I happened to be poking around in the details of your webhook signature-checking code, and I noticed that it does some processing on the event payload before checking the signature, in particular calling stripe.Event.construct_from on the not-yet-authenticated data (stripe-python/stripe/webhook.py, lines 23 to 26 in 15d0338):
I don't have any reason to believe that this can be used to trigger bad behaviour, but Event.construct_from seems to do quite a lot of dynamic work to hydrate the data into live objects. Calling WebhookSignature.verify_header before doing that work could be a nice defense-in-depth measure against bugs elsewhere in the codebase.
Just a small suggestion that I wanted to pass along; thanks for providing this nice library, and for an API that seems to strongly encourage the webhook-handling code down the right path security-wise!
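To make the ordering concrete, here is an added, self-contained example that is not stripe-python's own code. It models the signature scheme Stripe documents (header of the form t=<timestamp>,v1=<hex HMAC-SHA256 over "<timestamp>.<raw payload>" keyed with the endpoint secret>) and shows a construct_event that calls verify_header on the raw payload before any JSON parsing or object hydration happens. The hydrate function, the HYDRATE_LOG list and all sample values (secret, timestamp, payload) are constructed for the demonstration; the tolerance check mirrors the "reject timestamps older than tolerance" behaviour of the real library as an assumption, not a quote of it.

```python
import hashlib
import hmac
import json
import time


class SignatureVerificationError(Exception):
    """Raised when the Stripe-Signature header does not match the raw payload."""


def _parse_signature_header(sig_header):
    """Split 't=...,v1=...[,v1=...]' into (timestamp, [v1 signatures])."""
    timestamp = None
    signatures = []
    for item in sig_header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    if timestamp is None or not signatures:
        raise SignatureVerificationError("malformed Stripe-Signature header")
    return timestamp, signatures


def compute_signature(timestamp, payload, secret):
    """Hex HMAC-SHA256 over '<timestamp>.<raw payload>' keyed with the endpoint secret."""
    if isinstance(payload, bytes):
        payload = payload.decode("utf-8")
    signed_payload = "%d.%s" % (timestamp, payload)
    return hmac.new(secret.encode("utf-8"),
                    signed_payload.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def verify_header(payload, sig_header, secret, tolerance=300, now=None):
    """Check the raw payload against the header; touches nothing but bytes and the header."""
    timestamp, signatures = _parse_signature_header(sig_header)
    expected = compute_signature(timestamp, payload, secret)
    # Constant-time comparison against every v1 entry (secret rotation sends more than one).
    if not any(hmac.compare_digest(expected.encode("utf-8"), s.encode("utf-8"))
               for s in signatures):
        raise SignatureVerificationError("no v1 signature matches the expected signature")
    now = time.time() if now is None else now
    if tolerance is not None and timestamp < now - tolerance:
        raise SignatureVerificationError("timestamp outside the tolerance zone")
    return True


# Stand-in for Event.construct_from: records every call so the ordering is observable.
HYDRATE_LOG = []


def hydrate(data):
    """Constructed hydration step; the real library builds live StripeObject instances here."""
    HYDRATE_LOG.append(data["id"])
    return {"id": data["id"], "type": data["type"], "object": data["data"]["object"]}


def construct_event(payload, sig_header, secret, tolerance=300, now=None):
    """Verify first, then parse and hydrate: unauthenticated bytes never reach json.loads or hydrate."""
    verify_header(payload, sig_header, secret, tolerance, now)
    data = json.loads(payload)
    return hydrate(data)


def sign_header(payload, secret, timestamp):
    """Build a Stripe-Signature style header the way the sender would (for the demo only)."""
    return "t=%d,v1=%s" % (timestamp, compute_signature(timestamp, payload, secret))


# Constructed sample values; SAMPLE_SECRET is not a real endpoint secret.
SAMPLE_SECRET = "whsec_constructed_example_secret"
SAMPLE_TIMESTAMP = 1700000000
SAMPLE_PAYLOAD = ('{"id": "evt_constructed_1", "type": "payment_intent.succeeded", '
                  '"data": {"object": {"id": "pi_constructed_1", "amount": 1000}}}')


if __name__ == "__main__":
    header = sign_header(SAMPLE_PAYLOAD, SAMPLE_SECRET, SAMPLE_TIMESTAMP)
    print(construct_event(SAMPLE_PAYLOAD, header, SAMPLE_SECRET, now=SAMPLE_TIMESTAMP + 10))
    tampered = SAMPLE_PAYLOAD.replace('"amount": 1000', '"amount": 1')
    try:
        construct_event(tampered, header, SAMPLE_SECRET, now=SAMPLE_TIMESTAMP + 10)
    except SignatureVerificationError as exc:
        print("rejected before hydration:", exc, "| hydrate calls:", len(HYDRATE_LOG))
```

The property worth checking in a real handler is the one HYDRATE_LOG makes visible: a payload whose signature fails, or whose timestamp is stale, must never increment it. Parsing and hydration only ever run on bytes that the HMAC has already tied to the endpoint secret, so any bug in the hydration path is only reachable by a party holding that secret.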
Hi @rfk! You are entirely correct, we've made a similar change to most of our client libraries for other languages, but it looks like we never updated stripe-python.
I'll open a PR and we'll release a fix promptly. Thanks for bringing this to our attention!