Fixes for security findings

Author: gnongsie

cybersource-rest-auth-netstandard/AuthenticationSdk/AuthenticationSdk/AuthenticationSdk.csproj

@@ -36,6 +36,7 @@
 
   <ItemGroup>
     <PackageReference Include="jose-jwt" Version="4.1.0" />
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
     <PackageReference Include="NLog" Version="5.0.0" />
     <PackageReference Include="Portable.BouncyCastle" Version="1.9.0" />
     <PackageReference Include="System.Configuration.ConfigurationManager" Version="6.0.0" />

cybersource-rest-auth-netstandard/AuthenticationSdk/AuthenticationSdk/core/Authorize.cs

@@ -63,12 +63,12 @@ public HttpToken GetSignature()
                     _logger.Debug($"Date: {signatureObj.GmtDateTime}");
                     _logger.Debug($"Host: {signatureObj.HostName}");
 
-                    if (_merchantConfig.IsPostRequest || _merchantConfig.IsPutRequest || _merchantConfig.IsPatchRequest)
-                    {
-                        _logger.Debug($"digest: {signatureObj.Digest}");
-                    }
+                    //if (_merchantConfig.IsPostRequest || _merchantConfig.IsPutRequest || _merchantConfig.IsPatchRequest)
+                    //{
+                    //    _logger.Debug($"digest: {signatureObj.Digest}");
+                    //}
 
-                    logUtility.LogDebugMessage( _logger, $"Signature : {signatureObj.SignatureParam}");
+                    //logUtility.LogDebugMessage( _logger, $"Signature : {signatureObj.SignatureParam}");
 
                     return signatureObj;
                 }
@@ -112,7 +112,7 @@ public JwtToken GetToken()
                         _logger.Debug("Content-Type: application/hal+json");
                     }
 
-                    logUtility.LogDebugMessage(_logger, $"Authorization : Bearer {tokenObj.BearerToken}");
+                    //logUtility.LogDebugMessage(_logger, $"Authorization : Bearer {tokenObj.BearerToken}");
 
                     return tokenObj;
                 }
@@ -156,7 +156,7 @@ public OAuthToken GetOAuthToken()
                         _logger.Debug("Content-Type: application/hal+json");
                     }
 
-                    logUtility.LogDebugMessage(_logger, $"Authorization : Bearer {tokenObj.AccessToken}");
+                    //logUtility.LogDebugMessage(_logger, $"Authorization : Bearer {tokenObj.AccessToken}");
 
                     return tokenObj;
                 }

cybersource-rest-auth-netstandard/AuthenticationSdk/AuthenticationSdk/util/LogUtility.cs

@@ -1,4 +1,5 @@
-using NLog;
+using Newtonsoft.Json.Linq;
+using NLog;
 using System;
 using System.Collections.Generic;
 using System.Text;
@@ -9,6 +10,7 @@ namespace AuthenticationSdk.util
     public class LogUtility
     {
         private static Dictionary<string, string> sensitiveTags = new Dictionary<string, string>();
+        private static List<string> sensitiveTagsList = new List<string>();
         private static Dictionary<string, string> authenticationTags = new Dictionary<string, string>();
 
         public LogUtility()
@@ -34,9 +36,11 @@ private void LoadSensitiveDataConfiguration()
             lock(mutex)
             {
                 sensitiveTags.Clear();
+                sensitiveTagsList.Clear();
                 authenticationTags.Clear();
 
                 sensitiveTags = SensitiveTags.getSensitiveTags();
+                sensitiveTagsList = SensitiveTags.getSensitiveTagsList();
                 authenticationTags = AuthenticationTags.getAuthenticationTags();
 
                 loaded = true;
@@ -45,54 +49,67 @@ private void LoadSensitiveDataConfiguration()
 
         public string MaskSensitiveData(string str)
         {
+            bool isJsonString;
             try
             {
-                foreach (KeyValuePair<string, string> tag in sensitiveTags)
-                {
-                    //removing the space and hypen from PAN details before masking
-                    if (tag.Key.StartsWith("\\\"number\\\"") || tag.Key.StartsWith("\\\"cardNumber\\\"") || tag.Key.StartsWith("\\\"account\\\"")
-                         || tag.Key.StartsWith("\\\"prefix\\\"") || tag.Key.StartsWith("\\\"bin\\\""))
-                    {
-                        string[] splittedStr = tag.Key.Split(':');
-                        string tagName = splittedStr[0];
-                        string specialPatternForPAN = "(((\\s*[s/-]*\\s*)+)\\p{N}((\\s*[s/-]*\\s*)+))+";
+                JObject jsonObject = JObject.Parse(str);
+                isJsonString = true;
 
-                        // match the patters for PAN number
-                        MatchCollection matches = Regex.Matches(str, $"{tagName}:\\\"{specialPatternForPAN}\\\"");
+                MaskSensitiveData(jsonObject);
 
