fix: support duplicate query param values (#615)

childish-sambino · web-flow · commit dd225d4fb3bd · 2022-08-26T09:06:46.000-05:00
diff --git a/tests/requirements.txt b/tests/requirements.txt
@@ -10,3 +10,5 @@ wheel>=0.22.0
 cryptography
 twine
 recommonmark
+django
+multidict
diff --git a/tests/unit/test_request_validator.py b/tests/unit/test_request_validator.py
@@ -1,12 +1,19 @@
 # -*- coding: utf-8 -*-
 import unittest
 
+from django.conf import settings
+from django.http import QueryDict
+from multidict import MultiDict
+
 from twilio.request_validator import RequestValidator
 
 
 class ValidationTest(unittest.TestCase):
 
     def setUp(self):
+        if not settings.configured:
+            settings.configure()
+
         token = "12345"
         self.validator = RequestValidator(token)
 
@@ -22,9 +29,10 @@ def setUp(self):
         self.body = "{\"property\": \"value\", \"boolean\": true}"
         self.bodyHash = "0a1ff7634d9ab3b95db5c9a2dfe9416e41502b283a80c7cf19632632f96e6620"
         self.uriWithBody = self.uri + "&bodySHA256=" + self.bodyHash
+        self.duplicate_expected = 'IK+Dwps556ElfBT0I3Rgjkr1wJU='
 
     def test_compute_signature(self):
-        expected = (self.expected)
+        expected = self.expected
         signature = self.validator.compute_signature(self.uri, self.params)
         assert signature == expected
 
@@ -34,6 +42,23 @@ def test_compute_hash_unicode(self):
 
         assert expected == body_hash
 
+    def test_compute_signature_duplicate_multi_dict(self):
+        expected = self.duplicate_expected
+        params = MultiDict([
+            ("Sid", "CA123"),
+            ("SidAccount", "AC123"),
+            ("Digits", "1234"),
+            ("Digits", "5678"),
+        ])
+        signature = self.validator.compute_signature(self.uri, params)
+        assert signature == expected
+
+    def test_compute_signature_duplicate_query_dict(self):
+        expected = self.duplicate_expected
+        params = QueryDict('Sid=CA123&SidAccount=AC123&Digits=1234&Digits=5678', encoding='utf-8')
+        signature = self.validator.compute_signature(self.uri, params)
+        assert signature == expected
+
     def test_validation(self):
         assert self.validator.validate(self.uri, self.params, self.expected)
 
diff --git a/twilio/request_validator.py b/twilio/request_validator.py
@@ -73,8 +73,11 @@ def compute_signature(self, uri, params):
         """
         s = uri
         if params:
-            for k, v in sorted(params.items()):
-                s += k + v
+            for param_name in sorted(set(params)):
+                values = self.get_values(params, param_name)
+
+                for value in sorted(values):
+                    s += param_name + value
 
         # compute signature and compare signatures
         mac = hmac.new(self.token, s.encode("utf-8"), sha1)
@@ -83,6 +86,18 @@ def compute_signature(self, uri, params):
 
         return computed.strip()
 
+    def get_values(self, param_dict, param_name):
+        try:
+            # Support MultiDict used by Flask.
+            return param_dict.getall(param_name)
+        except AttributeError:
+            try:
+                # Support QueryDict used by Django.
+                return param_dict.getlist(param_name)
+            except AttributeError:
+                # Fallback to a standard dict.
+                return [param_dict[param_name]]
+
     def compute_hash(self, body):
         computed = sha256(body.encode("utf-8")).hexdigest()
 
@@ -104,8 +119,6 @@ def validate(self, uri, params, signature):
         uri_with_port = add_port(parsed_uri)
         uri_without_port = remove_port(parsed_uri)
 
-        valid_signature = False  # Default fail
-        valid_signature_with_port = False
         valid_body_hash = True  # May not receive body hash, so default succeed
 
         query = parse_qs(parsed_uri.query)
