decimal('81.22')).exists()