-                        //remove space and dash from the all matched pattern
-                        foreach (Match match in matches)
-                        {
-                            String strr = match.ToString();
-                            strr = strr.Replace(" ", "");
-                            strr = strr.Replace("-", "");
-                            //replace original value in str with match
-                            str = str.Replace(match.ToString(), strr);
-                        }
-                    }
-                    str = Regex.Replace(str, tag.Key, tag.Value);
-                }
+                return jsonObject.ToString();
             }
-            catch (Exception e)
+            catch (Exception)
             {
-                throw e;
+                isJsonString = false;
             }
 
-            try
+            if (!isJsonString)
             {
-                foreach (KeyValuePair<string, string> tag in authenticationTags)
+                try
                 {
-                    str = Regex.Replace(str, tag.Key, tag.Value);
+                    foreach (KeyValuePair<string, string> tag in authenticationTags)
+                    {
+                        str = Regex.Replace(str, tag.Key, tag.Value);
+                    }
                 }
-            }
-            catch (Exception e)
-            {
-                throw e;
+                catch (Exception e)
+                {
+                    throw e;
+                } 
             }
 
             return str;
         }
 
+        public void MaskSensitiveData(JObject jsonMsg)
+        {
+            foreach (var prop in jsonMsg.Properties())
+            {
+                bool isFieldSensitive = sensitiveTagsList.Contains(prop.Name);
+                if (isFieldSensitive)
+                {
+                    if (prop.Value != null && prop.Value.Type != JTokenType.Null)
+                    {
+                        if (prop.Value.Type == JTokenType.String)
+                        {
+                            string originalValue = prop.Value.ToString();
+                            prop.Value = new string('X', originalValue.Length);
+                        }
+                        else if (prop.Value.Type == JTokenType.Object)
+                        {
+                            MaskSensitiveData((JObject)prop.Value);
+                        }
+                    }
+                }
+                else if (prop.Value.Type == JTokenType.Object)
+                {
+                    MaskSensitiveData((JObject)prop.Value);
+                }
+            }
+        }
+
+
         public void LogDebugMessage(Logger logger, String debugMessage)
         {
             if (IsMaskingEnabled(logger))

cybersource-rest-auth-netstandard/AuthenticationSdk/AuthenticationSdk/util/SensitiveDataConfigurationType.cs

@@ -5,22 +5,22 @@ public class SensitiveDataConfigurationType
     {
         public static SensitiveTag[] sensitiveTags = new SensitiveTag[]
         {
-            new SensitiveTag("securityCode", "[0-9]{3,4}", "xxxxx", false),
-            new SensitiveTag("number", "(\\s*\\p{N}\\s*)+(\\p{N}{4})(\\s*)", "xxxxx$2", false),
-            new SensitiveTag("cardNumber", "(\\s*\\p{N}\\s*)+(\\p{N}{4})(\\s*)", "xxxxx$2", false),
-            new SensitiveTag("expirationMonth", "[0-1][0-9]", "xxxx", false),
-            new SensitiveTag("expirationYear", "2[0-9][0-9][0-9]", "xxxx", false),
-            new SensitiveTag("account", "(\\s*\\p{N}\\s*)+(\\p{N}{4})(\\s*)", "xxxxx$2", false),
-            new SensitiveTag("routingNumber", "[0-9]+", "xxxxx", false),
-            new SensitiveTag("email", "[a-z0-9!#$%&'*+\\/=?^_`{|}~-]+(?:.[a-z0-9!#$%&'*+\\/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?", "xxxxx", false),
-            new SensitiveTag("firstName", "([a-zA-Z]+( )?[a-zA-Z]*'?-?[a-zA-Z]*( )?([a-zA-Z]*)?)", "xxxxx", false),
-            new SensitiveTag("lastName", "([a-zA-Z]+( )?[a-zA-Z]*'?-?[a-zA-Z]*( )?([a-zA-Z]*)?)", "xxxxx", false),
-            new SensitiveTag("phoneNumber", "(\\+[0-9]{1,2} )?\\(?[0-9]{3}\\)?[ .-]?[0-9]{3}[ .-]?[0-9]{4}", "xxxxx", false),
-            new SensitiveTag("type", "[-A-Za-z0-9 ]+", "xxxxx", false),
-            new SensitiveTag("token", "[-.A-Za-z0-9 ]+", "xxxxx", false),
-            new SensitiveTag("signature", "[-.A-Za-z0-9 ]+", "xxxxx", false),
-            new SensitiveTag("prefix", "(\\s*)(\\p{N}{4})(\\s*)(\\p{N}{2})(\\s*\\p{N}*\\s*)", "$2$4xxxxx", false),
-            new SensitiveTag("bin", "(\\s*)(\\p{N}{4})(\\s*)(\\p{N}{2})(\\s*\\p{N}*\\s*)", "$2$4xxxxx", false)
+            new SensitiveTag("securityCode", "", "", false),
+            new SensitiveTag("number", "", "", false),
+            new SensitiveTag("cardNumber", "", "", false),
+            new SensitiveTag("expirationMonth", "", "", false),
+            new SensitiveTag("expirationYear", "", "", false),
+            new SensitiveTag("account", "", "", false),
+            new SensitiveTag("routingNumber", "", "", false),
+            new SensitiveTag("email", "", "", false),
+            new SensitiveTag("firstName", "", "", false),
+            new SensitiveTag("lastName", "", "", false),
+            new SensitiveTag("phoneNumber", "", "", false),
+            new SensitiveTag("type", "", "", false),
+            new SensitiveTag("token", "", "", false),
+            new SensitiveTag("signature", "", "", false),
+            new SensitiveTag("prefix", "", "", false),
+            new SensitiveTag("bin", "", "", false)
         };
 
