Merge pull request #42 from CyberSource/future

Future

Author: shamirwasia

CyberSource/Client/CustomTextMessageEncoder.cs

@@ -61,9 +61,15 @@ public override Message ReadMessage(Stream stream, int maxSizeOfHeaders, string
         {
             var sr = new StreamReader(stream);
             var wireResponse = sr.ReadToEnd();
-           
+
+            // Fix for Xml external entity injection violation in fortify report
+            XmlReaderSettings settings = new XmlReaderSettings();
+            settings.DtdProcessing = DtdProcessing.Prohibit;
+            settings.XmlResolver = null;
+
             XmlDocument doc = new XmlDocument();
-            doc.LoadXml(wireResponse);
+            XmlReader reader = XmlReader.Create(new StringReader(wireResponse), settings);
+            doc.Load(reader);
             //We need to get rid of the security header because it is not signed by the web service.
             //The whole reason for the custom Encoder is to do this. the client rejected the unsigned header.
             //Our WCF client is set up to allow the absence of a security header but if the header exists then it must be signed.
@@ -73,7 +79,7 @@ public override Message ReadMessage(Stream stream, int maxSizeOfHeaders, string
             {
                 n.DeleteSelf();
             }
-            XmlReader reader = XmlReader.Create(new StringReader(doc.InnerXml));
+            reader = XmlReader.Create(new StringReader(doc.InnerXml), settings);
             return Message.CreateMessage(reader, maxSizeOfHeaders, MessageVersion.Soap11);
         }
 

CyberSource/Client/NVPClient.cs

@@ -80,13 +80,13 @@ public static Hashtable RunTransaction(
 
 
                     string keyFilePath = Path.Combine(config.KeysDirectory, config.EffectiveKeyFilename);
-                    proc.ClientCredentials.ClientCertificate.Certificate = new X509Certificate2(keyFilePath, config.EffectivePassword, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
+                    proc.ClientCredentials.ClientCertificate.Certificate = new X509Certificate2(keyFilePath, config.EffectivePassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
 
                     proc.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None;
 
                     // Changes for SHA2 certificates support
                     X509Certificate2Collection collection = new X509Certificate2Collection();
-                    collection.Import(keyFilePath, config.EffectivePassword, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
+                    collection.Import(keyFilePath, config.EffectivePassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
 
                     foreach (X509Certificate2 cert1 in collection)
                     {

CyberSource/Client/SoapClient.cs

@@ -80,13 +80,13 @@ public static ReplyMessage RunTransaction(
 
                     //add certificate credentials
                     string keyFilePath = Path.Combine(config.KeysDirectory,config.EffectiveKeyFilename);
-                    proc.ClientCredentials.ClientCertificate.Certificate = new X509Certificate2(keyFilePath,config.EffectivePassword, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
+                    proc.ClientCredentials.ClientCertificate.Certificate = new X509Certificate2(keyFilePath,config.EffectivePassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
 
                     proc.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None;
 
                     // Changes for SHA2 certificates support
                     X509Certificate2Collection collection = new X509Certificate2Collection();
-                    collection.Import(keyFilePath, config.EffectivePassword, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
+                    collection.Import(keyFilePath, config.EffectivePassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
 
                     foreach (X509Certificate2 cert1 in collection)
                     {
@@ -174,7 +174,14 @@ private static XmlNode SerializeObjectToXmlNode(Object obj)
                 }
                 memoryStream.Position = 0;
                 XmlDocument doc = new XmlDocument();
-                doc.Load(memoryStream);
+
+                // Fix for Xml external entity injection violation in fortify report
+                XmlReaderSettings settings = new XmlReaderSettings();
+                settings.DtdProcessing = DtdProcessing.Prohibit;
+                settings.XmlResolver = null;
+                XmlReader reader = XmlReader.Create(memoryStream, settings);
+                doc.Load(reader);
+
                 resultNode = doc.DocumentElement;
             }
 

CyberSource/Client/XmlClient.cs

@@ -27,11 +27,15 @@ public class XmlClient : BaseClient
         static XmlClient()
         {
             // load the SOAP envelope document.
-            mSoapEnvelope = new XmlDocument();
-
-
-
-            mSoapEnvelope.LoadXml(SOAP_ENVELOPE);
+            mSoapEnvelope = new XmlDocument();
+
+            // Fix for Xml external entity injection violation in fortify report
+            XmlReaderSettings settings = new XmlReaderSettings();
+            settings.DtdProcessing = DtdProcessing.Prohibit;
+            settings.XmlResolver = null;
+            XmlReader reader = XmlReader.Create(new StringReader(SOAP_ENVELOPE), settings);
+
+            mSoapEnvelope.Load(reader);
         }
 
         private XmlClient() { }
@@ -90,7 +94,7 @@ public static XmlDocument RunTransaction(
                 X509Certificate2 cybsCert = null;
 
