activemerchant / active_merchant

Active Merchant is a simple payment abstraction library extracted from Shopify. The aim of the project is to feel natural to Ruby users and to abstract as many parts as possible away from the user to offer a consistent interface across all supported gateways.
http://activemerchant.org
MIT License

CVE-2024-39908 DoS in REXML #5180

Open 23tux opened 1 month ago

23tux commented 1 month ago

REXML has a CVE

I tried updating REXML to 3.3.2 in my fork, but when running the tests I get errors like this:

Error: test_failed_create_profile(PaypalTest):
  REXML::ParseException: Malformed XML: Extra content at the end of the document (got '"
  ')
  Line: 28
  Position: 2305
  Last 80 unconsumed characters:
/Users/user/.rbenv/versions/3.1.6/lib/ruby/gems/3.1.0/gems/rexml-3.3.2/lib/rexml/parsers/baseparser.rb:487:in `pull_event'
/Users/user/.rbenv/versions/3.1.6/lib/ruby/gems/3.1.0/gems/rexml-3.3.2/lib/rexml/parsers/baseparser.rb:225:in `pull'
/Users/user/.rbenv/versions/3.1.6/lib/ruby/gems/3.1.0/gems/rexml-3.3.2/lib/rexml/parsers/treeparser.rb:22:in `parse'
/Users/user/.rbenv/versions/3.1.6/lib/ruby/gems/3.1.0/gems/rexml-3.3.2/lib/rexml/document.rb:448:in `build'
/Users/user/.rbenv/versions/3.1.6/lib/ruby/gems/3.1.0/gems/rexml-3.3.2/lib/rexml/document.rb:101:in `initialize'
/Users/user/projects/active_merchant/lib/active_merchant/billing/gateways/paypal/paypal_common_api.rb:481:in `new'
/Users/user/projects/active_merchant/lib/active_merchant/billing/gateways/paypal/paypal_common_api.rb:481:in `legacy_parse'
/Users/user/projects/active_merchant/lib/active_merchant/billing/gateways/paypal/paypal_common_api.rb:456:in `parse'
/Users/user/projects/active_merchant/lib/active_merchant/billing/gateways/paypal/paypal_common_api.rb:663:in `commit'
/Users/user/projects/active_merchant/lib/active_merchant/billing/gateways/paypal/paypal_recurring_api.rb:33:in `recurring'
/Users/user/projects/active_merchant/test/unit/gateways/paypal_test.rb:400:in `block in test_failed_create_profile'
     397:   def test_failed_create_profile
     398:     @gateway.expects(:ssl_post).returns(failed_create_profile_paypal_response)
     399:     response = assert_deprecation_warning(Gateway::RECURRING_DEPRECATION_MESSAGE) do
  => 400:       @gateway.recurring(@amount, @credit_card, description: 'some description', start_date: Time.now, frequency: 12, period: 'Month')
     401:     end
     402:     assert_instance_of Response, response
     403:     assert !response.success?
/Users/user/projects/active_merchant/test/test_helper.rb:106:in `assert_deprecation_warning'
/Users/user/projects/active_merchant/test/unit/gateways/paypal_test.rb:399:in `test_failed_create_profile'

Any idea how to fix this?
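The trace above shows the stricter REXML parser rejecting a fixture that carries content after the closing root tag. As an added example (not code from this issue or from Active Merchant), the following Ruby parses a gateway body defensively, turning a REXML::ParseException into a failed result instead of an exception, and flags bodies with trailing content so affected fixtures can be located. The response XML, the constant names and the helper names are constructed for this example.

```ruby
require 'rexml/document'

# Constructed stand-in for a gateway failure body (not a real PayPal response):
# a root element with an Ack and an error message.
WELL_FORMED_RESPONSE = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <Response><Ack>Failure</Ack><Errors><ShortMessage>Invalid token</ShortMessage></Errors></Response>
XML

# Same body with a stray quote and newline after the root element, the kind of
# trailing content newer REXML reports as "Extra content at the end of the document".
TRAILING_CONTENT_RESPONSE = WELL_FORMED_RESPONSE + "\"\n"

# Parse a gateway response body into a Hash. Malformed XML is reported as a
# failed result rather than raised, so the caller can build a failed Response.
def parse_gateway_response(body)
  doc = REXML::Document.new(body)
  root = doc.root
  return { success: false, error: 'empty document' } unless root

  ack = REXML::XPath.first(root, 'Ack')&.text
  msg = REXML::XPath.first(root, 'Errors/ShortMessage')&.text
  { success: ack == 'Success', ack: ack, message: msg }
rescue REXML::ParseException => e
  # Keep only the first line of REXML's multi-line message for the result.
  { success: false, error: "malformed XML: #{e.message.lines.first.strip}" }
end

# Heuristic check for content after the last tag: a well-formed body, once
# trailing whitespace is removed, ends with the closing '>' of its last tag.
# Older REXML parsed such bodies leniently; 3.3.x rejects them.
def trailing_content?(body)
  !body.rstrip.end_with?('>')
end

if __FILE__ == $PROGRAM_NAME
  p parse_gateway_response(WELL_FORMED_RESPONSE)
  p trailing_content?(TRAILING_CONTENT_RESPONSE)
  p parse_gateway_response(TRAILING_CONTENT_RESPONSE)
end
```

Running trailing_content? over a project's XML fixtures points at the ones a stricter parser will reject, while the parse wrapper keeps a malformed body from propagating as an exception.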

raymzag commented 1 month ago

submitted my attempt https://github.com/activemerchant/active_merchant/pull/5181 to fix