Permalink
Browse files

SSRF fix: replace EscapeUriString with EscapeDataString

  • Loading branch information...
bhelx committed Nov 8, 2017
1 parent cef02a8 commit 9eef460c0084afd5c24d66220c8b7a381cf9a1f1
View
@@ -145,7 +145,7 @@ internal Account()
public void DeleteBillingInfo()
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Delete,
UrlPrefix + Uri.EscapeUriString(AccountCode) + "/billing_info");
UrlPrefix + Uri.EscapeDataString(AccountCode) + "/billing_info");
_billingInfo = null;
}
@@ -165,7 +165,7 @@ public void Update()
{
// PUT /accounts/<account code>
Client.Instance.PerformRequest(Client.HttpRequestMethod.Put,
UrlPrefix + Uri.EscapeUriString(AccountCode),
UrlPrefix + Uri.EscapeDataString(AccountCode),
WriteXml);
}
@@ -199,7 +199,7 @@ public Invoice InvoicePendingCharges(Invoice invoice = null)
{
var i = invoice ?? new Invoice();
Client.Instance.PerformRequest(Client.HttpRequestMethod.Post,
UrlPrefix + Uri.EscapeUriString(AccountCode) + "/invoices",
UrlPrefix + Uri.EscapeDataString(AccountCode) + "/invoices",
i.WriteXml,
i.ReadXml);
@@ -213,7 +213,7 @@ public Invoice PreviewInvoicePendingCharges(Invoice invoice = null)
{
var i = invoice ?? new Invoice();
Client.Instance.PerformRequest(Client.HttpRequestMethod.Post,
UrlPrefix + Uri.EscapeUriString(AccountCode) + "/invoices/preview",
UrlPrefix + Uri.EscapeDataString(AccountCode) + "/invoices/preview",
i.WriteXml,
i.ReadXml);
@@ -231,7 +231,7 @@ public Invoice PreviewInvoicePendingCharges(Invoice invoice = null)
{
var adjustments = new AdjustmentList();
var statusCode = Client.Instance.PerformRequest(Client.HttpRequestMethod.Get,
UrlPrefix + Uri.EscapeUriString(AccountCode) + "/adjustments/"
UrlPrefix + Uri.EscapeDataString(AccountCode) + "/adjustments/"
+ Build.QueryStringWith(Adjustment.AdjustmentState.Any == state ? "" : "state=" + state.ToString().EnumNameToTransportCase())
.AndWith(Adjustment.AdjustmentType.All == type ? "" : "type=" + type.ToString().EnumNameToTransportCase())
, adjustments.ReadXmlList);
@@ -247,7 +247,7 @@ public RecurlyList<ShippingAddress> GetShippingAddresses()
{
var shippingAddresses = new ShippingAddressList(this);
var statusCode = Client.Instance.PerformRequest(Client.HttpRequestMethod.Get,
UrlPrefix + Uri.EscapeUriString(AccountCode) + "/shipping_addresses/",
UrlPrefix + Uri.EscapeDataString(AccountCode) + "/shipping_addresses/",
shippingAddresses.ReadXmlList);
return statusCode == HttpStatusCode.NotFound ? null : shippingAddresses;
@@ -269,7 +269,7 @@ public RecurlyList<Invoice> GetInvoices()
/// <returns></returns>
public RecurlyList<Subscription> GetSubscriptions(Subscription.SubscriptionState state = Subscription.SubscriptionState.All)
{
return new SubscriptionList(UrlPrefix + Uri.EscapeUriString(AccountCode) + "/subscriptions/"
return new SubscriptionList(UrlPrefix + Uri.EscapeDataString(AccountCode) + "/subscriptions/"
+ Build.QueryStringWith(state.Equals(Subscription.SubscriptionState.All) ? "" : "state=" + state.ToString().EnumNameToTransportCase()));
}
@@ -282,14 +282,14 @@ public RecurlyList<Subscription> GetSubscriptions(Subscription.SubscriptionState
public RecurlyList<Transaction> GetTransactions(TransactionList.TransactionState state = TransactionList.TransactionState.All,
TransactionList.TransactionType type = TransactionList.TransactionType.All)
{
return new TransactionList(UrlPrefix + Uri.EscapeUriString(AccountCode) + "/transactions/"
return new TransactionList(UrlPrefix + Uri.EscapeDataString(AccountCode) + "/transactions/"