                 X509Certificate2Collection collection = new X509Certificate2Collection();
-                collection.Import(keyFilePath, config.EffectivePassword, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
+                collection.Import(keyFilePath, config.EffectivePassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
 
                 foreach (X509Certificate2 cert1 in collection)
                 {
@@ -262,9 +266,18 @@ private static void SignDocument(X509Certificate2 cert, XmlDocument doc)
 
             doc.DocumentElement.FirstChild.FirstChild.AppendChild(doc.ImportNode(xmlDigitalSignature, true));
 
-            // Add KeyInfo Node with reference to the X509 cert
+            // Add KeyInfo Node with reference to the X509 cert
+            string keyInfoTags = "<root xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" ><ds:KeyInfo><SecurityTokenReference xmlns=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\"><wsse:Reference URI=\"#X509Token\" ValueType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3\"/></SecurityTokenReference></ds:KeyInfo></root>";
             XmlDocument keyInfo = new XmlDocument();
-            keyInfo.LoadXml("<root xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" ><ds:KeyInfo><SecurityTokenReference xmlns=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\"><wsse:Reference URI=\"#X509Token\" ValueType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3\"/></SecurityTokenReference></ds:KeyInfo></root>");
+
+            // Fix for Xml external entity injection violation in fortify report
+            XmlReaderSettings settings = new XmlReaderSettings();
+            settings.DtdProcessing = DtdProcessing.Prohibit;
+            settings.XmlResolver = null;
+            XmlReader reader = XmlReader.Create(new StringReader(keyInfoTags), settings);
+
+            //keyInfo.LoadXml("<root xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" ><ds:KeyInfo><SecurityTokenReference xmlns=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\"><wsse:Reference URI=\"#X509Token\" ValueType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3\"/></SecurityTokenReference></ds:KeyInfo></root>");
+            keyInfo.Load(reader);
             doc.DocumentElement.FirstChild.FirstChild.LastChild.AppendChild(doc.ImportNode(keyInfo.FirstChild.FirstChild, true));
 
             //Add The Base64 representation of the X509 cert to BinarySecurityToken Node
@@ -283,7 +296,14 @@ private static void encryptDocument(X509Certificate2 cert, XmlDocument doc)
                              "<xenc:ReferenceList><xenc:DataReference URI=\"#Body\"></xenc:DataReference></xenc:ReferenceList></xenc:EncryptedKey></root>";
 
             XmlDocument encryptedDataTags = new XmlDocument();
-            encryptedDataTags.LoadXml(encData);
+
+            // Fix for Xml external entity injection violation in fortify report
+            XmlReaderSettings settings = new XmlReaderSettings();
+            settings.DtdProcessing = DtdProcessing.Prohibit;
+            settings.XmlResolver = null;
+            XmlReader reader = XmlReader.Create(new StringReader(encData), settings);
+
+            encryptedDataTags.Load(reader);
             doc.DocumentElement.FirstChild.FirstChild.PrependChild(doc.ImportNode(encryptedDataTags.FirstChild.FirstChild, true));
 
             XmlElement elementToEncrypt = doc.GetElementsByTagName(REQUEST_MESSAGE)[0] as XmlElement;
@@ -403,11 +423,17 @@ private static XmlDocument ReadXml(WebResponse webResponse)
         {
             Stream stream = null;
             try
-            {
-                XmlDocument xmlDoc = new XmlDocument();
-                xmlDoc.PreserveWhitespace = true;
-                stream = webResponse.GetResponseStream();
-                xmlDoc.Load(stream);
+            {
+                XmlDocument xmlDoc = new XmlDocument();
+                xmlDoc.PreserveWhitespace = true;
+                stream = webResponse.GetResponseStream();
+
+                // Fix for Xml external entity injection violation in fortify report
+                XmlReaderSettings settings = new XmlReaderSettings();
+                settings.DtdProcessing = DtdProcessing.Prohibit;
+                settings.XmlResolver = null;
+                XmlReader reader = XmlReader.Create(stream, settings);
+                xmlDoc.Load(reader);
                 return (xmlDoc);
             }
             finally

