Merge pull request #169 from AuthorizeNet/may-2020

Security issues fix
AuthorizeNet · Jul 2, 2020 · 487462d · 487462d
2 parents 94492cf + fb6d6aa
commit 487462d
Show file tree

Hide file tree

Showing 21 changed files with 251 additions and 177 deletions.
diff --git a/.classpath b/.classpath
@@ -1,17 +1,39 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <classpath>
-	<classpathentry kind="src" path="src/main/java"/>
-	<classpathentry kind="src" path="resources"/>
-	<classpathentry kind="src" path="src/test/java"/>
-	<classpathentry kind="lib" path="lib/commons-logging-1.1.1.jar"/>
-	<classpathentry kind="lib" path="lib/httpclient-4.5.3.jar"/>
-	<classpathentry kind="lib" path="lib/httpcore-4.4.6.jar"/>
+	<classpathentry kind="src" output="target/classes" path="src/main/java">
+		<attributes>
+			<attribute name="optional" value="true"/>
+			<attribute name="maven.pomderived" value="true"/>
+		</attributes>
+	</classpathentry>
+	<classpathentry excluding="**" kind="src" output="target/classes" path="resources">
+		<attributes>
+			<attribute name="maven.pomderived" value="true"/>
+		</attributes>
+	</classpathentry>
+	<classpathentry kind="src" output="target/test-classes" path="src/test/java">
+		<attributes>
+			<attribute name="optional" value="true"/>
+			<attribute name="maven.pomderived" value="true"/>
+		</attributes>
+	</classpathentry>
 	<classpathentry kind="lib" path="lib/junit-4.8.2.jar"/>
-	<classpathentry kind="lib" path="lib/log4j-1.2.16.jar"/>
-	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER"/>
+	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/J2SE-1.5">
+		<attributes>
+			<attribute name="maven.pomderived" value="true"/>
+		</attributes>
+	</classpathentry>
 	<classpathentry kind="lib" path="lib/hamcrest-core-1.3.jar"/>
 	<classpathentry kind="lib" path="lib/hamcrest-library-1.3.jar"/>
 	<classpathentry kind="lib" path="lib/jmock-2.6.0.jar"/>
 	<classpathentry kind="lib" path="lib/gson-2.3.1.jar"/>
+	<classpathentry kind="lib" path="lib/commons-logging-1.2.jar"/>
+	<classpathentry kind="lib" path="lib/httpclient-4.5.12.jar"/>
+	<classpathentry kind="lib" path="lib/httpcore-4.4.13.jar"/>
+	<classpathentry kind="con" path="org.eclipse.m2e.MAVEN2_CLASSPATH_CONTAINER">
+		<attributes>
+			<attribute name="maven.pomderived" value="true"/>
+		</attributes>
+	</classpathentry>
 	<classpathentry kind="output" path="target/classes"/>
 </classpath>
diff --git a/.project b/.project
@@ -10,8 +10,14 @@
 			<arguments>
 			</arguments>
 		</buildCommand>
+		<buildCommand>
+			<name>org.eclipse.m2e.core.maven2Builder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
 	</buildSpec>
 	<natures>
+		<nature>org.eclipse.m2e.core.maven2Nature</nature>
 		<nature>org.eclipse.jdt.core.javanature</nature>
 	</natures>
 </projectDescription>
diff --git a/lib/commons-logging-1.1.1.jar b/lib/commons-logging-1.1.1.jar
diff --git a/lib/commons-logging-1.2.jar b/lib/commons-logging-1.2.jar
diff --git a/lib/httpclient-4.5.12.jar b/lib/httpclient-4.5.12.jar
diff --git a/lib/httpclient-4.5.3.jar b/lib/httpclient-4.5.3.jar
diff --git a/lib/httpcore-4.4.13.jar b/lib/httpcore-4.4.13.jar
diff --git a/lib/httpcore-4.4.6.jar b/lib/httpcore-4.4.6.jar
diff --git a/pom.xml b/pom.xml
@@ -57,12 +57,34 @@
 			<version>4.4.6</version>
 			<scope>compile</scope>
 		</dependency>
+<!-- 		Log4j Dependencies -->
 		<dependency>
-			<groupId>log4j</groupId>
+			<groupId>org.apache.logging.log4j</groupId>
 			<artifactId>log4j</artifactId>
-			<version>1.2.16</version>
-			<scope>compile</scope>
+			<version>2.13.3</version>
+			<type>pom</type>
+		</dependency>
+		<dependency>
+			<groupId>org.apache.logging.log4j</groupId>
+			<artifactId>log4j-jcl</artifactId>
+			<version>2.13.3</version>
+		</dependency>
+		<dependency>
+			<groupId>org.apache.logging.log4j</groupId>
+			<artifactId>log4j-api</artifactId>
+			<version>2.13.3</version>
+		</dependency>
+		<dependency>
+			<groupId>org.apache.logging.log4j</groupId>
+			<artifactId>log4j-core</artifactId>
+			<version>2.13.3</version>
+		</dependency>
+		<dependency>
+			<groupId>org.apache.logging.log4j</groupId>
+			<artifactId>log4j-1.2-api</artifactId>
+			<version>2.13.3</version>
 		</dependency>
+<!-- 		Log4j Dependencies -->
 		<dependency>
 			<groupId>org.jmock</groupId>
 			<artifactId>jmock</artifactId>
@@ -151,7 +173,7 @@
 					<include>**/*.*</include>
 				</includes>
 				<excludes>
-					<exclude>log4j.properties</exclude>
+					<exclude>log4j2.xml</exclude>
 				</excludes>
 			</resource>
 		</resources>

