fixing the security issues (#94)

Author: karen-avetisyan-mc

pom.xml

@@ -13,10 +13,9 @@
     <name>client-encryption</name>
 
     <properties>
-        <okhttp2-version>2.7.5</okhttp2-version>
         <okhttp3-version>4.12.0</okhttp3-version>
-        <google-api-client-version>2.3.0</google-api-client-version>
-        <feign-version>9.7.0</feign-version>
+        <google-api-client-version>2.4.0</google-api-client-version>
+        <feign-version>13.2.1</feign-version>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <gpg.signature.skip>false</gpg.signature.skip>
     </properties>
@@ -69,13 +68,6 @@
             <scope>provided</scope>
         </dependency>
 
-        <dependency>
-            <groupId>com.squareup.okhttp</groupId>
-            <artifactId>okhttp</artifactId>
-            <version>${okhttp2-version}</version>
-            <scope>provided</scope>
-        </dependency>
-
         <dependency>
             <groupId>com.google.api-client</groupId>
             <artifactId>google-api-client</artifactId>

src/main/java/com/mastercard/developer/interceptors/OkHttp2EncryptionInterceptor.java

@@ -2,11 +2,11 @@
 
 import com.mastercard.developer.encryption.EncryptionConfig;
 import com.mastercard.developer.encryption.EncryptionException;
-import com.squareup.okhttp.Request;
-import com.squareup.okhttp.RequestBody;
-import com.squareup.okhttp.Response;
-import com.squareup.okhttp.ResponseBody;
-import com.squareup.okhttp.Interceptor;
+import okhttp3.Request;
+import okhttp3.RequestBody;
+import okhttp3.Response;
+import okhttp3.ResponseBody;
+import okhttp3.Interceptor;
 import okio.Buffer;
 import java.io.IOException;
 import static com.mastercard.developer.utils.StringUtils.isNullOrEmpty;
@@ -15,7 +15,7 @@ public abstract class OkHttp2EncryptionInterceptor implements Interceptor {
 
     protected abstract String encryptPayload(Request request, Request.Builder newBuilder, String requestPayload) throws EncryptionException;
 
-    protected abstract String decryptPayload(com.squareup.okhttp.Response response, com.squareup.okhttp.Response.Builder newBuilder, String responsePayload) throws EncryptionException;
+    protected abstract String decryptPayload(Response response, Response.Builder newBuilder, String responsePayload) throws EncryptionException;
 
     public static OkHttp2EncryptionInterceptor from(EncryptionConfig config) {
         return config.getScheme().equals(EncryptionConfig.Scheme.JWE) ? new OkHttp2JweInterceptor(config) : new OkHttp2FieldLevelEncryptionInterceptor(config);
@@ -48,7 +48,7 @@ private Request handleRequest(Request request) throws IOException {
             Request.Builder requestBuilder = request.newBuilder();
             String encryptedPayload = encryptPayload(request, requestBuilder, requestPayload);
 
-            RequestBody encryptedBody = RequestBody.create(requestBody.contentType(), encryptedPayload);
+            RequestBody encryptedBody = RequestBody.create(encryptedPayload.getBytes(), requestBody.contentType());
             return requestBuilder
                     .method(request.method(), encryptedBody)
                     .header("Content-Length", String.valueOf(encryptedBody.contentLength()))
@@ -79,7 +79,7 @@ private Response handleResponse(Response response) throws IOException {
             Response.Builder responseBuilder = response.newBuilder();
             String decryptedPayload = decryptPayload(response, responseBuilder, responsePayload);
 
-            try (ResponseBody decryptedBody = ResponseBody.create(responseBody.contentType(), decryptedPayload)) {
+            try (ResponseBody decryptedBody = ResponseBody.create(decryptedPayload.getBytes(), responseBody.contentType())) {
                 return responseBuilder
                         .body(decryptedBody)
                         .header("Content-Length", String.valueOf(decryptedBody.contentLength()))
@@ -89,4 +89,5 @@ private Response handleResponse(Response response) throws IOException {
             throw new IOException("Failed to intercept and decrypt response!", e);
         }
     }
+
 }

src/main/java/com/mastercard/developer/interceptors/OkHttp2FieldLevelEncryptionInterceptor.java

@@ -1,7 +1,9 @@
 package com.mastercard.developer.interceptors;
 
 import com.mastercard.developer.encryption.*;
-import com.squareup.okhttp.*;
+import okhttp3.Request;
+import okhttp3.Response;
+
 
 /**
  * An OkHttp2 interceptor for encrypting/decrypting parts of HTTP payloads.

src/main/java/com/mastercard/developer/interceptors/OkHttp2JweInterceptor.java

@@ -4,8 +4,9 @@
 import com.mastercard.developer.encryption.EncryptionException;
 import com.mastercard.developer.encryption.JweConfig;
 import com.mastercard.developer.encryption.JweEncryption;
-import com.squareup.okhttp.Request;
-import com.squareup.okhttp.Response;
+import okhttp3.Request;
+import okhttp3.Response;
+
 
