
permissions-sdk-php's Issues

How to get the Basic Personal Data?

After the permission is granted, how can I get the basic personal data, such as the e-mail address, using this? Do you have any example that I can refer to?

Granted

General information

  • SDK/Library version:
  • Environment:
  • PayPal-Debug-ID values:
  • Language, language version, and OS:

Issue description

attributeList values not recognised while listed according to documentation

Not getting personal data.

https://developer.paypal.com/docs/classic/api/permissions/GetBasicPersonalData_API_Operation/

object(GetAdvancedPersonalDataRequest) {
    requestEnvelope => object(RequestEnvelope) {
        errorLanguage => 'en_US'
    }
    attributeList => 'http://openid.net/schema/contact/internet/email'
}

and

response => object(PersonalDataList) {
        personalData => null
    }
    error => array(
        (int) 0 => object(ErrorData) {
            errorId => '580022'
            domain => 'PLATFORM'
            subdomain => 'Application'
            severity => 'Error'
            category => 'Application'
            message => 'Invalid request parameter: Requested Attributes are incorrect'
            exceptionId => null
            parameter => array(
                (int) 0 => object(ErrorParameter) {
                    name => null
                    value => 'PersonalAttributeList'
                }
            )
        }
    )

Not getting any response

I used the permissions SDK to get my balance, but I got stuck at the RequestPermissionsReceipt.php file: it shows a blank page and I didn't get any error message. How can it be fixed?

Double urldecode during authorization of the customer will replace + symbol with space symbol.

General information

  • SDK/Library version: 3.9.1
  • Environment: Sandbox and Production
  • Language, language version, and OS: PHP 7.1 - but it does not matter

Issue description

Hello PayPal team

I caught the following issue: during the call of the method GetBasicPersonalData https://github.com/paypal/permissions-sdk-php/blob/master/lib/PayPal/Service/PermissionsService.php#L141
the double urldecode in $ret->init(PPUtils::nvpToMap($resp)) will corrupt any data in the response that contains the '+' symbol. As this method returns basic user info after authorization, including the user's email, and an email can contain '+', this is the main place where the issue happens: the user's email gets corrupted (the '+' symbol is replaced with a space).

Those methods taken separately (PPMessage::init() and PPUtils::nvpToMap()) will not cause the issue; it really depends on the consumer. In our case the consumer is https://github.com/paypal/permissions-sdk-php/blob/master/lib/PayPal/Service/PermissionsService.php#L141 . PermissionsService uses both methods, which causes a double urldecode that can affect any data containing the '+' symbol.

Here is the flow of how issue appears:

I have already added notes to the closed issue https://github.com/paypal/sdk-core-php/issues/59 ; you can check it for additional info.
Currently I am preparing a PR, but as far as I can see I have to apply the PR in two different repos, paypal/sdk-core-php and paypal/permissions-sdk-php:

  1. Modify PPUtils and add a new method (one that works without urldecode); it is located here https://github.com/paypal/sdk-core-php/blob/master/lib/PayPal/Core/PPUtils.php
    in the repo paypal/sdk-core-php.
    Another possible option is to add a new argument to PPUtils::nvpToMap, bool $urldecode = true, so that inside the method we can decide whether to URL-decode, but I decided to keep the SDK interfaces unchanged; please correct me if I am wrong.

  2. Use the method defined above here https://github.com/paypal/permissions-sdk-php/blob/master/lib/PayPal/Service/PermissionsService.php#L141 (instead of PPUtils::nvpToMap($resp)) in the repo paypal/permissions-sdk-php.

But this part of the SDK relies on paypal/sdk-core-php, so we will need to specify the version that we are going to release with the other part of the fix.

Current require in paypal/permissions-sdk-php:
"paypal/sdk-core-php":"3.*"
Should be:
"paypal/sdk-core-php":">=version with fix in PPUtils"

Can you provide details about how we can properly handle such a fix that affects two repos?

Thanks in advance
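The double decode described in this issue, reproduced as an added example (not code from paypal/sdk-core-php or permissions-sdk-php); the function names nvpToMap, nvpToMapRaw and initMessage are stand-ins for the SDK methods, and the NVP field names and email address are constructed:

```php
<?php
// Added example reproducing the double urldecode reported above.
// nvpToMap(), nvpToMapRaw() and initMessage() are assumed stand-ins for
// PPUtils::nvpToMap() and PPMessage::init(), not the SDK's own code.

// Split a PayPal NVP body into a map and urldecode every value,
// as the report says PPUtils::nvpToMap() does.
function nvpToMap(string $nvp): array {
    $map = [];
    foreach (explode('&', $nvp) as $pair) {
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        $map[$k] = urldecode($v);
    }
    return $map;
}

// Same split, but values are left percent-encoded so that the
// consumer decodes them exactly once (option 1 in the report).
function nvpToMapRaw(string $nvp): array {
    $map = [];
    foreach (explode('&', $nvp) as $pair) {
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        $map[$k] = $v;
    }
    return $map;
}

// Stand-in for PPMessage::init(), which urldecodes every value it is handed.
function initMessage(array $map): array {
    return array_map('urldecode', $map);
}

// Constructed response: the user's real address is alice+test@example.com,
// sent percent-encoded ('+' as %2B, '@' as %40). Field names are constructed.
$resp = 'responseEnvelope.ack=Success'
      . '&response.personalData(0).personalDataValue=alice%2Btest%40example.com';
$field = 'response.personalData(0).personalDataValue';

// Bug: after the first decode the value holds a literal '+', which the
// second urldecode() treats as an encoded space and turns into ' '.
$buggy = initMessage(nvpToMap($resp));
echo 'double decode: ', $buggy[$field], PHP_EOL;

// Fix: hand init() the raw values so that only one decode happens and
// the '+' survives.
$fixed = initMessage(nvpToMapRaw($resp));
echo 'single decode: ', $fixed[$field], PHP_EOL;
```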

Method GetAccessToken in PermissionsService.php conflicts with getAccessToken in PayPal\Core\PPBaseService

I get the following notice when I run the PayPal permissions service.

Runtime Notice: Declaration of PayPal\Service\PermissionsService::GetAccessToken() should be compatible with PayPal\Core\PPBaseService::getAccessToken() in /vendor/paypal/permissions-sdk-php/lib/PayPal/Service/PermissionsService.php line 16

Please solve this bug as soon as possible. My framework (Symfony) does not allow me to proceed further until I resolve this notice.

I have found a Reflected XSS vulnerability in this SDK

Hello:
I have found a Reflected XSS vulnerability in this SDK.

The vulnerability exists due to insufficient filtering of user-supplied data in the "verification_code" HTTP REQUEST parameter that is passed to "permissions-sdk-php-master\samples\GetAccessToken.php". The affected source code is line 24: there is no protection on $_REQUEST['verification_code'], so if $_REQUEST['verification_code'] contains malicious JS code, line 24 will cause untrusted code to be executed on the browser side.
[screenshot of the affected source line]

So if an attacker constructs a special URL as follows and sends it to a victim, when the victim clicks the URL, the code contained in the URL will be executed in the victim's browser to do some evil.
http://your-web-root/permissions-sdk-php-master/samples/GetAccessToken.php?verification_code="><script>alert(1);</script><"

The following screenshot is the result of clicking the above URL (win7 sp1 x64 + firefox 51.0.1 32bit):
[screenshot of the result in Firefox]

Discoverer: ADLab of Venustech
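The fix a maintainer would apply for this report, as an added example rather than the sample's own code: the report does not show line 24 of samples/GetAccessToken.php, so the "before" function is an assumed reconstruction of an unescaped echo of the parameter, and the accepted code format is an assumption.

```php
<?php
// Added example: unescaped reflection of verification_code beside a hardened form.
// Not the code of permissions-sdk-php/samples/GetAccessToken.php; the "before"
// body is an assumed reconstruction, since the report only names line 24.

// Before (assumed): the raw request parameter is written straight into HTML,
// so a value containing '"><script>' closes the attribute and adds a script tag.
function renderVerificationCodeUnsafe(array $request): string {
    $code = $request['verification_code'] ?? '';
    return '<input type="text" name="verification_code" value="' . $code . '">';
}

// After: validate the value against the shape a verification code is expected
// to have, and HTML-escape it (quotes included) wherever it lands in markup.
function renderVerificationCodeSafe(array $request): string {
    $code = $request['verification_code'] ?? '';
    // Assumed format: a short token of letters, digits, '-' and '_'.
    // Anything else is rejected instead of being reflected back to the browser.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $code)) {
        http_response_code(400);
        return 'Invalid verification code.';
    }
    // Escaping is still applied: validation may be relaxed later, escaping must not be.
    $escaped = htmlspecialchars($code, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="verification_code" value="' . $escaped . '">';
}

// Constructed requests: the value from the report, and a well-formed code.
$reflected = ['verification_code' => '"><script>alert(1);</script><"'];
$normal    = ['verification_code' => 'abc123-XYZ'];

echo "before, hostile value:\n", renderVerificationCodeUnsafe($reflected), "\n\n";
echo "after, hostile value:\n",  renderVerificationCodeSafe($reflected), "\n\n";
echo "after, normal value:\n",   renderVerificationCodeSafe($normal), "\n";
```

The hardened version rejects the reported value outright, and the escaping step keeps any value that does pass validation inside the attribute rather than letting it terminate it.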

3rd Party accessToken and tokenSecret configuration not as per documentation

In the documentation (https://github.com/paypal/sdk-core-php/wiki/Configuring-the-SDK) the configuration below is shown:
acct3.UserName = certuser_biz_api1.paypal.com
acct3.Password = D6JNKKULHN3G5B8A
acct3.CertKey=password
acct3.CertPath=resource/sdk-cert.p12
acct3.AppId=APP-80W284485P519543T
acct3.accessToken = 'token from permissions API'
acct3.tokenSecret= 'token secret from permissions API'

However, upon tracking it at the code level, the SDK reads the key {prefix}accessToken, e.g.:
acct3.UserName = certuser_biz_api1.paypal.com
acct3.Password = D6JNKKULHN3G5B8A
acct3.CertKey=password
acct3.CertPath=resource/sdk-cert.p12
acct3.AppId=APP-80W284485P519543T
acct3accessToken = 'token from permissions API'
acct3tokenSecret= 'token secret from permissions API'