diff --git a/resources/log4j.properties b/resources/log4j.properties
diff --git a/resources/log4j2.xml b/resources/log4j2.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!-- 
+################################################################################################################
+	For information on how to change this configuration file, 
+	refer to https://logging.apache.org/log4j/2.x/manual/configuration.html
+	
+	To enable masking of sensitive data, replace `%m` with `%maskedMessage` in the patterns below
+################################################################################################################ 
+-->
+
+<Configuration status="FATAL">
+	<Properties>
+		<Property name="log-path">./logs</Property>
+		<Property name="logFileName">net.authorize.java</Property>
+	</Properties>
+	<Appenders>
+		<Console name="LogToConsole" target="SYSTEM_OUT">
+			<PatternLayout pattern="%d{MM/dd/yy HH:mm:ss,SS:} [%t] %5p (%C:%-1L) - %m%n"/>
+		</Console>
+		<RollingFile name="RollingFile"
+			fileName="${log-path}/${logFileName}.log"
+			filePattern="${log-path}/${logFileName}-%d{yyyy-MM-dd}-%i.log">
+			<PatternLayout>
+				<pattern>%d{MM/dd/yy HH:mm:ss,SS:} [%t] %5p (%C:%-1L) - %m%n</pattern>
+			</PatternLayout>
+			<Policies>
+				<TimeBasedTriggeringPolicy interval="1" modulate="true"/>
+			</Policies>
+			<DefaultRolloverStrategy max="4"/>
+		</RollingFile>
+	</Appenders>
+	<Loggers>
+		<Logger name="net.authorize" level="fatal" additivity="true">
+			<AppenderRef ref="LogToConsole" level="fatal" />
+		</Logger>
+		<Root level="fatal" additivity="true">
+			<AppenderRef ref="RollingFile" />
+		</Root>
+	</Loggers>
+</Configuration>
diff --git a/src/main/java/net/authorize/api/controller/base/ApiOperationBase.java b/src/main/java/net/authorize/api/controller/base/ApiOperationBase.java
@@ -19,16 +19,16 @@
 import net.authorize.util.HttpUtility;
 import net.authorize.util.LogHelper;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 
 /**
  * @author ramittal
  *
  */
 public abstract class ApiOperationBase<Q extends ANetApiRequest, S extends ANetApiResponse> implements IApiOperation<Q, S> {
 
