From 4f38e44aff4d7b2209e8e63fc28ed291695f857f Mon Sep 17 00:00:00 2001
From: Matthew
Date: Wed, 9 Nov 2022 12:30:20 -0600
Subject: [PATCH 1/2] Update example to follow HMAC best practice

Update the Python example for the webhook signature comparison to follow best practices. Using `hmac.compare_digest()` mitigates [timing-based attacks](https://en.wikipedia.org/wiki/Timing_attack) on the signature verification.

I've also a updated the line to pull the signature header value to use the `.get()` method in order to avoid a `KeyError` exception.
---
 .../product/integrations/integration-platform/webhooks.mdx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/docs/product/integrations/integration-platform/webhooks.mdx b/src/docs/product/integrations/integration-platform/webhooks.mdx
index f5cbe2a8d4fba1..754a8b5cfcf120 100644
--- a/src/docs/product/integrations/integration-platform/webhooks.mdx
+++ b/src/docs/product/integrations/integration-platform/webhooks.mdx
@@ -65,7 +65,7 @@ import hashlib
 import hmac
 import json
-expected_digest = request.headers['sentry-hook-signature']
+expected_digest = request.headers.get('sentry-hook-signature') # returns None if header is missing
 body = json.dumps(request.body)
 digest = hmac.new(
@@ -75,7 +75,7 @@ digest = hmac.new(
 ).hexdigest()
-if digest != expected_digest:
+if expected_digest and not hmac.compare_digest(digest, expected_digest):
     raise UnauthorizedError
 ```

From d53fd28a7e91941524c27384b440d49cfe19f58e Mon Sep 17 00:00:00 2001
From: Matthew
Date: Wed, 9 Nov 2022 18:05:19 -0600
Subject: [PATCH 2/2] Update webhooks.mdx

Separating the checks to provide more clarity
---
 .../product/integrations/integration-platform/webhooks.mdx | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/docs/product/integrations/integration-platform/webhooks.mdx b/src/docs/product/integrations/integration-platform/webhooks.mdx
index 754a8b5cfcf120..f7e5cfb6451427 100644
--- a/src/docs/product/integrations/integration-platform/webhooks.mdx
+++ b/src/docs/product/integrations/integration-platform/webhooks.mdx
@@ -65,7 +65,7 @@ import hashlib
 import hmac
 import json
-expected_digest = request.headers.get('sentry-hook-signature') # returns None if header is missing
+expected_digest = request.headers.get('sentry-hook-signature') # returns None if header is missing
 body = json.dumps(request.body)
 digest = hmac.new(
@@ -74,8 +74,10 @@ digest = hmac.new(
     digestmod=hashlib.sha256,
 ).hexdigest()
+if not expected_digest: # The signature is missing
+    raise UnauthorizedError
-if expected_digest and not hmac.compare_digest(digest, expected_digest):
+if not hmac.compare_digest(digest, expected_digest):
     raise UnauthorizedError
 ```
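Review bot: `hmac.compare_digest(digest, expected_digest)` on the new side raises `TypeError` when either `str` argument contains a non-ASCII character, and `expected_digest` comes straight from the client-controlled `sentry-hook-signature` header, so a malformed header value becomes an unhandled exception (a 500) instead of `UnauthorizedError`. Comparing bytes removes that path: `if not hmac.compare_digest(digest.encode(), expected_digest.encode()):`. Separately, `body = json.dumps(request.body)` re-serializes an already-parsed body; if that string is what is passed to `hmac.new(` (its arguments sit outside this hunk), any difference in key order, whitespace or escaping from the bytes Sentry signed will make valid signatures fail, so the example should compute the HMAC over the raw request body and say so in a comment. The `hmac.new(` call and the rest of the example start before this hunk.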