From c6ac24972182b95a05b14dbe0145e5559659a9aa Mon Sep 17 00:00:00 2001
From: Li Yao Dong <liyaodong@Lis-MacBook-Pro.local>
Date: Wed, 10 Jul 2024 15:08:54 +0800
Subject: [PATCH] fix: possible panic case if ios payment callback comes from
 unauthorised party

---
 appstore/cert.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/appstore/cert.go b/appstore/cert.go
index a64ade2..1ebef24 100644
--- a/appstore/cert.go
+++ b/appstore/cert.go
@@ -52,7 +52,9 @@ func (c *Cert) extractCertByIndex(tokenStr string, index int) ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-
+	if len(header.X5c) <= 0 || index >= len(header.X5c) {
+		return nil, errors.New("failed to extract cert from x5c header, possible unauthorised request detected")
+	}
 	certByte, err := base64.StdEncoding.DecodeString(header.X5c[index])
 	if err != nil {
 		return nil, err
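Review bot: The added guard before `header.X5c[index]` checks only the upper bound, so a negative `index` still reaches the slice access and panics in the same way; `len(header.X5c) <= 0` also becomes redundant once both bounds are checked. Suggest `if index < 0 || index >= len(header.X5c) {`. The x5c header is presumably read from the token before its signature is verified, so any sender of a callback can reach this path. A package-level sentinel error, rather than an inline `errors.New`, would let the handler distinguish a malformed or unauthenticated token from an internal failure via `errors.Is` and log it accordingly. The hunk adds no import, so confirm that `errors` is already imported in cert.go. The body of extractCertByIndex starts and ends outside the hunk.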