 /**
  * An OkHttp2 JWE interceptor for encrypting/decrypting parts of HTTP payloads.

src/main/java/com/mastercard/developer/interceptors/OpenFeignDecoderExecutor.java

@@ -42,7 +42,7 @@ public Object decode(Response response, Type type) throws IOException {
             }
 
             // Read response payload
-            String responsePayload = Util.toString(body.asReader());
+            String responsePayload = Util.toString(body.asReader(StandardCharsets.UTF_8));
 
             // Decrypt fields & update headers
             String decryptedPayload = decryptPayload(response, responsePayload);
@@ -53,7 +53,7 @@ public Object decode(Response response, Type type) throws IOException {
                     .body(decryptedPayload, StandardCharsets.UTF_8)
                     .build();
         } catch (EncryptionException e) {
-            throw new DecodeException("Failed to intercept and decrypt response!", e);
+            throw new DecodeException(response.status(), "Failed to intercept and decrypt response!", response.request(), e);
         }
 
         // Call the regular decoder

src/test/java/com/mastercard/developer/interceptors/OkHttp2FieldLevelEncryptionInterceptorTest.java

@@ -4,7 +4,12 @@
 import com.mastercard.developer.encryption.EncryptionException;
 import com.mastercard.developer.encryption.FieldLevelEncryptionConfig;
 import com.mastercard.developer.test.TestUtils;
-import com.squareup.okhttp.*;
+import okhttp3.MediaType;
+import okhttp3.Protocol;
+import okhttp3.Request;
+import okhttp3.RequestBody;
+import okhttp3.Response;
+import okhttp3.ResponseBody;
 import okio.Buffer;
 import org.junit.Rule;
 import org.junit.Test;
@@ -15,11 +20,12 @@
 
 import static com.mastercard.developer.test.TestUtils.assertPayloadEquals;
 import static com.mastercard.developer.test.TestUtils.getTestFieldLevelEncryptionConfigBuilder;
-import static com.squareup.okhttp.Interceptor.Chain;
+import static okhttp3.Interceptor.Chain;
 import static org.hamcrest.core.Is.isA;
 import static org.junit.Assert.*;
 import static org.mockito.Mockito.*;
 
+
 public class OkHttp2FieldLevelEncryptionInterceptorTest {
 
     private static final MediaType JSON_MEDIA_TYPE = MediaType.parse("application/json; charset=utf-8");
@@ -143,6 +149,7 @@ public void testIntercept_ShouldDecryptResponsePayloadAndUpdateContentLengthHead
                 .request(request)
                 .code(200)
                 .protocol(Protocol.HTTP_1_1)
+                .message("")
                 .build();
         Chain chain = mock(Chain.class);
         when(request.body()).thenReturn(null);

src/test/java/com/mastercard/developer/interceptors/OkHttp2JweInterceptorTest.java

@@ -1,7 +1,14 @@
 package com.mastercard.developer.interceptors;
 
-import com.mastercard.developer.encryption.*;
-import com.squareup.okhttp.*;
+import com.mastercard.developer.encryption.EncryptionConfig;
+import com.mastercard.developer.encryption.EncryptionException;
+import com.mastercard.developer.encryption.JweConfig;
+import okhttp3.Protocol;
+import okhttp3.Request;
+import okhttp3.RequestBody;
+import okhttp3.Response;
+import okhttp3.ResponseBody;
+import okhttp3.MediaType;
 import okio.Buffer;
 import org.junit.Rule;
 import org.junit.Test;
@@ -12,10 +19,16 @@
 
 import static com.mastercard.developer.test.TestUtils.assertPayloadEquals;
 import static com.mastercard.developer.test.TestUtils.getTestJweConfigBuilder;
-import static com.squareup.okhttp.Interceptor.Chain;
+import static okhttp3.Interceptor.Chain;
 import static org.hamcrest.core.Is.isA;
-import static org.junit.Assert.*;
-import static org.mockito.Mockito.*;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
+import static org.mockito.Mockito.when;
 
 public class OkHttp2JweInterceptorTest {
 
@@ -106,6 +119,7 @@ public void testIntercept_ShouldDecryptResponsePayloadAndUpdateContentLengthHead
                 .request(request)
                 .code(200)
                 .protocol(Protocol.HTTP_1_1)
+                .message("")
                 .build();
         Chain chain = mock(Chain.class);
         when(request.body()).thenReturn(null);
@@ -136,6 +150,7 @@ public void testInterceptResponse_ShouldDecryptWithA128CBC_HS256Encryption() thr
                 .body(ResponseBody.create(JSON_MEDIA_TYPE, encryptedPayload))
                 .request(request)
                 .code(200)
+                .message("")
                 .protocol(Protocol.HTTP_1_1)
                 .build();
         Chain chain = mock(Chain.class);

src/test/java/com/mastercard/developer/interceptors/OkHttpFieldLevelEncryptionInterceptorTest.java