         public static AuthenticationSchemeTag[] authenticationTags = new AuthenticationSchemeTag[]

cybersource-rest-auth-netstandard/AuthenticationSdk/AuthenticationSdk/util/SensitiveTags.cs

@@ -5,8 +5,10 @@ namespace AuthenticationSdk.util
     public class SensitiveTags
     {
         private static Dictionary<string, string> sensitiveTags = new Dictionary<string, string>();
+        private static List<string> sensitiveTagsList = new List<string>();
         private static bool isLoaded = false;
-        
+        private static bool isTagsListLoaded = false;
+
         public static Dictionary<string, string> getSensitiveTags()
         {
             if (isLoaded)
@@ -40,5 +42,26 @@ public static Dictionary<string, string> getSensitiveTags()
 
             return sensitiveTags;
         }
+
+        public static List<string> getSensitiveTagsList()
+        {
+            if (isTagsListLoaded)
+            {
+                return sensitiveTagsList;
+            }
+
+            int sensitiveTagsCount = SensitiveDataConfigurationType.sensitiveTags.Length;
+
+            for (int i = 0; i < sensitiveTagsCount; i++)
+            {
+                string tagName = SensitiveDataConfigurationType.sensitiveTags[i].tagName;
+
+                sensitiveTagsList.Add(tagName);
+            }
+
+            isTagsListLoaded = true;
+
+            return sensitiveTagsList;
+        }
     }
 }

cybersource-rest-client-netstandard/cybersource-rest-client-netstandard/Api/BatchesApi.cs

