Libs(PHP): check timestamp is not float in sign()

svix-onelson · svix-onelson · commit 85ba23dcc701 · 2024-07-05T12:23:24.000-07:00
We've got a unit test that checks to see if an exception is thrown when
the given timestamp is a float.

The test case (which is totally fair) uses an input ending in `.0` which
casts cleanly enough to an int with the existing "is_positive_integer"
check such that the exception isn't thrown.

Adding a call to `is_float()` to this check gets us back to the test
passing.

N.b. the `+ 0` there is to cast the `$timestamp` variable to an actual
numeric type instead of a string for the purpose of the call.
diff --git a/php/src/Webhook.php b/php/src/Webhook.php
@@ -70,7 +70,7 @@ public function verify($payload, $headers)
 
     public function sign($msgId, $timestamp, $payload)
     {
-        $is_positive_integer = is_numeric($timestamp) && (int) $timestamp == $timestamp && (int) $timestamp > 0;
+        $is_positive_integer = is_numeric($timestamp) && !is_float($timestamp + 0) && (int) $timestamp == $timestamp && (int) $timestamp > 0;
         if (!$is_positive_integer) {
             throw new Exception\WebhookSigningException("Invalid timestamp");
         }

Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,7 @@ public function verify($payload, $headers)`
`70`	`70`
`71`	`71`	`public function sign($msgId, $timestamp, $payload)`
`72`	`72`	`{`
`73`		`- $is_positive_integer = is_numeric($timestamp) && (int) $timestamp == $timestamp && (int) $timestamp > 0;`
	`73`	`+ $is_positive_integer = is_numeric($timestamp) && !is_float($timestamp + 0) && (int) $timestamp == $timestamp && (int) $timestamp > 0;`
`74`	`74`	`if (!$is_positive_integer) {`
`75`	`75`	`throw new Exception\WebhookSigningException("Invalid timestamp");`
`76`	`76`	`}`