-
Notifications
You must be signed in to change notification settings - Fork 730
fix: #1108 - Replace ecdsa with cryptography #1114
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
Thanks for raising this PR. I can review this. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pull Request Overview
This PR replaces the ecdsa
library with the cryptography
library for handling ECDSA signature verification in the SendGrid Python SDK. This change affects the event webhook functionality that validates incoming webhook signatures from SendGrid.
Key changes:
- Replaces
ecdsa
dependency withcryptography
in package requirements - Updates imports and signature verification logic in the EventWebhook class
- Updates documentation references across README and CONTRIBUTING files
Reviewed Changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 3 comments.
Show a summary per file
File | Description |
---|---|
setup.py | Replaces ecdsa dependency with cryptography>=45.0.6 |
sendgrid/helpers/eventwebhook/init.py | Updates signature verification implementation to use cryptography library |
README.rst | Updates dependency documentation reference |
README.md | Updates dependency documentation reference |
CONTRIBUTING.md | Updates development dependency reference |
I see the verify signature test is passing. So it seems to be fine. Can you please do the above mentioned changes so that we can merge it? Thanks! |
@tiwarishubham635 Fixed |
Hey @tiwarishubham635 , is there anything pending to merge this? One would expect security fixes to be a high priority for Twilio... |
@tiwarishubham635 @twilio-product-security Hi, is there anything I can do to help speed up merging this security fix? Kind regards, |
Hi, any update on this PR? Thanks! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This PR successfully addresses the security vulnerabilities in the ecdsa dependency by migrating to the industry-standard cryptography library. The implementation is clean and maintains backward compatibility.
Minor Suggestion:
Version Constraint: Consider if cryptography>=45.0.6 is too restrictive - you might want to allow a broader range like >=45.0.6,<46 to avoid forcing users to upgrade to very recent versions.
This is a breaking change as it adds a new client requirement for a Rust toolchain that never existed before. Please can such things be put behind a Major version change, this broke our build as we now have to explicitly mark this "patch" version as incompatible. |
Fixes #1108
Fixes
A short description of what this PR does.
Checklist
If you have questions, please file a support ticket.