fix hmac.compare_digest under python277

fix indent

implement tscmp for preventing timing attack

remove semicolon

apply flake8

apply flake8

refactoring using hasattr

refactoring using len2 directly

add test and refactoring

add test and refactoring

change docstring

Author: charsyam

linebot/utils.py

@@ -45,3 +45,25 @@ def to_camel_case(text):
     """
     split = text.split('_')
     return split[0] + "".join(x.title() for x in split[1:])
+
+
+def safe_compare_digest(val1, val2):
+    """safe_compare_digest method.
+
+    :param val1: string or bytes for compare
+    :type val1: str | bytes
+    :param val2: string or bytes for compare
+    :type val2: str | bytes
+    """
+    if len(val1) != len(val2):
+        return False
+
+    result = 0
+    if PY3 and isinstance(val1, bytes) and isinstance(val2, bytes):
+        for i, j in zip(val1, val2):
+            result |= i ^ j
+    else:
+        for i, j in zip(val1, val2):
+            result |= (ord(i) ^ ord(j))
+
+    return result == 0

linebot/webhook.py

@@ -32,7 +32,33 @@
     PostbackEvent,
     BeaconEvent
 )
-from .utils import LOGGER, PY3
+from .utils import LOGGER, PY3, safe_compare_digest
+
+
+if hasattr(hmac, "compare_digest"):
+    def compare_digest(val1, val2):
+        """compare_digest method.
+
+        :param val1: string or bytes for compare
+        :type val1: str | bytes
+        :param val2: string or bytes for compare
+        :type val2: str | bytes
+        :rtype: bool
+        :return: result
+        """
+        return hmac.compare_digest(val1, val2)
+else:
+    def compare_digest(val1, val2):
+        """compare_digest method.
+
+        :param val1: string or bytes for compare
+        :type val1: str | bytes
+        :param val2: string or bytes for compare
+        :type val2: str | bytes
+        :rtype: bool
+        :return: result
+        """
+        return safe_compare_digest(val1, val2)
 
 
 class SignatureValidator(object):
@@ -64,8 +90,8 @@ def validate(self, body, signature):
             hashlib.sha256
         ).digest()
 
-        return hmac.compare_digest(
-            signature.encode('utf-8'), base64.b64encode(gen_signature)
+        return compare_digest(
+                signature.encode('utf-8'), base64.b64encode(gen_signature)
         )
 
 

tests/test_utils.py

@@ -16,7 +16,7 @@
 
 import unittest
 
-from linebot.utils import to_camel_case, to_snake_case
+from linebot.utils import to_camel_case, to_snake_case, safe_compare_digest
 
 
 class TestUtils(unittest.TestCase):
@@ -26,6 +26,15 @@ def test_to_snake_case(self):
     def test_to_camel_case(self):
         self.assertEqual(to_camel_case('hoge_bar'), 'hogeBar')
 
+    def test_safe_compare_digest_true(self):
+        self.assertTrue(safe_compare_digest('/gg9a+LvFevTH1sd7', '/gg9a+LvFevTH1sd7'))
+
+    def test_safe_compare_digest_false_same_size(self):
+        self.assertFalse(safe_compare_digest('/gg9a+LvFevTH1sd7', '/gg9a+LvFevTH1sd8'))
+
+    def test_safe_compare_digest_false_different_size(self):
+        self.assertFalse(safe_compare_digest('/gg9a+LvFevTH1sd7', '/gg9a+LvFevTH1sd78'))
+
 
 if __name__ == '__main__':
     unittest.main()