Closed
Description
This library is currently unusable because the Pingback class doesn't work for a variety of reasons. I'm in the middle of a project at the moment so unfortunately don't have the time to rewrite this class, but I'll detail the issues I came across here in the hopes that a kind soul can start on fixing them.
- `this` is not available in the functions in which it's used, which means that attempting to access `this.parameters` fails and everything falls apart. There's a PR (no access for this.parameters at isSignatureValid #10) that attempts to fix this but it doesn't work. I'm not sure how this class is supposed to be modeled but the functions/`this` usage do not work in the way that it's intended.
- The sortObject function by nature can't work because JS objects don't guarantee the order of keys. This means that signature verification will often fail because the keys need to be in order. Rather than trying to sort the parameters first it's better to just iterate over the sorted parameters and directly construct the baseString - example below.
In the meantime, I made a small function to validate pingbacks - input params and IP like the normal Pingback constructor. This works for sig version 2, "goods API" pingbacks.
```js
var crypto = require('crypto');

function validatePingback(params, ip) {
  // Check ip
  var ipsWhitelist = [
    '174.36.92.186',
    '174.36.96.66',
    '174.36.92.187',
    '174.36.92.192',
    '174.37.14.28'
  ];
  if (!~ipsWhitelist.indexOf(ip)) return false; // IP address not whitelisted

  // Check params: sorted key=value pairs (sig excluded), then the secret key, then MD5
  var baseString = "", sig = params.sig;
  Object.keys(params).sort().forEach(function(key) {
    if (key === "sig") return;
    var value = params[key] || "";
    baseString += key + '=' + value;
  });
  // Payment.getPaymentwallKey() is the author's own helper returning the Paymentwall secret key
  baseString += Payment.getPaymentwallKey();
  var hash = crypto.createHash("md5").update(baseString).digest("hex");
  if (hash !== sig) return false; // Signature mismatch
  return true;
}
```