+ Build.QueryStringWith(state != TransactionList.TransactionState.All ? "state=" + state.ToString().EnumNameToTransportCase() : "")
.AndWith(type != TransactionList.TransactionType.All ? "type=" + type.ToString().EnumNameToTransportCase() : ""));
}
public RecurlyList<Note> GetNotes()
{
return new NoteList(UrlPrefix + Uri.EscapeUriString(AccountCode) + "/notes/");
return new NoteList(UrlPrefix + Uri.EscapeDataString(AccountCode) + "/notes/");
}
/// <summary>
@@ -328,7 +328,7 @@ public RecurlyList<CouponRedemption> GetActiveRedemptions()
var redemptions = new CouponRedemptionList();
var statusCode = Client.Instance.PerformRequest(Client.HttpRequestMethod.Get,
UrlPrefix + Uri.EscapeUriString(AccountCode) + "/redemptions",
UrlPrefix + Uri.EscapeDataString(AccountCode) + "/redemptions",
redemptions.ReadXmlList);
return statusCode == HttpStatusCode.NotFound ? null : redemptions;
@@ -560,7 +560,7 @@ public static Account Get(string accountCode)
var account = new Account();
// GET /accounts/<account code>
var statusCode = Client.Instance.PerformRequest(Client.HttpRequestMethod.Get,
UrlPrefix + Uri.EscapeUriString(accountCode),
UrlPrefix + Uri.EscapeDataString(accountCode),
account.ReadXml);
return statusCode == HttpStatusCode.NotFound ? null : account;
@@ -575,7 +575,7 @@ public static void Close(string accountCode)
{
// DELETE /accounts/<account code>
Client.Instance.PerformRequest(Client.HttpRequestMethod.Delete,
Account.UrlPrefix + Uri.EscapeUriString(accountCode));
Account.UrlPrefix + Uri.EscapeDataString(accountCode));
}
/// <summary>
@@ -586,7 +586,7 @@ public static void Reopen(string accountCode)
{
// PUT /accounts/<account code>/reopen
Client.Instance.PerformRequest(Client.HttpRequestMethod.Put,
Account.UrlPrefix + Uri.EscapeUriString(accountCode) + "/reopen");
Account.UrlPrefix + Uri.EscapeDataString(accountCode) + "/reopen");
}
/// <summary>
@@ -19,7 +19,7 @@ public static AccountBalance Get(string accountCode)
var accountBalance = new AccountBalance();
var statusCode = Client.Instance.PerformRequest(Client.HttpRequestMethod.Get,
UrlPrefix + Uri.EscapeUriString(accountCode) + "/balance", accountBalance.ReadXml);
UrlPrefix + Uri.EscapeDataString(accountCode) + "/balance", accountBalance.ReadXml);
return statusCode == HttpStatusCode.NotFound ? null : accountBalance;
}
View
@@ -64,7 +64,7 @@ internal AddOn(string planCode, string addOnCode, string name)
public void Create()
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Post,
UrlPrefix + Uri.EscapeUriString(PlanCode) + UrlPostfix,
UrlPrefix + Uri.EscapeDataString(PlanCode) + UrlPostfix,
WriteXml,
ReadXml);
}
@@ -75,7 +75,7 @@ public void Create()
public void Update()
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Put,
UrlPrefix + Uri.EscapeUriString(PlanCode) + UrlPostfix + Uri.EscapeUriString(AddOnCode),
UrlPrefix + Uri.EscapeDataString(PlanCode) + UrlPostfix + Uri.EscapeDataString(AddOnCode),
WriteXml,
ReadXml);
}
@@ -86,7 +86,7 @@ public void Update()
public void Delete()
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Delete,
UrlPrefix + Uri.EscapeUriString(PlanCode) + UrlPostfix + Uri.EscapeUriString(AddOnCode));
UrlPrefix + Uri.EscapeDataString(PlanCode) + UrlPostfix + Uri.EscapeDataString(AddOnCode));
}
View
@@ -115,7 +115,7 @@ public void Create()
{
// POST /accounts/<account code>/adjustments
Client.Instance.PerformRequest(Client.HttpRequestMethod.Post,
UrlPrefix + Uri.EscapeUriString(AccountCode) + UrlPostfix,
UrlPrefix + Uri.EscapeDataString(AccountCode) + UrlPostfix,
WriteXml,
ReadXml);
}
@@ -129,7 +129,7 @@ public void Delete()
{
// DELETE /adjustments/<uuid>