-	protected static Log logger = LogFactory.getLog(ApiOperationBase.class);
+	protected static Logger logger = LogManager.getLogger(ApiOperationBase.class);
 
 	private static Environment environment = null;
 	private static MerchantAuthenticationType merchantAuthentication = null;

diff --git a/src/main/java/net/authorize/util/HttpCallTask.java b/src/main/java/net/authorize/util/HttpCallTask.java
@@ -15,8 +15,8 @@
 import net.authorize.api.contract.v1.MessagesType;
 import net.authorize.api.contract.v1.MessagesType.Message;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.apache.http.HttpEntity;
 import org.apache.http.HttpResponse;
 import org.apache.http.client.ClientProtocolException;
@@ -30,7 +30,7 @@
  *
  */
 public class HttpCallTask implements Callable<ANetApiResponse> {
-	private static Log logger = LogFactory.getLog(HttpCallTask.class);
+	private static Logger logger = LogManager.getLogger(HttpCallTask.class);
 
 	Environment env = null;
 	ANetApiRequest request = null;

diff --git a/src/main/java/net/authorize/util/HttpClient.java b/src/main/java/net/authorize/util/HttpClient.java
@@ -9,8 +9,8 @@
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManagerFactory;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.apache.http.HttpHost;
 import org.apache.http.auth.AuthScope;
 import org.apache.http.auth.Credentials;
@@ -33,7 +33,7 @@
  *
  */
 public class HttpClient {
-	private static Log logger = LogFactory.getLog(HttpClient.class);
+	private static Logger logger = LogManager.getLogger(HttpClient.class);
 
 	public static final String ENCODING = "UTF-8";
 	static boolean proxySet = false;

diff --git a/src/main/java/net/authorize/util/HttpUtility.java b/src/main/java/net/authorize/util/HttpUtility.java
@@ -15,8 +15,8 @@
 
 import javax.xml.bind.JAXBException;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.entity.StringEntity;
 import org.apache.http.params.CoreProtocolPNames;
@@ -34,7 +34,7 @@
  */
 public final class HttpUtility {
 
-	private static Log logger = LogFactory.getLog(HttpUtility.class);	
+	private static Logger logger = LogManager.getLogger(HttpUtility.class);	
 
 	static int httpConnectionTimeout = Environment.getIntProperty(Constants.HTTP_CONNECTION_TIME_OUT);
 	static int httpReadTimeout = Environment.getIntProperty(Constants.HTTP_READ_TIME_OUT);

diff --git a/src/main/java/net/authorize/util/LogHelper.java b/src/main/java/net/authorize/util/LogHelper.java
@@ -1,6 +1,6 @@
 package net.authorize.util;
 
-import org.apache.commons.logging.Log;
+import org.apache.logging.log4j.Logger;
 
 public final class LogHelper {
 
@@ -9,27 +9,27 @@ public final class LogHelper {
 	private LogHelper() {
 	}
 
-	public static void debug(Log logger, String format, Object... arguments) {
+	public static void debug(Logger logger, String format, Object... arguments) {
 		String logMessage = getMessage(logger, format, arguments);
 		if ( null != logMessage) { logger.debug(logMessage); }
 	}
 
-	public static void error(Log logger, String format, Object... arguments) {
+	public static void error(Logger logger, String format, Object... arguments) {
 		String logMessage = getMessage(logger, format, arguments);
 		if ( null != logMessage) { logger.error(logMessage); }
 	}
 
-	public static void info(Log logger, String format, Object... arguments) {
+	public static void info(Logger logger, String format, Object... arguments) {
 		String logMessage = getMessage(logger, format, arguments);
 		if ( null != logMessage) { logger.info(logMessage); }
 	}
 
-	public static void warn(Log logger, String format, Object... arguments) {
+	public static void warn(Logger logger, String format, Object... arguments) {
 		String logMessage = getMessage(logger, format, arguments);
 		if ( null != logMessage) { logger.warn(logMessage); }
 	}
 
-	private static String getMessage(Log logger, String format, Object... arguments) {
+	private static String getMessage(Logger logger, String format, Object... arguments) {
 		String logMessage = null;
 
 		if ( null != logger && null != format && 0 < format.trim().length()) {