API key validation

stripe · Feb 17, 2019 · 12506e3 · 12506e3
1 parent 8069bd3
commit 12506e3
Show file tree

Hide file tree

Showing 8 changed files with 111 additions and 10 deletions.
diff --git a/src/Stripe.net/Infrastructure/Public/StripeConfiguration.cs b/src/Stripe.net/Infrastructure/Public/StripeConfiguration.cs
@@ -70,10 +70,7 @@ public static string ApiKey
                 return apiKey;
             }
 
-            set
-            {
-                apiKey = value;
-            }
+            set => apiKey = StringUtils.ValidateApiKey(value);
         }
 
         /// <summary>Gets or sets the base URL for Stripe's OAuth API.</summary>
@@ -126,10 +123,7 @@ public static IStripeClient StripeClient
                 return stripeClient;
             }
 
-            set
-            {
-                stripeClient = value;
-            }
+            set => stripeClient = value;
         }
 
         /// <summary>Gets the version of the Stripe.net client library.</summary>

diff --git a/src/Stripe.net/Infrastructure/StringUtils.cs b/src/Stripe.net/Infrastructure/StringUtils.cs
@@ -6,6 +6,9 @@ namespace Stripe.Infrastructure
 
     internal static class StringUtils
     {
+        private static Regex apiKeyRegex
+            = new Regex(@"\A\w*\z", RegexOptions.Singleline | RegexOptions.CultureInvariant);
+
         /// <summary>Converts the string to snake case.</summary>
         /// <param name="str">The string to convert.</param>
         /// <returns>A string with the contents of the input string converted to snake_case.</returns>
@@ -52,5 +55,25 @@ public static bool SecureEquals(string a, string b)
 
             return result == 0;
         }
+
+        /// <summary>
+        /// Validates that the API key only contains valid characters (alphanumeric or underscores).
+        /// </summary>
+        /// <param name="apiKey">The API key.</param>
+        /// <returns>The API key, if valid.</returns>
+        /// <exception name="StripeException">
+        /// Thrown if the API key contains invalid characters.
+        /// </exception>
+        public static string ValidateApiKey(string apiKey)
+        {
+            if (!apiKeyRegex.IsMatch(apiKey ?? string.Empty))
+            {
+                var message = $"Invalid API key: \"{apiKey}\". API keys may only contain alphanumeric "
+                    + "characters and underscores.";
+                throw new StripeException(message);
+            }
+
+            return apiKey;
+        }
     }
 }
diff --git a/src/Stripe.net/Services/_base/Service.cs b/src/Stripe.net/Services/_base/Service.cs
@@ -18,7 +18,7 @@ protected Service()
 
         protected Service(string apiKey)
         {
-            this.ApiKey = apiKey;
+            this.ApiKey = StringUtils.ValidateApiKey(apiKey);
         }
 
         public string ApiKey { get; set; }

diff --git a/src/Stripe.net/Services/_common/RequestOptions.cs b/src/Stripe.net/Services/_common/RequestOptions.cs
@@ -1,9 +1,17 @@
 namespace Stripe
 {
+    using Stripe.Infrastructure;
+
     public class RequestOptions
     {
+        private string apiKey;
+
         /// <summary>The API key to use for the request.</summary>
-        public string ApiKey { get; set; }
+        public string ApiKey
+        {
+            get => this.apiKey;
+            set => this.apiKey = StringUtils.ValidateApiKey(value);
+        }
 
         /// <summary>Idempotency key for safely retrying requests.</summary>
         public string IdempotencyKey { get; set; }

diff --git a/src/StripeTests/Infrastructure/Public/StripeConfigurationTest.cs b/src/StripeTests/Infrastructure/Public/StripeConfigurationTest.cs
@@ -0,0 +1,14 @@
+namespace StripeTests
+{
+    using Stripe;
+    using Xunit;
+
+    public class StripeConfigurationTest : BaseStripeTest
+    {
+        [Fact]
+        public void ApiKey_Set_ThrowsOnInvalidKey()
+        {
+            Assert.Throws<StripeException>(() => StripeConfiguration.ApiKey = "sk_test_123\n");
+        }
+    }
+}
diff --git a/src/StripeTests/Infrastructure/StringUtilsTest.cs b/src/StripeTests/Infrastructure/StringUtilsTest.cs
@@ -1,5 +1,6 @@
 namespace StripeTests
 {
+    using Stripe;
     using Stripe.Infrastructure;
     using Xunit;
 
@@ -48,5 +49,36 @@ public void SecureEquals()
                     StringUtils.SecureEquals(testCase.data.a, testCase.data.b));
             }
         }
+
+        [Fact]
+        public void ValidateApiKey()
+        {
+            var testCases = new[]
+            {
+                new { data = "sk_test_123", throws = false },
+                new { data = "sk_test_4eC39HqLyjWDarjtT1zdp7dc", throws = false },
+                new { data = "abc", throws = false },
+                new { data = string.Empty, throws = false },
+                new { data = (string)null, throws = false },
+                new { data = "sk_test_123\n", throws = true },
+                new { data = "\nsk_test_123", throws = true },
+                new { data = "sk_test_\n123", throws = true },
+                new { data = "sk_test_123 ", throws = true },
+                new { data = " sk_test_123", throws = true },
+                new { data = "sk_test_ 123", throws = true },
+            };
+
+            foreach (var testCase in testCases)
+            {
+                if (testCase.throws)
+                {
+                    Assert.Throws<StripeException>(() => StringUtils.ValidateApiKey(testCase.data));
+                }
+                else
+                {
+                    Assert.Equal(testCase.data, StringUtils.ValidateApiKey(testCase.data));
+                }
+            }
+        }
     }
 }
diff --git a/src/StripeTests/Services/_base/ServiceTest.cs b/src/StripeTests/Services/_base/ServiceTest.cs
@@ -10,6 +10,12 @@ namespace StripeTests
 
     public class ServiceTest : BaseStripeTest
     {
+        [Fact]
+        public void Ctor_ThrowsOnInvalidApiKey()
+        {
+            Assert.Throws<StripeException>(() => new TestService("sk_test_123\n"));
+        }
+
         [Fact]
         public void Get_ExpandProperties()
         {
@@ -65,6 +71,16 @@ private class TestService : Service<TestEntity>,
             IListable<TestEntity, ListOptions>,
             IRetrievable<TestEntity>
         {
+            public TestService()
+                : base(null)
+            {
+            }
+
+            public TestService(string apiKey)
+                : base(apiKey)
+            {
+            }
+
             public override string BasePath => "/v1/test_entities";
 
             public bool ExpandSimple { get; set; }

diff --git a/src/StripeTests/Services/_common/RequestOptionsTest.cs b/src/StripeTests/Services/_common/RequestOptionsTest.cs
@@ -0,0 +1,14 @@
+namespace StripeTests
+{
+    using Stripe;
+    using Xunit;
+
+    public class RequestOptionsTest : BaseStripeTest
+    {
+        [Fact]
+        public void ApiKey_Set_ThrowsOnInvalidKey()
+        {
+            Assert.Throws<StripeException>(() => new RequestOptions { ApiKey = "sk_test_123\n" });
+        }
+    }
+}