Client.Instance.PerformRequest(Client.HttpRequestMethod.Delete,
UrlPostfix + Uri.EscapeUriString(Uuid));
UrlPostfix + Uri.EscapeDataString(Uuid));
}
@@ -284,7 +284,7 @@ public static Adjustment Get(string uuid)
{
var adjustment = new Adjustment();
Client.Instance.PerformRequest(Client.HttpRequestMethod.Get,
"/adjustments/" + Uri.EscapeUriString(uuid),
"/adjustments/" + Uri.EscapeDataString(uuid),
adjustment.ReadXml);
return adjustment;
}
View
@@ -186,7 +186,7 @@ public void Update()
private static string BillingInfoUrl(string accountCode)
{
return UrlPrefix + Uri.EscapeUriString(accountCode) + UrlPostfix;
return UrlPrefix + Uri.EscapeDataString(accountCode) + UrlPostfix;
}
internal override void ReadXml(XmlTextReader reader)
View
@@ -175,14 +175,14 @@ public void Create()
public void Update()
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Put,
UrlPrefix + Uri.EscapeUriString(CouponCode),
UrlPrefix + Uri.EscapeDataString(CouponCode),
WriteXmlUpdate);
}
public void Restore()
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Put,
UrlPrefix + Uri.EscapeUriString(CouponCode) + "/restore",
UrlPrefix + Uri.EscapeDataString(CouponCode) + "/restore",
WriteXmlUpdate);
}
@@ -192,7 +192,7 @@ public void Restore()
public void Deactivate()
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Delete,
UrlPrefix + Uri.EscapeUriString(CouponCode));
UrlPrefix + Uri.EscapeDataString(CouponCode));
}
public RecurlyList<Coupon> GetUniqueCouponCodes()
@@ -535,7 +535,7 @@ public static Coupon Get(string couponCode)
var coupon = new Coupon();
var statusCode = Client.Instance.PerformRequest(Client.HttpRequestMethod.Get,
Coupon.UrlPrefix + Uri.EscapeUriString(couponCode),
Coupon.UrlPrefix + Uri.EscapeDataString(couponCode),
coupon.ReadXml);
return statusCode == HttpStatusCode.NotFound ? null : coupon;
@@ -46,7 +46,7 @@ internal static CouponRedemption Redeem(string accountCode, string couponCode, s
var cr = new CouponRedemption {AccountCode = accountCode, Currency = currency, SubscriptionUuid = subscriptionUuid};
var statusCode = Client.Instance.PerformRequest(Client.HttpRequestMethod.Post,
"/coupons/" + Uri.EscapeUriString(couponCode) + "/redeem",
"/coupons/" + Uri.EscapeDataString(couponCode) + "/redeem",
cr.WriteXml,
cr.ReadXml);
@@ -60,8 +60,8 @@ internal static CouponRedemption Redeem(string accountCode, string couponCode, s
public void Delete()
{
var statusCode = Client.Instance.PerformRequest(Client.HttpRequestMethod.Delete,
"/accounts/" + Uri.EscapeUriString(AccountCode) +
"/redemptions/" + Uri.EscapeUriString(Uuid));
"/accounts/" + Uri.EscapeDataString(AccountCode) +
"/redemptions/" + Uri.EscapeDataString(Uuid));
AccountCode = null;
CouponCode = null;
Currency = null;
View
@@ -111,7 +111,7 @@ public static ExportFile DownloadExportFile(DateTime date, string fileName)
{
var exportFile = new ExportFile();
var statusCode = Client.Instance.PerformRequest(Client.HttpRequestMethod.Get,
string.Format(ExportFile.FileUrlPrefix, date.ToString("yyyy-MM-dd"), Uri.EscapeUriString(fileName)),
string.Format(ExportFile.FileUrlPrefix, date.ToString("yyyy-MM-dd"), Uri.EscapeDataString(fileName)),
exportFile.ReadXml);
return statusCode != HttpStatusCode.NotFound ? exportFile : null;
View
@@ -324,7 +324,7 @@ public static GiftCard Get(long id)
var giftCard = new GiftCard();
// GET /gift_cards/<id>
var statusCode = Client.Instance.PerformRequest(Client.HttpRequestMethod.Get,
UrlPrefix + Uri.EscapeUriString(id.ToString()),
UrlPrefix + Uri.EscapeDataString(id.ToString()),
giftCard.ReadXml);
return statusCode == HttpStatusCode.NotFound ? null : giftCard;
