fix: Vulnerability fix for starkbank-ecdsa 2.2.0 dependency (#1085)

ranjanprasad1996 · tiwarishubham635 · web-flow · commit 6eb4375f4d1e · 2025-05-09T20:54:52.000+05:30
* Updated webhook helper to use a different edcsa library

* chore: dummy commit

* Update dependencies

---------

Co-authored-by: Shubham &lt;tiwarishubham635@gmail.com&gt;
diff --git a/requirements.txt b/requirements.txt
@@ -1,6 +1,6 @@
-Flask==1.1.2
+Flask==3.1.0
 PyYAML>=4.2b1
 python-http-client>=3.2.1
-six==1.11.0
-starkbank-ecdsa>=2.0.1
+six==1.17.0
+ecdsa>=0.19.1,<1
 more-itertools==5.0.0
diff --git a/sendgrid/helpers/eventwebhook/__init__.py b/sendgrid/helpers/eventwebhook/__init__.py
@@ -1,8 +1,7 @@
-from ellipticcurve.ecdsa import Ecdsa
-from ellipticcurve.publicKey import PublicKey
-from ellipticcurve.signature import Signature
-
-from .eventwebhook_header import EventWebhookHeader
+from ecdsa import VerifyingKey, BadSignatureError
+from ecdsa.util import sigdecode_der
+import base64
+import hashlib
 
 class EventWebhook:
     """
@@ -20,14 +19,15 @@ def __init__(self, public_key=None):
 
     def convert_public_key_to_ecdsa(self, public_key):
         """
-        Convert the public key string to a ECPublicKey.
+        Convert the public key string to a VerifyingKey object.
 
         :param public_key: verification key under Mail Settings
         :type public_key string
-        :return: public key using the ECDSA algorithm
-        :rtype PublicKey
+        :return: VerifyingKey object using the ECDSA algorithm
+        :rtype VerifyingKey
         """
-        return PublicKey.fromPem('\n-----BEGIN PUBLIC KEY-----\n'+public_key+'\n-----END PUBLIC KEY-----\n')
+        pem_key = "-----BEGIN PUBLIC KEY-----\n" + public_key + "\n-----END PUBLIC KEY-----"
+        return VerifyingKey.from_pem(pem_key)
 
     def verify_signature(self, payload, signature, timestamp, public_key=None):
         """
@@ -40,11 +40,15 @@ def verify_signature(self, payload, signature, timestamp, public_key=None):
         :param timestamp: value obtained from the 'X-Twilio-Email-Event-Webhook-Timestamp' header
         :type timestamp: string
         :param public_key: elliptic curve public key
-        :type public_key: PublicKey
+        :type public_key: VerifyingKey
         :return: true or false if signature is valid
         """
-        timestamped_payload = timestamp + payload
-        decoded_signature = Signature.fromBase64(signature)
+        timestamped_payload = (timestamp + payload).encode('utf-8')
+        decoded_signature = base64.b64decode(signature)
 
         key = public_key or self.public_key
-        return Ecdsa.verify(timestamped_payload, decoded_signature, key)
+        try:
+            key.verify(decoded_signature, timestamped_payload, hashfunc=hashlib.sha256, sigdecode=sigdecode_der)
+            return True
+        except BadSignatureError:
+            return False