CyberSourceSamples/src/nvp/nvpSamples/androidPayAuth.csv

@@ -0,0 +1,23 @@
+"merchantID","your_merchant_id"
+"merchantReferenceCode","your_merchant_reference_code"
+"billTo_firstName","John"
+"billTo_lastName","Doe"
+"billTo_street1","1295CharlestonRoad"
+"billTo_city","MountainView"
+"billTo_postalCode","94043"
+"billTo_state","CA"
+"billTo_country","US"
+"billTo_email","[email protected]"
+"billTo_ipAddress","10.7.111.111"
+"purchaseTotals_currency","USD"
+"item_0_unitPrice","12.34"
+"item_1_unitPrice","56.78"
+"card_accountNumber","4111111111111111"
+"card_expirationMonth","12"
+"card_expirationYear","2020"
+"ccAuthService_run","true"
+"ccAuthService_cavv","ABCDEFabcdefABCDEFabcdef0987654321234567"
+"ccAuthService_commerceIndicator","internet"
+"ccAuthService_xid","ABCDEFabcdefABCDEFabcdef0987654321234567"
+"paymentNetworkToken_transactionType","1"
+"paymentSolution","006"

CyberSourceSamples/src/nvp/nvpSamples/applePayAuth.csv

@@ -0,0 +1,23 @@
+"merchantID","your_merchant_id"
+"merchantReferenceCode","your_merchant_reference_code"
+"billTo_firstName","John"
+"billTo_lastName","Doe"
+"billTo_street1","1295CharlestonRoad"
+"billTo_city","MountainView"
+"billTo_postalCode","94043"
+"billTo_state","CA"
+"billTo_country","US"
+"billTo_email","[email protected]"
+"billTo_ipAddress","10.7.111.111"
+"purchaseTotals_currency","USD"
+"item_0_unitPrice","12.34"
+"item_1_unitPrice","56.78"
+"card_accountNumber","4111111111111111"
+"card_expirationMonth","12"
+"card_expirationYear","2020"
+"ccAuthService_run","true"
+"ccAuthService_cavv","ABCDEFabcdefABCDEFabcdef0987654321234567"
+"ccAuthService_commerceIndicator","internet"
+"ccAuthService_xid","ABCDEFabcdefABCDEFabcdef0987654321234567"
+"paymentNetworkToken_transactionType","1"
+"paymentSolution","001"

CyberSourceSamples/src/nvp/nvpSamples/auth.csv

@@ -0,0 +1,18 @@
+"merchantID","your_merchant_id"
+"merchantReferenceCode","your_merchant_reference_code"
+"billTo_firstName","John"
+"billTo_lastName","Doe"
+"billTo_street1","1295CharlestonRoad"
+"billTo_city","MountainView"
+"billTo_postalCode","94043"
+"billTo_state","CA"
+"billTo_country","US"
+"billTo_email","[email protected]"
+"billTo_ipAddress","10.7.111.111"
+"purchaseTotals_currency","USD"
+"item_0_unitPrice","12.34"
+"item_1_unitPrice","56.78"
+"card_accountNumber","4111111111111111"
+"card_expirationMonth","12"
+"card_expirationYear","2020"
+"ccAuthService_run","true"

CyberSourceSamples/src/nvp/nvpSamples/authrev.csv

@@ -0,0 +1,6 @@
+"merchantReferenceCode","your_merchant_reference_code"
+"purchaseTotals_currency","USD"
+"item_0_unitPrice","12.34"
+"item_1_unitPrice","56.78"
+"ccAuthReversalService_run","true"
+"ccAuthReversalService_authRequestID","authreqId"

CyberSourceSamples/src/nvp/nvpSamples/capture.csv

@@ -0,0 +1,7 @@
+"merchantID","your_merchant_id"
+"merchantReferenceCode","your_merchant_reference_code"
+"item_0_unitPrice","12.34"
+"item_1_unitPrice","56.78"
+"purchaseTotals_currency","USD"
+"ccCaptureService_run",true"
+"ccCaptureService_authRequestID","4803123601076369401011"

CyberSourceSamples/src/nvp/nvpSamples/credit.csv

@@ -0,0 +1,7 @@
+"merchantID","your_merchant_id"
+"merchantReferenceCode","your_merchant_reference_code"
+"purchaseTotals_currency","USD"
+"item_0_unitPrice","12.34"
+"item_1_unitPrice","56.78"
+"ccCreditService_run","true"
+"ccCreditService_captureRequestID","4803124484286005701019"