Skip to content

Commit 40f1a7f

Browse files
mahmishrmahmishr
authored
Merge pull request #168 from CyberSource/feature/security-fix
security vulnerability fix code
2 parents e78f816 + 094788f commit 40f1a7f

File tree

3 files changed

+41
-42
lines changed

3 files changed

+41
-42
lines changed

package.json

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -25,8 +25,7 @@
2525
"promise": "^8.3.0",
2626
"winston": "^3.11.0",
2727
"winston-daily-rotate-file": "^4.7.1",
28-
"node-jose": "^2.2.0",
29-
"jwk-to-pem": "^2.0.7"
28+
"node-jose": "^2.2.0"
3029
},
3130
"keywords": [
3231
"nodeJS"

src/index.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7703,7 +7703,7 @@
77037703
OAuthApi: OAuthApi
77047704
};
77057705

7706-
exports.TokenVerification = require('./utilities/flex/TokenVerification.js');
7706+
// exports.TokenVerification = require('./utilities/flex/TokenVerification.js');
77077707
exports.Authorization = require('./authentication/core/Authorization.js');
77087708
exports.MerchantConfig = require('./authentication/core/MerchantConfig.js');
77097709
exports.Logger = require('./authentication/logging/Logger.js');

src/utilities/flex/TokenVerification.js

Lines changed: 39 additions & 39 deletions
Original file line numberDiff line numberDiff line change
@@ -1,50 +1,50 @@
1-
'use strict';
1+
// 'use strict';
22

3-
const crypto = require('crypto');
4-
const jwkToPem = require('jwk-to-pem');
3+
// const crypto = require('crypto');
4+
// const jwkToPem = require('jwk-to-pem');
55

6-
/**
7-
* This function has all the merchentConfig properties getters and setters methods
8-
*
9-
* @param result
10-
*/
11-
function TokenVerification() {
6+
// /**
7+
// * This function has all the merchentConfig properties getters and setters methods
8+
// *
9+
// * @param result
10+
// */
11+
// function TokenVerification() {
1212

13-
}
13+
// }
1414

15-
function isPemFormattedString(input) {
16-
return typeof input === 'string' && /^-----BEGIN PUBLIC KEY-----[\S\s]*-----END PUBLIC KEY-----/.test(input);
17-
}
15+
// function isPemFormattedString(input) {
16+
// return typeof input === 'string' && /^-----BEGIN PUBLIC KEY-----[\S\s]*-----END PUBLIC KEY-----/.test(input);
17+
// }
1818

19-
function isBase64String(input) {
20-
return typeof input === 'string' && /^[a-zA-Z0-9+/=]*$/g.test(input);
21-
}
19+
// function isBase64String(input) {
20+
// return typeof input === 'string' && /^[a-zA-Z0-9+/=]*$/g.test(input);
21+
// }
2222

23-
function base64toPem(base64) {
24-
const urlDecoded = base64.replace(/-/g, '+').replace(/_/g, '/');
23+
// function base64toPem(base64) {
24+
// const urlDecoded = base64.replace(/-/g, '+').replace(/_/g, '/');
2525

26-
return [
27-
'-----BEGIN PUBLIC KEY-----',
28-
...urlDecoded.match(/.{1,64}/g),
29-
'-----END PUBLIC KEY-----',
30-
].join('\n');
31-
}
26+
// return [
27+
// '-----BEGIN PUBLIC KEY-----',
28+
// ...urlDecoded.match(/.{1,64}/g),
29+
// '-----END PUBLIC KEY-----',
30+
// ].join('\n');
31+
// }
3232

33-
TokenVerification.prototype.verifyToken = function verifyToken(publicKey, token) {
34-
if (typeof token !== 'object' || !token) throw new Error('Invalid token object');
35-
if (!Object.prototype.hasOwnProperty.call(token, 'signature')) throw new Error('token.signature is missing');
36-
if (!Object.prototype.hasOwnProperty.call(token, 'signedFields')) throw new Error('token.signedFields is missing');
33+
// TokenVerification.prototype.verifyToken = function verifyToken(publicKey, token) {
34+
// if (typeof token !== 'object' || !token) throw new Error('Invalid token object');
35+
// if (!Object.prototype.hasOwnProperty.call(token, 'signature')) throw new Error('token.signature is missing');
36+
// if (!Object.prototype.hasOwnProperty.call(token, 'signedFields')) throw new Error('token.signedFields is missing');
3737

38-
let pem;
39-
if (typeof publicKey === 'object') pem = jwkToPem(publicKey);
40-
else if (isPemFormattedString(publicKey)) pem = publicKey;
41-
else if (isBase64String(publicKey)) pem = base64toPem(publicKey);
42-
else {
43-
throw new Error('Invalid publicKey parameter');
44-
}
38+
// let pem;
39+
// if (typeof publicKey === 'object') pem = jwkToPem(publicKey);
40+
// else if (isPemFormattedString(publicKey)) pem = publicKey;
41+
// else if (isBase64String(publicKey)) pem = base64toPem(publicKey);
42+
// else {
43+
// throw new Error('Invalid publicKey parameter');
44+
// }
4545

46-
const dataToVerify = token.signedFields.split(',').map(field => token[field]).join(',');
47-
return crypto.createVerify('RSA-SHA512').update(dataToVerify).verify(pem, token.signature, 'base64');
48-
};
46+
// const dataToVerify = token.signedFields.split(',').map(field => token[field]).join(',');
47+
// return crypto.createVerify('RSA-SHA512').update(dataToVerify).verify(pem, token.signature, 'base64');
48+
// };
4949

50-
module.exports = TokenVerification;
50+
// module.exports = TokenVerification;

0 commit comments

Comments
 (0)