Fix NumberFormatException in Webhook.Signature.getTimestamp

devin-ai-integration[bot] · kllyjsn · devin-ai-integration[bot] · commit 3f1997f2ff5e · 2026-04-12T19:45:56.000Z
Webhook.Signature.getTimestamp() calls Long.parseLong() on the raw timestamp value from the signature header without any error handling. If a malformed webhook header arrives with a non-numeric timestamp (e.g. t=abc,v1=sig...), the SDK throws an unhandled NumberFormatException instead of a proper SignatureVerificationException. This change wraps the Long.parseLong() call in a try-catch that returns -1 on NumberFormatException, which the caller (verifyHeader) already handles by throwing a SignatureVerificationException with a descriptive message. Added tests for: - Non-numeric timestamp values - Empty timestamp values - Overflow timestamp values (exceeding Long.MAX_VALUE) Fixes stripe#2149 Co-Authored-By: Jason Kelley <kllyjsn@gmail.com>
diff --git a/src/main/java/com/stripe/net/Webhook.java b/src/main/java/com/stripe/net/Webhook.java
@@ -183,7 +183,11 @@ private static long getTimestamp(String sigHeader) {
       for (String item : items) {
         String[] itemParts = item.split("=", 2);
         if (itemParts[0].equals("t")) {
-          return Long.parseLong(itemParts[1]);
+          try {
+            return Long.parseLong(itemParts[1]);
+          } catch (NumberFormatException e) {
+            return -1;
+          }
         }
       }
 
diff --git a/src/test/java/com/stripe/net/WebhookTest.java b/src/test/java/com/stripe/net/WebhookTest.java
@@ -160,6 +160,45 @@ public void testMalformedHeader() throws SignatureVerificationException {
     assertEquals("Unable to extract timestamp and signatures from header", exception.getMessage());
   }
 
+  @Test
+  public void testNonNumericTimestamp() throws SignatureVerificationException {
+    final String sigHeader = "t=not_a_number,v1=some_signature";
+
+    Throwable exception =
+        assertThrows(
+            SignatureVerificationException.class,
+            () -> {
+              Webhook.Signature.verifyHeader(payload, sigHeader, secret, 0, null);
+            });
+    assertEquals("Unable to extract timestamp and signatures from header", exception.getMessage());
+  }
+
+  @Test
+  public void testEmptyTimestampValue() throws SignatureVerificationException {
+    final String sigHeader = "t=,v1=some_signature";
+
+    Throwable exception =
+        assertThrows(
+            SignatureVerificationException.class,
+            () -> {
+              Webhook.Signature.verifyHeader(payload, sigHeader, secret, 0, null);
+            });
+    assertEquals("Unable to extract timestamp and signatures from header", exception.getMessage());
+  }
+
+  @Test
+  public void testOverflowTimestampValue() throws SignatureVerificationException {
+    final String sigHeader = "t=99999999999999999999,v1=some_signature";
+
+    Throwable exception =
+        assertThrows(
+            SignatureVerificationException.class,
+            () -> {
+              Webhook.Signature.verifyHeader(payload, sigHeader, secret, 0, null);
+            });
+    assertEquals("Unable to extract timestamp and signatures from header", exception.getMessage());
+  }
+
   @Test
   public void testNoSignaturesWithExpectedScheme()
       throws SignatureVerificationException, NoSuchAlgorithmException, InvalidKeyException {

Original file line number	Diff line number	Diff line change
`@@ -183,7 +183,11 @@ private static long getTimestamp(String sigHeader) {`
`183`	`183`	`for (String item : items) {`
`184`	`184`	`String[] itemParts = item.split("=", 2);`
`185`	`185`	`if (itemParts[0].equals("t")) {`
`186`		`- return Long.parseLong(itemParts[1]);`
	`186`	`+ try {`
	`187`	`+ return Long.parseLong(itemParts[1]);`
	`188`	`+ } catch (NumberFormatException e) {`
	`189`	`+ return -1;`
	`190`	`+ }`
`187`	`191`	`}`
`188`	`192`	`}`
`189`	`193`