Merge pull request #180 from CyberSource/masking-password

Added code to mask password in log

Author: gnongsie

java/pom.xml

@@ -43,7 +43,7 @@
         <junit.version>4.13.1</junit.version>
         <xmlsec.version>2.3.4</xmlsec.version>
         <httpclient.version>4.5.13</httpclient.version>
-        <bouncycastle.version>1.74</bouncycastle.version>
+        <bouncycastle.version>1.78</bouncycastle.version>
         <wss4j.version>2.4.1</wss4j.version>
         <commonlang3.version>3.4</commonlang3.version>
         <mockito.version>1.10.19</mockito.version>

java/src/main/java/com/cybersource/ws/client/MerchantConfig.java

@@ -767,7 +767,7 @@ public String getLogString() {
         appendPair(sb, "merchantID", merchantID);
         appendPair(sb, "keysDirectory", keysDirectory);
         appendPair(sb, "keyAlias", keyAlias);
-        appendPair(sb, "keyPassword", keyPassword);
+        appendPair(sb, "keyPassword", keyPassword != null ? "(masked)" : null);
         appendPair(sb, "sendToProduction", sendToProduction);
         appendPair(sb, "sendToAkamai", sendToAkamai);
         appendPair(sb, "targetAPIVersion", targetAPIVersion);

java/src/main/java/com/cybersource/ws/client/Utility.java

@@ -47,7 +47,7 @@ private Utility() {
      */
     public static final String SERVER_ALIAS = "CyberSource_SJC_US";
     public static final String CYBS_CERT_AUTH = "CyberSourceCertAuth";
-    public static final String VERSION = "6.2.14";
+    public static final String VERSION = "6.2.15";
     public static final String ORIGIN_TIMESTAMP = "v-c-client-iat";
     public static final String SDK_ELAPSED_TIMESTAMP = "v-c-client-computetime";
     public static final String RESPONSE_TIME_REPLY = "v-c-response-time";

java/src/test/java/com/cybersource/ws/client/UtilityTest.java

@@ -1,18 +1,28 @@
 package com.cybersource.ws.client;
 
 import org.junit.Before;
+import org.junit.Rule;
 import org.junit.Test;
 import static org.junit.Assert.*;
+
+import org.junit.function.ThrowingRunnable;
+import org.junit.rules.ExpectedException;
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
+import org.w3c.dom.Text;
+import org.xml.sax.SAXException;
+import org.xml.sax.SAXParseException;
 
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.ParserConfigurationException;
 import java.io.*;
 import java.net.URL;
 import java.util.*;
 
 public class UtilityTest extends BaseTest {
     String propertiesFilename;
     Properties properties;
+    private static final String ELEM_NVP_REPLY = "nvpReply";
 
     @Before
     public void setUp() {
@@ -128,7 +138,64 @@ public void testMapToString_error() {
         assertTrue(result.isEmpty());
     }
 
+    @Test
+    public void testNewDocumentBuilder_validate() {
+        String testData1 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
+                "<!DOCTYPE example [\n" +
+                "  <!ENTITY file SYSTEM \"file:///secrets.txt\" >\n" +
+                "]>\n" +
+                "<example>&file;</example>";
+
+        String testData2 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
+                "<!DOCTYPE example [\n" +
+                "  <!ENTITY file SYSTEM \"file:////etc/shadow\" >\n" +
+                "]>\n" +
+                "<example>&file;</example>";
+
+        String testData3 = "<?xml version=\"1.0\"?>" +
+                "<w3resource>" +
+                "<design>html xhtml css svg xml</design>" +
+                "<programming>php mysql</programming>" +
+                "</w3resource>";
+
+        try {
+            DocumentBuilder docBuilder = Utility.newDocumentBuilder();
+
+            InputStream testStream = new ByteArrayInputStream(testData1.getBytes());
+            Document testDoc = docBuilder.parse(testStream);
+        } catch (ParserConfigurationException e) {
+            throw new RuntimeException(e);
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        } catch (SAXException e) {
+            assertSame(e.getClass(), SAXParseException.class);
+        }
 
+        try {
+            DocumentBuilder docBuilder = Utility.newDocumentBuilder();
+
+            InputStream testStream = new ByteArrayInputStream(testData2.getBytes());
+            Document testDoc = docBuilder.parse(testStream);
+        } catch (ParserConfigurationException e) {
+            throw new RuntimeException(e);
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        } catch (SAXException e) {
+            assertSame(e.getClass(), SAXParseException.class);
+        }
 
-
+        try {
+            DocumentBuilder docBuilder = Utility.newDocumentBuilder();
+
+            InputStream testStream = new ByteArrayInputStream(testData3.getBytes());
+            Document testDoc = docBuilder.parse(testStream);
+            assertNotNull(testDoc);
+        } catch (ParserConfigurationException e) {
+            throw new RuntimeException(e);
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        } catch (SAXException e) {
+            throw new RuntimeException(e);
+        }
+    }
 }

pom.xml

@@ -12,7 +12,7 @@
 
     <groupId>com.cybersource</groupId>
     <artifactId>cybersource-sdk-master</artifactId>
-    <version>6.2.14-SNAPSHOT</version>
+    <version>6.2.15-SNAPSHOT</version>
     <name>cybersource-sdk-java-master</name>
     <packaging>pom</packaging>
 

samples/nvp/compileSample.bat

@@ -7,10 +7,10 @@ rem If using this scripts outside zip package then give maven clean install.
 rem This will generate all required dependencies under target/dependencies.These dependencies are used in CLASSPATH.
 rem ----------------------------------------------------------------------------
 
-if exist ../../lib set LOCAL_CP=%LOCAL_CP%;../../lib/cybersource-sdk-java-6.2.14.jar
+if exist ../../lib set LOCAL_CP=%LOCAL_CP%;../../lib/cybersource-sdk-java-6.2.15.jar
 if not exist ../../lib (
 	if not exist target goto error
-	set LOCAL_CP=%LOCAL_CP%;target/dependencies/cybersource-sdk-java-6.2.14.jar
+	set LOCAL_CP=%LOCAL_CP%;target/dependencies/cybersource-sdk-java-6.2.15.jar
 )
 
 if not exist classes mkdir classes

samples/nvp/pom.xml

@@ -8,7 +8,7 @@
     <name>RunSample</name>
     <url>http://maven.apache.org</url>
      <properties>
-         <javasdk.version>[6.2.0, 6.2.14-SNAPSHOT]</javasdk.version>
+         <javasdk.version>[6.2.0, 6.2.15-SNAPSHOT]</javasdk.version>
          <httpclient.version>4.5.13</httpclient.version>
          <bouncycastle.version>1.67</bouncycastle.version>
          <wss4j.version>2.4.1</wss4j.version>

samples/xml/compileSample.bat

@@ -7,10 +7,10 @@ rem If using this scripts outside zip package then give maven clean install.
 rem This will generate all required dependencies under target/dependencies.These dependencies are used in CLASSPATH.
 rem ----------------------------------------------------------------------------
 
-if exist ../../lib set LOCAL_CP=%LOCAL_CP%;../../lib/cybersource-sdk-java-6.2.14.jar
+if exist ../../lib set LOCAL_CP=%LOCAL_CP%;../../lib/cybersource-sdk-java-6.2.15-SNAPSHOT.jar
 if not exist ../../lib (
 	if not exist target goto error
-	set LOCAL_CP=%LOCAL_CP%;target/dependencies/cybersource-sdk-java-6.2.14.jar
+	set LOCAL_CP=%LOCAL_CP%;target/dependencies/cybersource-sdk-java-6.2.15-SNAPSHOT.jar
 )
 
 if not exist classes mkdir classes

samples/xml/pom.xml

@@ -8,7 +8,7 @@
     <name>RunSample</name>
     <url>http://maven.apache.org</url>
     <properties>
-        <javasdk.version>[6.2.0, 6.2.14-SNAPSHOT]</javasdk.version>
+        <javasdk.version>[6.2.0, 6.2.15-SNAPSHOT]</javasdk.version>
         <httpclient.version>4.5.13</httpclient.version>
         <bouncycastle.version>1.67</bouncycastle.version>
         <wss4j.version>2.4.1</wss4j.version>

zip/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <artifactId>cybersource-sdk-master</artifactId>
         <groupId>com.cybersource</groupId>
-        <version>6.2.14-SNAPSHOT</version>
+        <version>6.2.15-SNAPSHOT</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>