api: use hashlib to validate algo parameter (#47685)

tests/test_api.py

@@ -151,6 +151,8 @@ def test_get_user_from_api_query_string_error_missing_algo(pub):
 def test_get_user_from_api_query_string_error_invalid_algo(pub):
     output = get_app(pub).get('/api/user/?format=json&orig=coucou&signature=xxx&algo=coin', status=403)
     assert output.json['err_desc'] == 'invalid algo'
+    output = get_app(pub).get('/api/user/?format=json&orig=coucou&signature=xxx&algo=__getattribute__', status=403)
+    assert output.json['err_desc'] == 'invalid algo'
 
 
 def test_get_user_from_api_query_string_error_invalid_signature(pub):

wcs/api_utils.py

@@ -55,6 +55,8 @@ def is_url_signed(utcnow=None, duration=DEFAULT_DURATION):
     algo = get_request().form.get('algo')
     if not isinstance(algo, six.string_types):
         raise AccessForbiddenError('missing/multiple algo field')
+    if algo not in hashlib.algorithms_guaranteed:
+        raise AccessForbiddenError('invalid algo')
     try:
         algo = getattr(hashlib, algo)
     except AttributeError: