URL-encode untrusted data in URLs #5798

Merged
merged 7 commits into from
Nov 17, 2022

Collaborator

@awush-stripe awush-stripe commented Nov 9, 2022

Summary

Doyensec identified API injection vulnerabilities.

Motivation

https://jira.corp.stripe.com/browse/SAF-22964

Testing

  • Added tests
  • Modified tests
  • Manually verified

Changelog

  • [SECURITY] 5798 URL-encode IDs used in URLs to prevent injection attacks.
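
An added illustration of the changelog entry above, not code from this pull request or from the project: a caller-supplied ID concatenated into a URL path, next to the same ID percent-encoded first. The base URL, the route, the `unsafeUrl`/`safeUrl`/`routed` helpers and the sample IDs are assumptions made for the example; only the `URLEncoder.encode(value, Charsets.UTF_8.name())` call mirrors the string visible in the Diffuse output.

```kotlin
import java.net.URI
import java.net.URLEncoder

// Hypothetical API base and route; not taken from the project.
private const val API_BASE = "https://api.example.test/v1"

// Before: the caller-supplied ID is concatenated into the path as-is.
fun unsafeUrl(id: String): String = "$API_BASE/resources/$id/confirm"

// URLEncoder implements form encoding, so a space becomes "+"; in a path
// segment "+" is a literal plus, hence the rewrite to "%20".
fun urlEncode(value: String): String =
    URLEncoder.encode(value, Charsets.UTF_8.name()).replace("+", "%20")

// After: the ID is percent-encoded and stays a single path segment.
fun safeUrl(id: String): String = "$API_BASE/resources/${urlEncode(id)}/confirm"

// What a server would route on: the normalized raw path plus the raw query.
// The fragment is left out because clients do not send it.
fun routed(url: String): String {
    val u = URI(url).normalize()
    return u.rawPath + (u.rawQuery?.let { "?$it" } ?: "")
}

fun main() {
    // Constructed sample IDs: one well-formed, three carrying URL metacharacters.
    val ids = listOf(
        "id_123",
        "id_123/../../other/id_9",
        "id_123?expand=x",
        "id_123#frag",
    )
    for (id in ids) {
        println("id       = $id")
        println("  before : ${routed(unsafeUrl(id))}")
        println("  after  : ${routed(safeUrl(id))}")
    }
}
```

For the well-formed ID both forms route identically; for the other three, only the encoded form keeps the `/v1/resources/<id>/confirm` shape, which is the property a unit test for such a helper should pin down.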

@github-actions
Contributor

github-actions bot commented Nov 9, 2022

Diffuse output:

OLD: paymentsheet-example-release-master.apk (signature: none)
NEW: paymentsheet-example-release-pr.apk (signature: none)

          │          compressed          │         uncompressed          
          ├──────────┬──────────┬────────┼───────────┬───────────┬───────
 APK      │ old      │ new      │ diff   │ old       │ new       │ diff  
──────────┼──────────┼──────────┼────────┼───────────┼───────────┼───────
      dex │  5.4 MiB │  5.4 MiB │ +406 B │    14 MiB │    14 MiB │ +80 B 
     arsc │  1.9 MiB │  1.9 MiB │    0 B │   1.9 MiB │   1.9 MiB │   0 B 
 manifest │  4.3 KiB │  4.3 KiB │    0 B │  19.9 KiB │  19.9 KiB │   0 B 
      res │    1 MiB │    1 MiB │    0 B │   1.8 MiB │   1.8 MiB │   0 B 
   native │  2.6 MiB │  2.6 MiB │    0 B │     6 MiB │     6 MiB │   0 B 
    asset │    3 MiB │    3 MiB │  +17 B │     3 MiB │     3 MiB │ +17 B 
    other │ 83.1 KiB │ 83.1 KiB │    0 B │ 158.3 KiB │ 158.3 KiB │   0 B 
──────────┼──────────┼──────────┼────────┼───────────┼───────────┼───────
    total │   14 MiB │   14 MiB │ +423 B │  26.9 MiB │  26.9 MiB │ +97 B 

         │          raw           │             unique             
         ├────────┬────────┬──────┼────────┬────────┬──────────────
 DEX     │ old    │ new    │ diff │ old    │ new    │ diff         
─────────┼────────┼────────┼──────┼────────┼────────┼──────────────
   files │      2 │      2 │    0 │        │        │              
 strings │  87233 │  87238 │   +5 │  72823 │  72824 │ +1 (+4 -3)   
   types │  22757 │  22757 │    0 │  20489 │  20489 │  0 (+2 -2)   
 classes │  18393 │  18393 │    0 │  18393 │  18393 │  0 (+2 -2)   
 methods │  97719 │  97723 │   +4 │  93518 │  93517 │ -1 (+11 -12) 
  fields │ 104446 │ 104445 │   -1 │ 103162 │ 103162 │  0 (+2 -2)   

 ARSC    │ old  │ new  │ diff 
─────────┼──────┼──────┼──────
 configs │  334 │  334 │  0   
 entries │ 6294 │ 6294 │  0
APK
    compressed    │    uncompressed    │                               
─────────┬────────┼─────────┬──────────┤                               
 size    │ diff   │ size    │ diff     │ path                          
─────────┼────────┼─────────┼──────────┼───────────────────────────────
 3.3 MiB │ +878 B │ 8.2 MiB │ +1.4 KiB │ ∆ classes.dex                 
 2.1 MiB │ -472 B │ 5.8 MiB │ -1.3 KiB │ ∆ classes2.dex                
 8.1 KiB │  +17 B │ 7.9 KiB │    +17 B │ ∆ assets/dexopt/baseline.prof 
─────────┼────────┼─────────┼──────────┼───────────────────────────────
 5.4 MiB │ +423 B │  14 MiB │    +97 B │ (total)
DEX
STRINGS:

   old   │ new   │ diff       
  ───────┼───────┼────────────
   72823 │ 72824 │ +1 (+4 -3) 
  + Lcom/stripe/android/core/utils/EncodeKt_json_1;
  + Lcom/stripe/android/core/utils/EncodeKt;
  + encode(value, Charsets.UTF_8.name())
  + ~~R8{backend:dex,compilation-mode:release,has-checksums:false,min-api:21,pg-map-id:bcc2e25,r8-mode:compatibility,version:3.3.83}
  
  - ~~R8{backend:dex,compilation-mode:release,has-checksums:false,min-api:21,pg-map-id:ea64ee2,r8-mode:compatibility,version:3.3.83}
  - Lcom/stripe/android/stripecardscan/framework/util/EncodeKt_json_1;
  - Lcom/stripe/android/stripecardscan/framework/util/EncodeKt;
  

TYPES:

   old   │ new   │ diff      
  ───────┼───────┼───────────
   20489 │ 20489 │ 0 (+2 -2) 
  + Lcom/stripe/android/core/utils/EncodeKt_json_1;
  + Lcom/stripe/android/core/utils/EncodeKt;
  
  - Lcom/stripe/android/stripecardscan/framework/util/EncodeKt_json_1;
  - Lcom/stripe/android/stripecardscan/framework/util/EncodeKt;
  

METHODS:

   old   │ new   │ diff         
  ───────┼───────┼──────────────
   93518 │ 93517 │ -1 (+11 -12) 
  + com.stripe.android.core.utils.EncodeKt_json_1 <clinit>()
  + com.stripe.android.core.utils.EncodeKt_json_1 <init>()
  + com.stripe.android.core.utils.EncodeKt_json_1 invoke(Object) → Object
  + com.stripe.android.core.utils.EncodeKt_json_1 invoke(d)
  + com.stripe.android.core.utils.EncodeKt <clinit>()
  + com.stripe.android.core.utils.EncodeKt b64Encode(String) → String
  + com.stripe.android.core.utils.EncodeKt b64Encode(byte[]) → String
  + com.stripe.android.core.utils.EncodeKt decodeFromJson(a, String) → Object
  + com.stripe.android.core.utils.EncodeKt encodeToJson(k, Object) → String
  + com.stripe.android.core.utils.EncodeKt encodeToXWWWFormUrl(k, Object) → String
  + com.stripe.android.core.utils.EncodeKt urlEncode(String) → String
  
  - com.stripe.android.core.storage.SharedPreferencesStorage_Companion getLogTag() → String
  - com.stripe.android.core.storage.SharedPreferencesStorage access_getLogTag_cp() → String
  - com.stripe.android.stripecardscan.framework.util.EncodeKt_json_1 <clinit>()
  - com.stripe.android.stripecardscan.framework.util.EncodeKt_json_1 <init>()
  - com.stripe.android.stripecardscan.framework.util.EncodeKt_json_1 invoke(Object) → Object
  - com.stripe.android.stripecardscan.framework.util.EncodeKt_json_1 invoke(d)
  - com.stripe.android.stripecardscan.framework.util.EncodeKt <clinit>()
  - com.stripe.android.stripecardscan.framework.util.EncodeKt b64Encode(String) → String
  - com.stripe.android.stripecardscan.framework.util.EncodeKt b64Encode(byte[]) → String
  - com.stripe.android.stripecardscan.framework.util.EncodeKt decodeFromJson(a, String) → Object
  - com.stripe.android.stripecardscan.framework.util.EncodeKt encodeToJson(k, Object) → String
  - com.stripe.android.stripecardscan.framework.util.EncodeKt encodeToXWWWFormUrl(k, Object) → String
  

FIELDS:

   old    │ new    │ diff      
  ────────┼────────┼───────────
   103162 │ 103162 │ 0 (+2 -2) 
  + com.stripe.android.core.utils.EncodeKt_json_1 INSTANCE: EncodeKt_json_1
  + com.stripe.android.core.utils.EncodeKt json: a
  
  - com.stripe.android.stripecardscan.framework.util.EncodeKt_json_1 INSTANCE: EncodeKt_json_1
  - com.stripe.android.stripecardscan.framework.util.EncodeKt json: a

@awush-stripe awush-stripe force-pushed the awush/SAF-22964/url-encode_untrusted_data branch from 952bc66 to 1d6a933 Compare November 10, 2022 20:48
@awush-stripe awush-stripe force-pushed the awush/SAF-22964/url-encode_untrusted_data branch from bf41b0e to 55ae2ed Compare November 15, 2022 17:00
@awush-stripe awush-stripe enabled auto-merge (squash) November 15, 2022 19:53
@awush-stripe awush-stripe merged commit 264d791 into master Nov 17, 2022
@awush-stripe awush-stripe deleted the awush/SAF-22964/url-encode_untrusted_data branch November 17, 2022 19:33