Fix unhandled NumberFormatException in webhook timestamp parsing

Nepomuk5665 · Nepomuk5665 · commit bdcd8475eec3 · 2026-01-24T15:00:02.000+01:00
When parsing the Stripe-Signature header, getTimestamp() calls Long.parseLong()
on the timestamp value without catching NumberFormatException. If a malformed
header contains a non-numeric timestamp value (e.g., 't=not_a_number'), the
exception propagates up uncaught, rather than being wrapped in a
SignatureVerificationException as documented.

This commit catches NumberFormatException and returns -1, which causes
verifyHeader() to throw the expected SignatureVerificationException with
the message 'Unable to extract timestamp and signatures from header'.

Also adds a test case for malformed timestamp values.
diff --git a/src/main/java/com/stripe/net/Webhook.java b/src/main/java/com/stripe/net/Webhook.java
@@ -176,7 +176,11 @@ private static long getTimestamp(String sigHeader) {
       for (String item : items) {
         String[] itemParts = item.split("=", 2);
         if (itemParts[0].equals("t")) {
-          return Long.parseLong(itemParts[1]);
+          try {
+            return Long.parseLong(itemParts[1]);
+          } catch (NumberFormatException e) {
+            return -1;
+          }
         }
       }
 
diff --git a/src/test/java/com/stripe/net/WebhookTest.java b/src/test/java/com/stripe/net/WebhookTest.java
@@ -160,6 +160,21 @@ public void testMalformedHeader() throws SignatureVerificationException {
     assertEquals("Unable to extract timestamp and signatures from header", exception.getMessage());
   }
 
+  @Test
+  public void testMalformedTimestampValue() throws SignatureVerificationException {
+    // Test with non-numeric timestamp value - should throw SignatureVerificationException,
+    // not NumberFormatException
+    final String sigHeader = "t=not_a_number,v1=somesignature";
+
+    Throwable exception =
+        assertThrows(
+            SignatureVerificationException.class,
+            () -> {
+              Webhook.Signature.verifyHeader(payload, sigHeader, secret, 0, null);
+            });
+    assertEquals("Unable to extract timestamp and signatures from header", exception.getMessage());
+  }
+
   @Test
   public void testNoSignaturesWithExpectedScheme()
       throws SignatureVerificationException, NoSuchAlgorithmException, InvalidKeyException {

Original file line number	Diff line number	Diff line change
`@@ -176,7 +176,11 @@ private static long getTimestamp(String sigHeader) {`
`176`	`176`	`for (String item : items) {`
`177`	`177`	`String[] itemParts = item.split("=", 2);`
`178`	`178`	`if (itemParts[0].equals("t")) {`
`179`		`- return Long.parseLong(itemParts[1]);`
	`179`	`+ try {`
	`180`	`+ return Long.parseLong(itemParts[1]);`
	`181`	`+ } catch (NumberFormatException e) {`
	`182`	`+ return -1;`
	`183`	`+ }`
`180`	`184`	`}`
`181`	`185`	`}`
`182`	`186`