From e473667be1a21384246643df77e237171b175776 Mon Sep 17 00:00:00 2001
From: Thomas NOEL
Date: Thu, 25 Jul 2019 15:41:27 +0200
Subject: [PATCH] utils: forbid argument after signature (#35050)

---
 combo/utils/signature.py | 4 +++-
 tests/test_lingo_payment.py | 6 ++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/combo/utils/signature.py b/combo/utils/signature.py
index bb56000f..bf6c5556 100644
--- a/combo/utils/signature.py
+++ b/combo/utils/signature.py
@@ -76,12 +76,14 @@ def check_query(query, keys, known_nonce=None, timedelta=30):
     if not ('signature' in parsed and 'algo' in parsed and 'timestamp' in parsed and 'nonce' in parsed):
         return False
+    unsigned_query, end_of_query = query.split('&signature=', 1)
+    if '&' in end_of_query: # nothing after signature
+        return False
     signature = base64.b64decode(parsed['signature'][0])
     algo = parsed['algo'][0]
     timestamp = parsed['timestamp'][0]
     timestamp = datetime.datetime.strptime(timestamp, '%Y-%m-%dT%H:%M:%SZ')
     nonce = parsed['nonce']
-    unsigned_query = query.split('&signature=')[0]
     if known_nonce is not None and known_nonce(nonce):
         return False
     if abs(datetime.datetime.utcnow() - timestamp) > datetime.timedelta(seconds=timedelta):
diff --git a/tests/test_lingo_payment.py b/tests/test_lingo_payment.py
index 902578b4..eff7703a 100644
--- a/tests/test_lingo_payment.py
+++ b/tests/test_lingo_payment.py
@@ -219,6 +219,8 @@ def test_add_amount_to_basket(app, key, regie, user):
     assert BasketItem.objects.filter(amount=amount).exists()
     assert BasketItem.objects.filter(amount=amount)[0].regie_id == regie.id
+    resp = app.post_json('%s&amount=10' % url, params=data, status=403) # bad signature
+
     data['extra'] = {'amount': '22.22'}
     url = '%s?email=%s&orig=wcs' % (reverse('api-add-basket-item'), user_email)
     url = sign_url(url, key)
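Review bot: The unpacking in `unsigned_query, end_of_query = query.split('&signature=', 1)` raises ValueError when `signature` is the first parameter of the query string (no `&` in front of it), an input the visible key check on `parsed` does not exclude; the removed `.split('&signature=')[0]` tolerated it, so the commit turns a clean `return False` into an unhandled exception on caller-controlled data. `str.partition` makes the missing-separator case explicit: `unsigned_query, sep, end_of_query = query.partition('&signature=')` followed by `if not sep or '&' in end_of_query: return False`. The new check also only knows about `&`, whereas what counts as a parameter separator is decided by whatever parser produced `parsed` (presumably parse_qs, older versions of which also honour `;`), so tying the rejection to that same rule, or requiring `end_of_query` to contain nothing beyond the signature value itself, would close the gap. The trailing comment `# nothing after signature` states the invariant rather than the branch; `# reject anything appended after the signature` reads as the condition does. check_query begins and ends outside the hunk.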
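Review bot: In the added `resp = app.post_json('%s&amount=10' % url, params=data, status=403) # bad signature`, `resp` is never read and the comment misstates what is rejected: the signature on `url` is valid, the request fails because a parameter was appended after it. `app.post_json('%s&amount=10' % url, params=data, status=403)  # parameter appended after the signature must be rejected` says what the assertion actually covers. `url` and `data` are built earlier in test_add_amount_to_basket, which starts outside the hunk.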
@@ -229,9 +231,9 @@ def test_add_amount_to_basket(app, key, regie, user):
     data['amount'] = [amount]
     data['extra'] = {'amount': ['22.22', '12']}
-    url = '%s?email=%s&orig=wcs' % (reverse('api-add-basket-item'), user_email)
+    url = '%s?email=%s&orig=wcs&amount=5' % (reverse('api-add-basket-item'), user_email)
     url = sign_url(url, key)
-    resp = app.post_json('%s&amount=5' % url, params=data)
+    resp = app.post_json(url, params=data)
     assert resp.status_code == 200
     assert json.loads(resp.content)['result'] == 'success'
     assert BasketItem.objects.filter(amount=Decimal('81.22')).exists()