@@ -410,7 +410,7 @@ public ApiResponse< InlineResponse2007 > GetBatchReportWithHttpInfo (string batc
             {
                 localVarPathParams.Add("batchId", Configuration.ApiClient.ParameterToString(batchId)); // path parameter
             }
-            logger.Debug($"HTTP Request Body :\n{logUtility.ConvertDictionaryToString(localVarPathParams)}");
+            //logger.Debug($"HTTP Request Body :\n{logUtility.ConvertDictionaryToString(localVarPathParams)}");
             if (Method.Get == Method.Post)
             {
                 localVarPostBody = "{}";
@@ -505,7 +505,7 @@ public async System.Threading.Tasks.Task<ApiResponse<InlineResponse2007>> GetBat
             {
                 localVarPathParams.Add("batchId", Configuration.ApiClient.ParameterToString(batchId)); // path parameter
             }
-            logger.Debug($"HTTP Request Body :\n{logUtility.ConvertDictionaryToString(localVarPathParams)}");
+            //logger.Debug($"HTTP Request Body :\n{logUtility.ConvertDictionaryToString(localVarPathParams)}");
             if (Method.Get == Method.Post)
             {
                 localVarPostBody = "{}";
@@ -598,7 +598,7 @@ public ApiResponse< InlineResponse2006 > GetBatchStatusWithHttpInfo (string batc
             {
                 localVarPathParams.Add("batchId", Configuration.ApiClient.ParameterToString(batchId)); // path parameter
             }
-            logger.Debug($"HTTP Request Body :\n{logUtility.ConvertDictionaryToString(localVarPathParams)}");
+            //logger.Debug($"HTTP Request Body :\n{logUtility.ConvertDictionaryToString(localVarPathParams)}");
             if (Method.Get == Method.Post)
             {
                 localVarPostBody = "{}";
@@ -693,7 +693,7 @@ public async System.Threading.Tasks.Task<ApiResponse<InlineResponse2006>> GetBat
             {
                 localVarPathParams.Add("batchId", Configuration.ApiClient.ParameterToString(batchId)); // path parameter
             }
-            logger.Debug($"HTTP Request Body :\n{logUtility.ConvertDictionaryToString(localVarPathParams)}");
+            //logger.Debug($"HTTP Request Body :\n{logUtility.ConvertDictionaryToString(localVarPathParams)}");
             if (Method.Get == Method.Post)
             {
                 localVarPostBody = "{}";
@@ -798,10 +798,10 @@ public ApiResponse< InlineResponse2005 > GetBatchesListWithHttpInfo (long? offse
             {
                 localVarQueryParams.Add("toDate", Configuration.ApiClient.ParameterToString(toDate)); // query parameter
             }
-            logger.Debug($"HTTP Request Body :\n{logUtility.ConvertDictionaryToString(localVarQueryParams)}");
-            logger.Debug($"HTTP Request Body :\n{logUtility.ConvertDictionaryToString(localVarQueryParams)}");
-            logger.Debug($"HTTP Request Body :\n{logUtility.ConvertDictionaryToString(localVarQueryParams)}");
-            logger.Debug($"HTTP Request Body :\n{logUtility.ConvertDictionaryToString(localVarQueryParams)}");
+            //logger.Debug($"HTTP Request Body :\n{logUtility.ConvertDictionaryToString(localVarQueryParams)}");
+            //logger.Debug($"HTTP Request Body :\n{logUtility.ConvertDictionaryToString(localVarQueryParams)}");
+            //logger.Debug($"HTTP Request Body :\n{logUtility.ConvertDictionaryToString(localVarQueryParams)}");
+            //logger.Debug($"HTTP Request Body :\n{logUtility.ConvertDictionaryToString(localVarQueryParams)}");
             if (Method.Get == Method.Post)
             {
                 localVarPostBody = "{}";
@@ -908,10 +908,10 @@ public async System.Threading.Tasks.Task<ApiResponse<InlineResponse2005>> GetBat
             {
                 localVarQueryParams.Add("toDate", Configuration.ApiClient.ParameterToString(toDate)); // query parameter
             }
-            logger.Debug($"HTTP Request Body :\n{logUtility.ConvertDictionaryToString(localVarQueryParams)}");
-            logger.Debug($"HTTP Request Body :\n{logUtility.ConvertDictionaryToString(localVarQueryParams)}");
-            logger.Debug($"HTTP Request Body :\n{logUtility.ConvertDictionaryToString(localVarQueryParams)}");
-            logger.Debug($"HTTP Request Body :\n{logUtility.ConvertDictionaryToString(localVarQueryParams)}");
+            //logger.Debug($"HTTP Request Body :\n{logUtility.ConvertDictionaryToString(localVarQueryParams)}");
+            //logger.Debug($"HTTP Request Body :\n{logUtility.ConvertDictionaryToString(localVarQueryParams)}");
+            //logger.Debug($"HTTP Request Body :\n{logUtility.ConvertDictionaryToString(localVarQueryParams)}");
+            //logger.Debug($"HTTP Request Body :\n{logUtility.ConvertDictionaryToString(localVarQueryParams)}");
             if (Method.Get == Method.Post)
             {
                 localVarPostBody = "{}";
@@ -1011,14 +1011,14 @@ public ApiResponse< InlineResponse202 > PostBatchWithHttpInfo (Body body)
                 localVarPostBody = body; // byte array
             }
 
-            if (logUtility.IsMaskingEnabled(logger))
-            {
-                logger.Debug($"HTTP Request Body :\n{logUtility.MaskSensitiveData(localVarPostBody.ToString())}");
-            }
-            else
-            {
-                logger.Debug($"HTTP Request Body :\n{localVarPostBody}");
-            }
+            //if (logUtility.IsMaskingEnabled(logger))
+            //{
+            //    logger.Debug($"HTTP Request Body :\n{logUtility.MaskSensitiveData(localVarPostBody.ToString())}");
+            //}
+            //else
+            //{
+            //    logger.Debug($"HTTP Request Body :\n{localVarPostBody}");
+            //}
 
 
             // make the HTTP request
@@ -1112,14 +1112,14 @@ public async System.Threading.Tasks.Task<ApiResponse<InlineResponse202>> PostBat
                 localVarPostBody = body; // byte array
             }
 
-            if (logUtility.IsMaskingEnabled(logger))
-            {
-                logger.Debug($"HTTP Request Body :\n{logUtility.MaskSensitiveData(localVarPostBody.ToString())}");
-            }
-            else
-            {
-                logger.Debug($"HTTP Request Body :\n{localVarPostBody}");
-            }
+            //if (logUtility.IsMaskingEnabled(logger))
+            //{
+            //    logger.Debug($"HTTP Request Body :\n{logUtility.MaskSensitiveData(localVarPostBody.ToString())}");
+            //}
+            //else
+            //{
+            //    logger.Debug($"HTTP Request Body :\n{localVarPostBody}");
+            //}
 
 
             // make the HTTP request