@@ -4,7 +4,12 @@
 import com.mastercard.developer.encryption.EncryptionException;
 import com.mastercard.developer.encryption.FieldLevelEncryptionConfig;
 import com.mastercard.developer.test.TestUtils;
-import okhttp3.*;
+import okhttp3.Protocol;
+import okhttp3.Request;
+import okhttp3.RequestBody;
+import okhttp3.Response;
+import okhttp3.ResponseBody;
+import okhttp3.MediaType;
 import okio.Buffer;
 import org.junit.Rule;
 import org.junit.Test;

src/test/java/com/mastercard/developer/interceptors/OkHttpJweInterceptorTest.java

@@ -3,7 +3,12 @@
 import com.mastercard.developer.encryption.EncryptionConfig;
 import com.mastercard.developer.encryption.EncryptionException;
 import com.mastercard.developer.encryption.JweConfig;
-import okhttp3.*;
+import okhttp3.Protocol;
+import okhttp3.Request;
+import okhttp3.RequestBody;
+import okhttp3.Response;
+import okhttp3.ResponseBody;
+import okhttp3.MediaType;
 import okio.Buffer;
 import org.junit.Rule;
 import org.junit.Test;

src/test/java/com/mastercard/developer/interceptors/OpenFeignFieldLevelEncryptionDecoderTest.java

@@ -12,18 +12,23 @@
 import org.mockito.ArgumentCaptor;
 
 import java.lang.reflect.Type;
-import java.nio.charset.StandardCharsets;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
 
 import static com.mastercard.developer.test.TestUtils.assertPayloadEquals;
 import static com.mastercard.developer.test.TestUtils.getTestFieldLevelEncryptionConfigBuilder;
 import static com.mastercard.developer.utils.FeignUtils.readHeader;
+import static com.mastercard.developer.utils.HttpHelpers.buildDummyRequest;
+import static com.mastercard.developer.utils.HttpHelpers.buildResponse;
 import static org.hamcrest.core.Is.isA;
-import static org.junit.Assert.*;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
 import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.*;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
+import static org.mockito.Mockito.when;
 
 public class OpenFeignFieldLevelEncryptionDecoderTest {
 
@@ -52,11 +57,7 @@ public void testDecode_ShouldDecryptResponsePayloadAndUpdateContentLengthHeader(
                 put("content-length", Collections.singleton("100"));
             }
         };
-        Response response = Response.builder()
-                .status(200)
-                .headers(headers)
-                .body(encryptedPayload, StandardCharsets.UTF_8)
-                .build();
+        Response response = buildResponse(encryptedPayload);
         Decoder delegate = mock(Decoder.class);
 
         // WHEN
@@ -99,7 +100,7 @@ public void testDecode_ShouldDoNothing_WhenEmptyPayload() throws Exception {
         FieldLevelEncryptionConfig config = getTestFieldLevelEncryptionConfigBuilder().build();
         Type type = mock(Type.class);
         Response response = mock(Response.class);
-        when(response.body()).thenReturn(buildResponseBody(""));
+        when(response.body()).thenReturn(buildResponse("").body());
         Decoder delegate = mock(Decoder.class);
 
         // WHEN
@@ -128,7 +129,8 @@ public void testDecode_ShouldThrowDecodeException_WhenDecryptionFails() throws E
                 .build();
         Type type = mock(Type.class);
         Response response = mock(Response.class);
-        when(response.body()).thenReturn(buildResponseBody(encryptedPayload));
+        when(response.body()).thenReturn(buildResponse(encryptedPayload).body());
+        when(response.request()).thenReturn(buildDummyRequest(encryptedPayload));
         Decoder delegate = mock(Decoder.class);
 
         // THEN
@@ -170,11 +172,7 @@ public void testDecode_ShouldDecryptResponsePayloadAndRemoveEncryptionHttpHeader
                 put("x-encryption-certificate-fingerprint", Collections.singleton("80810fc13a8319fcf0e2ec322c82a4c304b782cc3ce671176343cfe8160c2279"));
             }
         };
-        Response response = Response.builder()
-                .status(200)
-                .headers(headers)
-                .body(encryptedPayload, StandardCharsets.UTF_8)
-                .build();
+        Response response = buildResponse(encryptedPayload, headers);
         Decoder delegate = mock(Decoder.class);
 
         // WHEN
@@ -195,12 +193,4 @@ public void testDecode_ShouldDecryptResponsePayloadAndRemoveEncryptionHttpHeader
         assertNull(readHeader(responseValue, "x-encryption-certificate-fingerprint"));
     }
 
-    private static Response.Body buildResponseBody(String payload) {
-        Response response = Response.builder()
-                .status(200)
-                .headers(new HashMap<>())
-                .body(payload, StandardCharsets.UTF_8)
-                .build();
-        return response.body();
-    }
 }