Adyen has utility methods for validating notification HMAC signatures. The is_valid_hmac and is_valid_hmac_notification methods are vulnerable to a timing attack; you should compare the hash of the HMACs instead.
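The defect described above next to two safe forms, as an added example written for this page and not the library's own code: the naive `==` check, the constant-time `hmac.compare_digest` check, and the advisory's hash-then-compare approach. The key, payload and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample values for this example only (not a real key or webhook).
HMAC_KEY_HEX = "0b" * 32          # hypothetical 32-byte key, hex-encoded
SAMPLE_PAYLOAD = b"8515131751004933:TestMerchant:1000:EUR:AUTHORISATION:true"


def compute_signature(payload: bytes, key_hex: str) -> str:
    """HMAC-SHA256 over the payload, base64-encoded (the shape webhook signatures use)."""
    key = bytes.fromhex(key_hex)
    digest = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def is_valid_hmac_naive(payload: bytes, key_hex: str, received: str) -> bool:
    """Vulnerable pattern: '==' stops at the first differing byte, so the time a
    verification takes depends on how many leading bytes of 'received' match."""
    return compute_signature(payload, key_hex) == received


def is_valid_hmac_safe(payload: bytes, key_hex: str, received: str) -> bool:
    """Hardened: hmac.compare_digest takes time independent of where inputs differ."""
    expected = compute_signature(payload, key_hex).encode("ascii")
    return hmac.compare_digest(expected, received.encode("utf-8"))


def is_valid_hmac_hashed(payload: bytes, key_hex: str, received: str) -> bool:
    """The advisory's suggestion: hash both sides first, so the equality check runs
    over digests whose bytes are unrelated to the position of any mismatch."""
    expected = hashlib.sha256(compute_signature(payload, key_hex).encode("ascii")).digest()
    got = hashlib.sha256(received.encode("utf-8")).digest()
    return expected == got


if __name__ == "__main__":
    sig = compute_signature(SAMPLE_PAYLOAD, HMAC_KEY_HEX)
    print("valid   :", is_valid_hmac_safe(SAMPLE_PAYLOAD, HMAC_KEY_HEX, sig))
    print("tampered:", is_valid_hmac_safe(SAMPLE_PAYLOAD + b"x", HMAC_KEY_HEX, sig))
```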
github.com/Adyen/adyen-python-api-library
github.com/Adyen/adyen-python-api-library/commit/3292133dbc00ffc4cccfb92de672a76eaa587ca5
github.com/Adyen/adyen-python-api-library/issues/168
github.com/Adyen/adyen-python-api-library/pull/170
github.com/pypa/advisory-database/tree/main/vulns/adyen/PYSEC-2023-1.yaml