Vantiv / cnp-sdk-for-dotnet

.NET SDK to ease XML integrations with the Vantiv eCommerce platform

Unsafe Dictionary access introduced in pr #72? #73

Open yerald-mora opened 5 days ago

yerald-mora commented 5 days ago

Cnp.Sdk.CnpOnline has the method private cnpOnlineResponse SendToCnp(cnpOnlineRequest request). This class receives a dictionary in the constructor that contains configurations. The changes merged in PR #72 add a direct access to a new configuration in that method:

            if (_config["encryptOltpPayload"] == "true")
            {
                String payloadTobeEncrypted = ReplaceXMLTxnWithEncryptedPayload(xmlRequest);
                xmlResponse = _communication.HttpPost(payloadTobeEncrypted);
            }

So, if the configuration is not set by the caller, a KeyNotFoundException is generated, so an unsafe access is being performed on the dictionary, which will lead to clients' systems breaking when this method gets called.
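The access pattern reported above, next to a tolerant lookup, as an added example that is not code from the SDK or from either commenter. `ConfigFlags.GetFlag` is a hypothetical helper, the config is assumed to be a `Dictionary<string, string>`, and the sample values are constructed.

```csharp
using System;
using System.Collections.Generic;

static class ConfigFlags
{
    // Hypothetical helper (not part of the SDK): reads an optional boolean setting.
    public static bool GetFlag(IDictionary<string, string> config, string key, bool defaultValue)
    {
        // TryGetValue does not throw for a missing key, unlike the indexer.
        if (config == null || !config.TryGetValue(key, out string raw) || string.IsNullOrWhiteSpace(raw))
            return defaultValue;

        // bool.TryParse is case-insensitive and ignores surrounding whitespace.
        if (bool.TryParse(raw, out bool parsed))
            return parsed;

        // Assumption of this example: a present but unparseable value is a
        // misconfiguration and is reported, so encryption is never silently skipped.
        throw new FormatException($"Config key '{key}' must be 'true' or 'false', got '{raw}'.");
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed configs: one written before the new key existed, one with a capitalised value.
        var legacy = new Dictionary<string, string> { ["url"] = "https://example.invalid" };
        var enabled = new Dictionary<string, string> { ["encryptOltpPayload"] = "True" };

        // Indexer access as in the reported snippet: a missing key throws.
        try { Console.WriteLine(legacy["encryptOltpPayload"] == "true"); }
        catch (KeyNotFoundException) { Console.WriteLine("indexer: KeyNotFoundException"); }

        // The ordinal string comparison does not match "True", so the flag reads as off.
        Console.WriteLine(enabled["encryptOltpPayload"] == "true");

        // Tolerant lookup: a missing key falls back to the default and "True" is honoured.
        Console.WriteLine(ConfigFlags.GetFlag(legacy, "encryptOltpPayload", false));
        Console.WriteLine(ConfigFlags.GetFlag(enabled, "encryptOltpPayload", false));
    }
}
```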

VantivSDK commented 3 days ago

Hi Yerald,

Thank you for bringing this to our attention. I have thoroughly tested the changes on my end, and everything appears to be functioning correctly without setting the 'encryptOltpPayload' property in the property file. Are you able to recreate the problem? If yes, please share details with us.

Looking forward to your response.

Thanks & Regards, Sushama Ghadage

