fix: reject malformed OpenNode hashed_order

Anshumancanrock · Anshumancanrock · commit e99c05545915 · 2026-04-11T17:08:52.000+05:30
diff --git a/src/controllers/callbacks/opennode-callback-controller.ts b/src/controllers/callbacks/opennode-callback-controller.ts
@@ -64,11 +64,24 @@ export class OpenNodeCallbackController implements IController {
 
     const expectedBuf = hmacSha256(openNodeApiKey, request.body.id)
     const actualHex = request.body.hashed_order
+    const expectedHexLength = expectedBuf.length * 2
+
+    if (
+      actualHex.length !== expectedHexLength
+      || !/^[0-9a-f]+$/i.test(actualHex)
+    ) {
+      debug('invalid hashed_order format from %s to /callbacks/opennode', remoteAddress)
+      response
+        .status(400)
+        .setHeader('content-type', 'text/plain; charset=utf8')
+        .send('Bad Request')
+      return
+    }
+
     const actualBuf = Buffer.from(actualHex, 'hex')
 
     if (
-      expectedBuf.length !== actualBuf.length
-      || !timingSafeEqual(expectedBuf, actualBuf)
+      !timingSafeEqual(expectedBuf, actualBuf)
     ) {
       debug('unauthorized request from %s to /callbacks/opennode: hashed_order mismatch', remoteAddress)
       response
diff --git a/test/unit/controllers/callbacks/opennode-callback-controller.spec.ts b/test/unit/controllers/callbacks/opennode-callback-controller.spec.ts
@@ -130,7 +130,7 @@ describe('OpenNodeCallbackController', () => {
     expect(updateInvoiceStatusStub).not.to.have.been.called
   })
 
-  it('rejects callbacks with mismatched hashed_order', async () => {
+  it('returns bad request for malformed hashed_order', async () => {
     request.body = {
       hashed_order: 'invalid',
       id: 'invoice-id',
@@ -139,6 +139,21 @@ describe('OpenNodeCallbackController', () => {
 
     await controller.handleRequest(request, response)
 
+    expect(statusStub).to.have.been.calledOnceWithExactly(400)
+    expect(setHeaderStub).to.have.been.calledOnceWithExactly('content-type', 'text/plain; charset=utf8')
+    expect(sendStub).to.have.been.calledOnceWithExactly('Bad Request')
+    expect(updateInvoiceStatusStub).not.to.have.been.called
+  })
+
+  it('rejects callbacks with mismatched hashed_order', async () => {
+    request.body = {
+      hashed_order: '0'.repeat(64),
+      id: 'invoice-id',
+      status: 'paid',
+    }
+
+    await controller.handleRequest(request, response)
+
     expect(statusStub).to.have.been.calledOnceWithExactly(403)
     expect(sendStub).to.have.been.calledOnceWithExactly('Forbidden')
     expect(updateInvoiceStatusStub).not.to.have.been.called
