Problem
verify_webhook_signature parses t=...,v1=... but only includes the timestamp in the HMAC input; it never checks whether the timestamp is stale. A captured valid webhook can be replayed later and still verify as True. Add a configurable freshness window (maximum timestamp skew) and reject expired signatures to reduce replay risk, protect event-processing correctness and operational trust, and keep idempotency costs down.
Value
Fixing this issue improves correctness, reliability, and user trust while reducing debugging and operational cost caused by missing timestamp freshness in verify_webhook_signature.
Evidence
File: src/globalrouter/_webhooks.py
Line: 13
Severity: high
Summary: missing timestamp freshness in verify_webhook_signature
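
An added sketch of the requested fix, not the project's code: it verifies a t=...,v1=... header and then enforces a freshness window. The signed-payload layout (HMAC-SHA256, hex, over "t.body"), the helper names sign and verify_fresh, and the tolerance and now parameters are assumptions; passing tolerance=None reproduces the behaviour reported above.

```python
import hashlib
import hmac
import time


def _mac(secret: bytes, t: str, body: bytes) -> bytes:
    # Assumed layout: HMAC-SHA256 over "<timestamp>.<body>", hex encoded.
    signed = t.encode() + b"." + body
    return hmac.new(secret, signed, hashlib.sha256).hexdigest().encode()


def sign(secret: bytes, body: bytes, timestamp: int) -> str:
    """Build a constructed 't=...,v1=...' header for the demo."""
    return f"t={timestamp},v1={_mac(secret, str(timestamp), body).decode()}"


def verify_fresh(secret, body, header, tolerance=300, now=None):
    """True only if the MAC matches and the timestamp is within `tolerance`
    seconds of `now`. tolerance=None skips the freshness check, which is the
    replayable behaviour described in the issue."""
    fields = dict(p.strip().split("=", 1) for p in header.split(",") if "=" in p)
    try:
        t_raw, received = fields["t"], fields["v1"]
        timestamp = int(t_raw)
    except (KeyError, ValueError):
        return False  # malformed header: fail closed
    # Authenticate first, so the freshness decision uses a signed timestamp.
    if not hmac.compare_digest(_mac(secret, t_raw, body), received.encode()):
        return False
    if tolerance is None:
        return True
    current = time.time() if now is None else now
    # abs() also rejects timestamps too far in the future (clock skew abuse).
    return abs(current - timestamp) <= tolerance


if __name__ == "__main__":
    secret, body, sent_at = b"constructed-secret", b'{"event":"demo"}', 1_700_000_000
    header = sign(secret, body, sent_at)  # constructed sample, not real traffic
    print("fresh delivery:", verify_fresh(secret, body, header, now=sent_at + 60))
    print("replay after 1h:", verify_fresh(secret, body, header, now=sent_at + 3600))
    print("replay, no window:", verify_fresh(secret, body, header, tolerance=None))
```

A freshness window narrows the replay interval but does not close it, so handlers should still deduplicate on an event identifier inside the window.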