View
@@ -121,7 +121,7 @@ public byte[] GetPdf(string acceptLanguage = "en-US")
public void Create(string accountCode)
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Post,
"/accounts/" + Uri.EscapeUriString(accountCode) + Invoice.UrlPrefix,
"/accounts/" + Uri.EscapeDataString(accountCode) + Invoice.UrlPrefix,
WriteXml,
ReadXml);
}
@@ -132,7 +132,7 @@ public void Create(string accountCode)
public void Preview(string accountCode)
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Post,
"/accounts/" + Uri.EscapeUriString(accountCode) + Invoice.UrlPrefix + "preview",
"/accounts/" + Uri.EscapeDataString(accountCode) + Invoice.UrlPrefix + "preview",
WriteXml,
ReadXml);
}
@@ -453,7 +453,7 @@ public sealed class Invoices
{
public static RecurlyList<Invoice> List(string accountCode)
{
return new InvoiceList("/accounts/" + Uri.EscapeUriString(accountCode) + "/invoices");
return new InvoiceList("/accounts/" + Uri.EscapeDataString(accountCode) + "/invoices");
}
public static RecurlyList<Invoice> List()
@@ -504,7 +504,7 @@ public static Invoice Create(string accountCode)
var invoice = new Invoice();
var statusCode = Client.Instance.PerformRequest(Client.HttpRequestMethod.Post,
"/accounts/" + Uri.EscapeUriString(accountCode) + Invoice.UrlPrefix,
"/accounts/" + Uri.EscapeDataString(accountCode) + Invoice.UrlPrefix,
invoice.ReadXml);
return (int)statusCode == ValidationException.HttpStatusCode ? null : invoice;
View
@@ -56,7 +56,7 @@ public void Create()
public void Update()
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Put,
UrlPrefix + Uri.EscapeUriString(Id.ToString()),
UrlPrefix + Uri.EscapeDataString(Id.ToString()),
WriteXml);
}
@@ -66,7 +66,7 @@ public void Update()
public void Delete()
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Delete,
UrlPrefix + Uri.EscapeUriString(Id.ToString()));
UrlPrefix + Uri.EscapeDataString(Id.ToString()));
}
#region Read and Write XML documents
View
@@ -58,7 +58,7 @@ public RecurlyList<AddOn> AddOns
{
if (_addOns == null)
{
var url = UrlPrefix + Uri.EscapeUriString(PlanCode) + "/add_ons/";
var url = UrlPrefix + Uri.EscapeDataString(PlanCode) + "/add_ons/";
_addOns = new AddOnList(url);
}
return _addOns;
@@ -120,7 +120,7 @@ public void Create()
public void Update()
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Put,
UrlPrefix + Uri.EscapeUriString(PlanCode),
UrlPrefix + Uri.EscapeDataString(PlanCode),
WriteXml);
}
@@ -129,7 +129,7 @@ public void Update()
/// </summary>
public void Deactivate()
{
Client.Instance.PerformRequest(Client.HttpRequestMethod.Delete, UrlPrefix + Uri.EscapeUriString(PlanCode));
Client.Instance.PerformRequest(Client.HttpRequestMethod.Delete, UrlPrefix + Uri.EscapeDataString(PlanCode));
}
/// <summary>
@@ -149,7 +149,7 @@ public AddOn GetAddOn(string addOnCode)
var addOn = new AddOn();
var status = Client.Instance.PerformRequest(Client.HttpRequestMethod.Get,
UrlPrefix + Uri.EscapeUriString(PlanCode) + "/add_ons/" + Uri.EscapeUriString(addOnCode),
UrlPrefix + Uri.EscapeDataString(PlanCode) + "/add_ons/" + Uri.EscapeDataString(addOnCode),
addOn.ReadXml);
if (status != HttpStatusCode.OK) return null;
@@ -445,7 +445,7 @@ public static Plan Get(string planCode)
var plan = new Plan();
var statusCode = Client.Instance.PerformRequest(Client.HttpRequestMethod.Get,
Plan.UrlPrefix + Uri.EscapeUriString(planCode),
Plan.UrlPrefix + Uri.EscapeDataString(planCode),
plan.ReadXml);
return statusCode == HttpStatusCode.NotFound ? null : plan;
Oops, something went wrong.

0 comments on commit 9eef460

Please sign in to comment.