SSRF fix: replace EscapeUriString with EscapeDataString
benjamin eckel committed Nov 8, 2017
1 parent cef02a8 commit 9eef460
Showing 14 changed files with 52 additions and 52 deletions.
26 changes: 13 additions & 13 deletions Library/Account.cs
Expand Up @@ -145,7 +145,7 @@ internal Account()
public void DeleteBillingInfo()
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Delete,
UrlPrefix + Uri.EscapeUriString(AccountCode) + "/billing_info");
UrlPrefix + Uri.EscapeDataString(AccountCode) + "/billing_info");
_billingInfo = null;
}

Expand All @@ -165,7 +165,7 @@ public void Update()
{
// PUT /accounts/<account code>
Client.Instance.PerformRequest(Client.HttpRequestMethod.Put,
UrlPrefix + Uri.EscapeUriString(AccountCode),
UrlPrefix + Uri.EscapeDataString(AccountCode),
WriteXml);
}

Expand Down Expand Up @@ -199,7 +199,7 @@ public Invoice InvoicePendingCharges(Invoice invoice = null)
{
var i = invoice ?? new Invoice();
Client.Instance.PerformRequest(Client.HttpRequestMethod.Post,
UrlPrefix + Uri.EscapeUriString(AccountCode) + "/invoices",
UrlPrefix + Uri.EscapeDataString(AccountCode) + "/invoices",
i.WriteXml,
i.ReadXml);

Expand All @@ -213,7 +213,7 @@ public Invoice PreviewInvoicePendingCharges(Invoice invoice = null)
{
var i = invoice ?? new Invoice();
Client.Instance.PerformRequest(Client.HttpRequestMethod.Post,
UrlPrefix + Uri.EscapeUriString(AccountCode) + "/invoices/preview",
UrlPrefix + Uri.EscapeDataString(AccountCode) + "/invoices/preview",
i.WriteXml,
i.ReadXml);

Expand All @@ -231,7 +231,7 @@ public RecurlyList<Adjustment> GetAdjustments(Adjustment.AdjustmentType type = A
{
var adjustments = new AdjustmentList();
var statusCode = Client.Instance.PerformRequest(Client.HttpRequestMethod.Get,
UrlPrefix + Uri.EscapeUriString(AccountCode) + "/adjustments/"
UrlPrefix + Uri.EscapeDataString(AccountCode) + "/adjustments/"
+ Build.QueryStringWith(Adjustment.AdjustmentState.Any == state ? "" : "state=" + state.ToString().EnumNameToTransportCase())
.AndWith(Adjustment.AdjustmentType.All == type ? "" : "type=" + type.ToString().EnumNameToTransportCase())
, adjustments.ReadXmlList);
Expand All @@ -247,7 +247,7 @@ public RecurlyList<ShippingAddress> GetShippingAddresses()
{
var shippingAddresses = new ShippingAddressList(this);
var statusCode = Client.Instance.PerformRequest(Client.HttpRequestMethod.Get,
UrlPrefix + Uri.EscapeUriString(AccountCode) + "/shipping_addresses/",
UrlPrefix + Uri.EscapeDataString(AccountCode) + "/shipping_addresses/",
shippingAddresses.ReadXmlList);

return statusCode == HttpStatusCode.NotFound ? null : shippingAddresses;
Expand All @@ -269,7 +269,7 @@ public RecurlyList<Invoice> GetInvoices()
/// <returns></returns>
public RecurlyList<Subscription> GetSubscriptions(Subscription.SubscriptionState state = Subscription.SubscriptionState.All)
{
return new SubscriptionList(UrlPrefix + Uri.EscapeUriString(AccountCode) + "/subscriptions/"
return new SubscriptionList(UrlPrefix + Uri.EscapeDataString(AccountCode) + "/subscriptions/"
+ Build.QueryStringWith(state.Equals(Subscription.SubscriptionState.All) ? "" : "state=" + state.ToString().EnumNameToTransportCase()));
}

Expand All @@ -282,14 +282,14 @@ public RecurlyList<Subscription> GetSubscriptions(Subscription.SubscriptionState
public RecurlyList<Transaction> GetTransactions(TransactionList.TransactionState state = TransactionList.TransactionState.All,
TransactionList.TransactionType type = TransactionList.TransactionType.All)
{
return new TransactionList(UrlPrefix + Uri.EscapeUriString(AccountCode) + "/transactions/"
return new TransactionList(UrlPrefix + Uri.EscapeDataString(AccountCode) + "/transactions/"
+ Build.QueryStringWith(state != TransactionList.TransactionState.All ? "state=" + state.ToString().EnumNameToTransportCase() : "")
.AndWith(type != TransactionList.TransactionType.All ? "type=" + type.ToString().EnumNameToTransportCase() : ""));
}

public RecurlyList<Note> GetNotes()
{
return new NoteList(UrlPrefix + Uri.EscapeUriString(AccountCode) + "/notes/");
return new NoteList(UrlPrefix + Uri.EscapeDataString(AccountCode) + "/notes/");
}

/// <summary>
Expand Down Expand Up @@ -328,7 +328,7 @@ public RecurlyList<CouponRedemption> GetActiveRedemptions()
var redemptions = new CouponRedemptionList();

var statusCode = Client.Instance.PerformRequest(Client.HttpRequestMethod.Get,
UrlPrefix + Uri.EscapeUriString(AccountCode) + "/redemptions",
UrlPrefix + Uri.EscapeDataString(AccountCode) + "/redemptions",
redemptions.ReadXmlList);

return statusCode == HttpStatusCode.NotFound ? null : redemptions;
Expand Down Expand Up @@ -560,7 +560,7 @@ public static Account Get(string accountCode)
var account = new Account();
// GET /accounts/<account code>
var statusCode = Client.Instance.PerformRequest(Client.HttpRequestMethod.Get,
UrlPrefix + Uri.EscapeUriString(accountCode),
UrlPrefix + Uri.EscapeDataString(accountCode),
account.ReadXml);

return statusCode == HttpStatusCode.NotFound ? null : account;
Expand All @@ -575,7 +575,7 @@ public static void Close(string accountCode)
{
// DELETE /accounts/<account code>
Client.Instance.PerformRequest(Client.HttpRequestMethod.Delete,
Account.UrlPrefix + Uri.EscapeUriString(accountCode));
Account.UrlPrefix + Uri.EscapeDataString(accountCode));
}

/// <summary>
Expand All @@ -586,7 +586,7 @@ public static void Reopen(string accountCode)
{
// PUT /accounts/<account code>/reopen
Client.Instance.PerformRequest(Client.HttpRequestMethod.Put,
Account.UrlPrefix + Uri.EscapeUriString(accountCode) + "/reopen");
Account.UrlPrefix + Uri.EscapeDataString(accountCode) + "/reopen");
}

/// <summary>
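Review bot: The path expression `UrlPrefix + Uri.EscapeDataString(AccountCode)` is spelled out by hand in every hunk of this file, so the fix only holds until the next endpoint is added and someone reaches for the old method again; BillingInfo.cs in this same commit already keeps its path in a `BillingInfoUrl(string accountCode)` helper. A `private static string AccountUrl(string accountCode) { return UrlPrefix + Uri.EscapeDataString(accountCode); }` used by each call site here (the same pattern repeats in AddOn.cs, Adjustment.cs, Coupon.cs, Invoice.cs and Plan.cs) would make the escaping a single decision point. The behavioural difference worth pinning in a unit test is that `EscapeDataString` percent-encodes `/`, `?` and `#`, which `EscapeUriString` passed through unchanged, so an account code containing them stays one path segment instead of altering the request path. The enclosing `Account` class continues outside all of these hunks, so where the helper lives is up to the author.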
2 changes: 1 addition & 1 deletion Library/AccountBalance.cs
Expand Up @@ -19,7 +19,7 @@ public static AccountBalance Get(string accountCode)
var accountBalance = new AccountBalance();

var statusCode = Client.Instance.PerformRequest(Client.HttpRequestMethod.Get,
UrlPrefix + Uri.EscapeUriString(accountCode) + "/balance", accountBalance.ReadXml);
UrlPrefix + Uri.EscapeDataString(accountCode) + "/balance", accountBalance.ReadXml);

return statusCode == HttpStatusCode.NotFound ? null : accountBalance;
}
6 changes: 3 additions & 3 deletions Library/AddOn.cs
Expand Up @@ -64,7 +64,7 @@ internal AddOn(string planCode, string addOnCode, string name)
public void Create()
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Post,
UrlPrefix + Uri.EscapeUriString(PlanCode) + UrlPostfix,
UrlPrefix + Uri.EscapeDataString(PlanCode) + UrlPostfix,
WriteXml,
ReadXml);
}
Expand All @@ -75,7 +75,7 @@ public void Create()
public void Update()
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Put,
UrlPrefix + Uri.EscapeUriString(PlanCode) + UrlPostfix + Uri.EscapeUriString(AddOnCode),
UrlPrefix + Uri.EscapeDataString(PlanCode) + UrlPostfix + Uri.EscapeDataString(AddOnCode),
WriteXml,
ReadXml);
}
Expand All @@ -86,7 +86,7 @@ public void Update()
public void Delete()
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Delete,
UrlPrefix + Uri.EscapeUriString(PlanCode) + UrlPostfix + Uri.EscapeUriString(AddOnCode));
UrlPrefix + Uri.EscapeDataString(PlanCode) + UrlPostfix + Uri.EscapeDataString(AddOnCode));
}


6 changes: 3 additions & 3 deletions Library/Adjustment.cs
Expand Up @@ -115,7 +115,7 @@ public void Create()
{
// POST /accounts/<account code>/adjustments
Client.Instance.PerformRequest(Client.HttpRequestMethod.Post,
UrlPrefix + Uri.EscapeUriString(AccountCode) + UrlPostfix,
UrlPrefix + Uri.EscapeDataString(AccountCode) + UrlPostfix,
WriteXml,
ReadXml);
}
Expand All @@ -129,7 +129,7 @@ public void Delete()
{
// DELETE /adjustments/<uuid>
Client.Instance.PerformRequest(Client.HttpRequestMethod.Delete,
UrlPostfix + Uri.EscapeUriString(Uuid));
UrlPostfix + Uri.EscapeDataString(Uuid));
}


Expand Down Expand Up @@ -284,7 +284,7 @@ public static Adjustment Get(string uuid)
{
var adjustment = new Adjustment();
Client.Instance.PerformRequest(Client.HttpRequestMethod.Get,
"/adjustments/" + Uri.EscapeUriString(uuid),
"/adjustments/" + Uri.EscapeDataString(uuid),
adjustment.ReadXml);
return adjustment;
}
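Review bot: `Get(string uuid)` in the last hunk builds its path from the literal `"/adjustments/"`, while `Delete()` in the hunk above reaches the same resource through `UrlPostfix`; if `UrlPostfix` is `"/adjustments/"`, as the `// DELETE /adjustments/<uuid>` comment suggests, `Get` should read `"/adjustments/" + ...` as `UrlPostfix + Uri.EscapeDataString(uuid),` so the two cannot drift apart. This is a style point only; the escaping change itself is correct in all three hunks, and `Uuid`/`uuid` being percent-encoded as data is a no-op for a plain hex identifier.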
2 changes: 1 addition & 1 deletion Library/BillingInfo.cs
Expand Up @@ -186,7 +186,7 @@ public void Update()

private static string BillingInfoUrl(string accountCode)
{
return UrlPrefix + Uri.EscapeUriString(accountCode) + UrlPostfix;
return UrlPrefix + Uri.EscapeDataString(accountCode) + UrlPostfix;
}

internal override void ReadXml(XmlTextReader reader)
8 changes: 4 additions & 4 deletions Library/Coupon.cs
Expand Up @@ -175,14 +175,14 @@ public void Create()
public void Update()
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Put,
UrlPrefix + Uri.EscapeUriString(CouponCode),
UrlPrefix + Uri.EscapeDataString(CouponCode),
WriteXmlUpdate);
}

public void Restore()
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Put,
UrlPrefix + Uri.EscapeUriString(CouponCode) + "/restore",
UrlPrefix + Uri.EscapeDataString(CouponCode) + "/restore",
WriteXmlUpdate);
}

Expand All @@ -192,7 +192,7 @@ public void Restore()
public void Deactivate()
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Delete,
UrlPrefix + Uri.EscapeUriString(CouponCode));
UrlPrefix + Uri.EscapeDataString(CouponCode));
}

public RecurlyList<Coupon> GetUniqueCouponCodes()
Expand Down Expand Up @@ -535,7 +535,7 @@ public static Coupon Get(string couponCode)
var coupon = new Coupon();

var statusCode = Client.Instance.PerformRequest(Client.HttpRequestMethod.Get,
Coupon.UrlPrefix + Uri.EscapeUriString(couponCode),
Coupon.UrlPrefix + Uri.EscapeDataString(couponCode),
coupon.ReadXml);

return statusCode == HttpStatusCode.NotFound ? null : coupon;
6 changes: 3 additions & 3 deletions Library/CouponRedemption.cs
Expand Up @@ -46,7 +46,7 @@ internal static CouponRedemption Redeem(string accountCode, string couponCode, s
var cr = new CouponRedemption {AccountCode = accountCode, Currency = currency, SubscriptionUuid = subscriptionUuid};

var statusCode = Client.Instance.PerformRequest(Client.HttpRequestMethod.Post,
"/coupons/" + Uri.EscapeUriString(couponCode) + "/redeem",
"/coupons/" + Uri.EscapeDataString(couponCode) + "/redeem",
cr.WriteXml,
cr.ReadXml);

Expand All @@ -60,8 +60,8 @@ internal static CouponRedemption Redeem(string accountCode, string couponCode, s
public void Delete()
{
var statusCode = Client.Instance.PerformRequest(Client.HttpRequestMethod.Delete,
"/accounts/" + Uri.EscapeUriString(AccountCode) +
"/redemptions/" + Uri.EscapeUriString(Uuid));
"/accounts/" + Uri.EscapeDataString(AccountCode) +
"/redemptions/" + Uri.EscapeDataString(Uuid));
AccountCode = null;
CouponCode = null;
Currency = null;
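Review bot: In `Delete()` the visible lines clear `AccountCode`, `CouponCode` and `Currency` regardless of the `statusCode` captured just above them; the method body continues outside the hunk, so if that status is not examined there, a request that comes back NotFound leaves the object looking deleted. Guarding the resets with `if (statusCode == HttpStatusCode.NotFound) return;` would mirror the NotFound handling used by `Account.Get` and `Coupon.Get` elsewhere in this commit. The switch to `EscapeDataString` is correct for both segments of the path.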
2 changes: 1 addition & 1 deletion Library/Export.cs
Expand Up @@ -111,7 +111,7 @@ public static ExportFile DownloadExportFile(DateTime date, string fileName)
{
var exportFile = new ExportFile();
var statusCode = Client.Instance.PerformRequest(Client.HttpRequestMethod.Get,
string.Format(ExportFile.FileUrlPrefix, date.ToString("yyyy-MM-dd"), Uri.EscapeUriString(fileName)),
string.Format(ExportFile.FileUrlPrefix, date.ToString("yyyy-MM-dd"), Uri.EscapeDataString(fileName)),
exportFile.ReadXml);

return statusCode != HttpStatusCode.NotFound ? exportFile : null;
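Review bot: `date.ToString("yyyy-MM-dd")` on the changed line formats with the current thread culture; under a culture whose default calendar is not Gregorian the year, and therefore the requested file path, changes, so it should be `date.ToString("yyyy-MM-dd", CultureInfo.InvariantCulture)` (CA1305). The move to `Uri.EscapeDataString(fileName)` is the right one on this line: it percent-encodes `/`, so a file name can no longer add or remove path segments from `ExportFile.FileUrlPrefix`. `CultureInfo` lives in `System.Globalization`, which the file would need to import if it does not already.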
2 changes: 1 addition & 1 deletion Library/GiftCard.cs
Expand Up @@ -324,7 +324,7 @@ public static GiftCard Get(long id)
var giftCard = new GiftCard();
// GET /gift_cards/<id>
var statusCode = Client.Instance.PerformRequest(Client.HttpRequestMethod.Get,
UrlPrefix + Uri.EscapeUriString(id.ToString()),
UrlPrefix + Uri.EscapeDataString(id.ToString()),
giftCard.ReadXml);

return statusCode == HttpStatusCode.NotFound ? null : giftCard;
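Review bot: `id.ToString()` on the changed line formats a `long` with the current culture, so the only thing `EscapeDataString` can meaningfully encode here is a culture-specific negative sign; `id.ToString(CultureInfo.InvariantCulture)` makes the path independent of the thread culture, and the same applies to `Id.ToString()` in both hunks of MeasuredUnit.cs. The escape call is harmless for a non-negative id and keeps this call site uniform with the string-coded resources, so leaving it in place is fine.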
8 changes: 4 additions & 4 deletions Library/Invoice.cs
Expand Up @@ -121,7 +121,7 @@ public byte[] GetPdf(string acceptLanguage = "en-US")
public void Create(string accountCode)
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Post,
"/accounts/" + Uri.EscapeUriString(accountCode) + Invoice.UrlPrefix,
"/accounts/" + Uri.EscapeDataString(accountCode) + Invoice.UrlPrefix,
WriteXml,
ReadXml);
}
Expand All @@ -132,7 +132,7 @@ public void Create(string accountCode)
public void Preview(string accountCode)
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Post,
"/accounts/" + Uri.EscapeUriString(accountCode) + Invoice.UrlPrefix + "preview",
"/accounts/" + Uri.EscapeDataString(accountCode) + Invoice.UrlPrefix + "preview",
WriteXml,
ReadXml);
}
Expand Down Expand Up @@ -453,7 +453,7 @@ public sealed class Invoices
{
public static RecurlyList<Invoice> List(string accountCode)
{
return new InvoiceList("/accounts/" + Uri.EscapeUriString(accountCode) + "/invoices");
return new InvoiceList("/accounts/" + Uri.EscapeDataString(accountCode) + "/invoices");
}

public static RecurlyList<Invoice> List()
Expand Down Expand Up @@ -504,7 +504,7 @@ public static Invoice Create(string accountCode)
var invoice = new Invoice();

var statusCode = Client.Instance.PerformRequest(Client.HttpRequestMethod.Post,
"/accounts/" + Uri.EscapeUriString(accountCode) + Invoice.UrlPrefix,
"/accounts/" + Uri.EscapeDataString(accountCode) + Invoice.UrlPrefix,
invoice.ReadXml);

return (int)statusCode == ValidationException.HttpStatusCode ? null : invoice;
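Review bot: The four hunks build the per-account invoices path in three different shapes: `"/accounts/" + ... + Invoice.UrlPrefix` in `Create` and `Invoices.Create`, `... + Invoice.UrlPrefix + "preview"` in `Preview`, and the literal `... + "/invoices"` in `Invoices.List`. `Preview` presumably relies on `UrlPrefix` ending in `/`, in which case `List`'s literal yields a path without the trailing slash the other three produce; using `"/accounts/" + Uri.EscapeDataString(accountCode) + Invoice.UrlPrefix` in `List` as well would keep the segments consistent. This is style only; the escaping change is correct at all four sites, and the enclosing `Invoice` and `Invoices` classes continue outside these hunks.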
4 changes: 2 additions & 2 deletions Library/MeasuredUnit.cs
Expand Up @@ -56,7 +56,7 @@ public void Create()
public void Update()
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Put,
UrlPrefix + Uri.EscapeUriString(Id.ToString()),
UrlPrefix + Uri.EscapeDataString(Id.ToString()),
WriteXml);
}

Expand All @@ -66,7 +66,7 @@ public void Update()
public void Delete()
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Delete,
UrlPrefix + Uri.EscapeUriString(Id.ToString()));
UrlPrefix + Uri.EscapeDataString(Id.ToString()));
}

#region Read and Write XML documents
10 changes: 5 additions & 5 deletions Library/Plan.cs
Expand Up @@ -58,7 +58,7 @@ public RecurlyList<AddOn> AddOns
{
if (_addOns == null)
{
var url = UrlPrefix + Uri.EscapeUriString(PlanCode) + "/add_ons/";
var url = UrlPrefix + Uri.EscapeDataString(PlanCode) + "/add_ons/";
_addOns = new AddOnList(url);
}
return _addOns;
Expand Down Expand Up @@ -120,7 +120,7 @@ public void Create()
public void Update()
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Put,
UrlPrefix + Uri.EscapeUriString(PlanCode),
UrlPrefix + Uri.EscapeDataString(PlanCode),
WriteXml);
}

Expand All @@ -129,7 +129,7 @@ public void Update()
/// </summary>
public void Deactivate()
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Delete, UrlPrefix + Uri.EscapeUriString(PlanCode));
Client.Instance.PerformRequest(Client.HttpRequestMethod.Delete, UrlPrefix + Uri.EscapeDataString(PlanCode));
}

/// <summary>
Expand All @@ -149,7 +149,7 @@ public AddOn GetAddOn(string addOnCode)
var addOn = new AddOn();

var status = Client.Instance.PerformRequest(Client.HttpRequestMethod.Get,
UrlPrefix + Uri.EscapeUriString(PlanCode) + "/add_ons/" + Uri.EscapeUriString(addOnCode),
UrlPrefix + Uri.EscapeDataString(PlanCode) + "/add_ons/" + Uri.EscapeDataString(addOnCode),
addOn.ReadXml);

if (status != HttpStatusCode.OK) return null;
Expand Down Expand Up @@ -445,7 +445,7 @@ public static Plan Get(string planCode)
var plan = new Plan();

var statusCode = Client.Instance.PerformRequest(Client.HttpRequestMethod.Get,
Plan.UrlPrefix + Uri.EscapeUriString(planCode),
Plan.UrlPrefix + Uri.EscapeDataString(planCode),
plan.ReadXml);

return statusCode == HttpStatusCode.NotFound ? null : plan;