From d258a0e6bb605b3758ac34e1ee940a4c488534ba Mon Sep 17 00:00:00 2001
From: Kshitij
Date: Mon, 30 Sep 2024 12:03:00 +0530
Subject: [PATCH 1/5] Added logging for razorpay callback error.
---
 .../graphql/builder/RazorPaymentRequestBuilder.java | 4 ++++
 .../rest/RazorPaymentCallbackController.java | 13 +++++++++++++
 2 files changed, 17 insertions(+)
diff --git a/platform/src/main/java/com/flickmatch/platform/graphql/builder/RazorPaymentRequestBuilder.java b/platform/src/main/java/com/flickmatch/platform/graphql/builder/RazorPaymentRequestBuilder.java
index 93fcfd9d..bf2f0dd5 100644
--- a/platform/src/main/java/com/flickmatch/platform/graphql/builder/RazorPaymentRequestBuilder.java
+++ b/platform/src/main/java/com/flickmatch/platform/graphql/builder/RazorPaymentRequestBuilder.java
@@ -58,12 +58,16 @@ public RazorPaymentRequest createPaymentRequest(final String orderId,
 .build())
 .collect(Collectors.toList());
+ try {
 // Create or update the user with the provided phone number
 CreateUserInput createUserInput = CreateUserInput.builder()
 .email(email) // Assuming you have the email from the payment request
 .phoneNumber(phoneNumber)
 .build();
 userBuilder.createUser(createUserInput);
+ } catch (Exception e) {
+ log.error("Error creating user: " + e.getMessage());
+ }
 // System.out.println(orderId + " " + uniqueEventId + " " + " " + date + " " + location + " " + gameNumber + " " +email);
 RazorPaymentRequest razorPaymentRequest = RazorPaymentRequest.builder()
diff --git a/platform/src/main/java/com/flickmatch/platform/rest/RazorPaymentCallbackController.java b/platform/src/main/java/com/flickmatch/platform/rest/RazorPaymentCallbackController.java
index efb70072..95197845 100644
--- a/platform/src/main/java/com/flickmatch/platform/rest/RazorPaymentCallbackController.java
+++ b/platform/src/main/java/com/flickmatch/platform/rest/RazorPaymentCallbackController.java
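Review bot: The new catch block logs only `e.getMessage()` by string concatenation, so the exception type and stack trace are lost and a null message prints as `null`; pass the throwable as the last argument and use a placeholder, `log.error("Error creating user for order {}: {}", orderId, e.getMessage(), e);`. Catching `Exception` here also means the payment request is still built after user creation failed, which may be intended as best-effort; if so, say it in the comment, e.g. `// best-effort: a failed user upsert must not block the payment request`. createPaymentRequest starts and ends outside the hunk.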
@@ -53,6 +53,7 @@ public ResponseEntity processRazorCallback(@RequestParam("razorpay_order_id")
 @RequestParam("razorpay_payment_id") String paymentId,
 @RequestParam("razorpay_signature") String signature) {
+ log.info("Processing callback for order " + orderId);
 String uniqueEventId;
 int flag=0;
 try {
@@ -62,6 +63,9 @@ public ResponseEntity processRazorCallback(@RequestParam("razorpay_order_id")
 options.put("razorpay_payment_id",paymentId);
 options.put("razorpay_signature", signature);
 RazorPaymentRequest paymentRequest = paymentRequestBuilder.getPaymentRequest(orderId);
+
+ log.info("Processing callback for email " + paymentRequest.getEmail() + " and uniqueEventId " + paymentRequest.getUniqueEventId());
+
 uniqueEventId = paymentRequest.getUniqueEventId();
 String[] parts =uniqueEventId.split("-");
@@ -72,6 +76,11 @@ public ResponseEntity processRazorCallback(@RequestParam("razorpay_order_id")
 // https://razorpay.com/docs/payments/server-integration/java/payment-gateway/build-integration/#generate-signature-on-your-server
 boolean status = Utils.verifyPaymentSignature(options, secret);
+
+ log.info("OrderId: {}, PaymentId: {}, Signature: {}", orderId, paymentId, signature);
+ log.info("Secret key: {}", secret);
+ log.info("Status: {}", status);
+
 if(status) {
 if(PAID_STATUS.equals(paymentRequest.getStatus())) {
 log.info("Ignoring duplicate payments.");
@@ -91,6 +100,8 @@ public ResponseEntity processRazorCallback(@RequestParam("razorpay_order_id")
 }
 }
+ log.info("Proceeding for redirection part.");
+
 try {
 eventDate = LocalDate.parse(dateStr, formatter);
 } catch (DateTimeParseException e) {
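Review bot: `log.info("Secret key: {}", secret);` in the `@@ -72` hunk writes the value passed to `Utils.verifyPaymentSignature` — the signing secret — to the application log at INFO on every callback, where it persists in log storage and any aggregator; delete that line outright rather than sanitize it. The `OrderId/PaymentId/Signature` line on the same hunk and the customer email logged in the `@@ -62` hunk are request and customer data that belong at DEBUG at most, e.g. `log.debug("OrderId: {}, PaymentId: {}", orderId, paymentId);` without the signature. Patch 4/5 of this series removes the secret line again, but any environment that ran this intermediate build has the secret in its logs and should rotate it. processRazorCallback starts and ends outside these hunks.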
@@ -107,10 +118,12 @@ public ResponseEntity processRazorCallback(@RequestParam("razorpay_order_id")
 catch (Exception e) {
 log.error("Error processing callback: {}", e.getLocalizedMessage());
 return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body("Error processing callback");
+// log.error("Error processing callback: {}", e.getMessage(), e);
 }
+ // whatsAppProxy.sendNotification(eventBuilder.getEventDataForNotification(uniqueEventId));
 HttpHeaders headers = new HttpHeaders();
 if (flag==1) {
From 4733ff93e59543ed667735dc36585069f5003308 Mon Sep 17 00:00:00 2001
From: Kshitij
Date: Mon, 30 Sep 2024 12:04:21 +0530
Subject: [PATCH 2/5] Removed unecessary logs.
---
 .../com/flickmatch/platform/graphql/builder/EventBuilder.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/platform/src/main/java/com/flickmatch/platform/graphql/builder/EventBuilder.java b/platform/src/main/java/com/flickmatch/platform/graphql/builder/EventBuilder.java
index 6eeb0c32..4c7c4373 100644
--- a/platform/src/main/java/com/flickmatch/platform/graphql/builder/EventBuilder.java
+++ b/platform/src/main/java/com/flickmatch/platform/graphql/builder/EventBuilder.java
@@ -109,7 +109,7 @@ public List getEvents(String cityId,
 // Fetch all events within the date range
 List eventsInRange = eventRepository.findByEventIdCityIdAndEventIdDateBetween(cityId, startFormattedDate, endFormattedDate);
- System.out.println("total events retrieved= " + eventsInRange.size());
+// System.out.println("total events retrieved= " + eventsInRange.size());
 for (Event event : eventsInRange) {
 String eventDate = event.getDate();
From 809a4cfdef46f5d33efe0010bad3be94accc91b6 Mon Sep 17 00:00:00 2001
From: flickkshitij <160223447+flickkshitij@users.noreply.github.com>
Date: Mon, 30 Sep 2024 12:08:51 +0530
Subject: [PATCH 3/5] Fix code scanning alert no. 12: Log Injection
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
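Review bot: The `log.error` added after the `return` inside the catch block is commented out and would be unreachable anyway, and the `// whatsAppProxy...` line is also dead code; both should be deleted rather than kept as comments. The live line above drops the throwable, so a failing callback leaves no stack trace: `log.error("Error processing callback: {}", e.getLocalizedMessage(), e);`. processRazorCallback starts and ends outside the hunk.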
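Review bot: Commenting out the `System.out.println` leaves dead code in getEvents; delete the line, or if the count is still useful keep it behind the logger at debug level, `log.debug("total events retrieved= {}", eventsInRange.size());` (assuming EventBuilder has a `log` field, which the hunk does not show). getEvents starts and ends outside the hunk.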
Signed-off-by: flickkshitij <160223447+flickkshitij@users.noreply.github.com>
---
 .../platform/rest/RazorPaymentCallbackController.java | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/platform/src/main/java/com/flickmatch/platform/rest/RazorPaymentCallbackController.java b/platform/src/main/java/com/flickmatch/platform/rest/RazorPaymentCallbackController.java
index 95197845..b46fbb00 100644
--- a/platform/src/main/java/com/flickmatch/platform/rest/RazorPaymentCallbackController.java
+++ b/platform/src/main/java/com/flickmatch/platform/rest/RazorPaymentCallbackController.java
@@ -53,7 +53,8 @@ public ResponseEntity processRazorCallback(@RequestParam("razorpay_order_id")
 @RequestParam("razorpay_payment_id") String paymentId,
 @RequestParam("razorpay_signature") String signature) {
- log.info("Processing callback for order " + orderId);
+ String sanitizedOrderId = orderId.replace("\n", "").replace("\r", "");
+ log.info("Processing callback for order {}", sanitizedOrderId);
 String uniqueEventId;
 int flag=0;
 try {
@@ -77,7 +78,7 @@ public ResponseEntity processRazorCallback(@RequestParam("razorpay_order_id")
 boolean status = Utils.verifyPaymentSignature(options, secret);
- log.info("OrderId: {}, PaymentId: {}, Signature: {}", orderId, paymentId, signature);
+ log.info("OrderId: {}, PaymentId: {}, Signature: {}", sanitizedOrderId, paymentId, signature);
 log.info("Secret key: {}", secret);
 log.info("Status: {}", status);
@@ -94,7 +95,7 @@ public ResponseEntity processRazorCallback(@RequestParam("razorpay_order_id")
 else {
 if (orderId.matches("\\w+")) {
- log.info("Invalid signature for orderId : " + orderId);
+ log.info("Invalid signature for orderId : {}", sanitizedOrderId);
 } else {
 log.info("Invalid signature for orderId :[INVALID]");
 }
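Review bot: The sanitization stops at `orderId`: in the `@@ -77` hunk `paymentId` and `signature`, both request parameters, still reach the same INFO line unchanged, and the `Secret key` line directly under it still writes the verification secret to the log. Apply the same CR/LF stripping to the other two parameters (better, through one helper) and drop the secret line, e.g. `log.info("OrderId: {}, PaymentId: {}", sanitizedOrderId, paymentId.replace("\n", "").replace("\r", ""));`. processRazorCallback starts and ends outside these hunks.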
@@ -127,10 +128,10 @@ public ResponseEntity processRazorCallback(@RequestParam("razorpay_order_id")
 // whatsAppProxy.sendNotification(eventBuilder.getEventDataForNotification(uniqueEventId));
 HttpHeaders headers = new HttpHeaders();
 if (flag==1) {
- headers.add("Location", "https://play.flickmatch.in/event/" + uniqueEventId);
+ headers.add("Location", "https://play.flickmatch.in/event/" + sanitizedOrderId);
 }
 else {
- headers.add("Location", "https://play.flickmatch.in/match-queues#"+uniqueEventId);
+ headers.add("Location", "https://play.flickmatch.in/match-queues#" + sanitizedOrderId);
 }
 return new ResponseEntity<>(headers, HttpStatus.FOUND);
From 10dad73d66f4126d4d50e52ab4c3220ba1d7260c Mon Sep 17 00:00:00 2001
From: Kshitij
Date: Mon, 30 Sep 2024 12:18:40 +0530
Subject: [PATCH 4/5] Removed code ql warnings.
---
 .../graphql/controller/PaymentController.java | 11 +++++++++--
 .../platform/rest/RazorPaymentCallbackController.java | 8 ++++++--
 2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/platform/src/main/java/com/flickmatch/platform/graphql/controller/PaymentController.java b/platform/src/main/java/com/flickmatch/platform/graphql/controller/PaymentController.java
index a42b7a4d..a879d2e3 100644
--- a/platform/src/main/java/com/flickmatch/platform/graphql/controller/PaymentController.java
+++ b/platform/src/main/java/com/flickmatch/platform/graphql/controller/PaymentController.java
@@ -66,6 +66,11 @@ public InitiatePaymentOutput initiatePayment(@Argument InitiatePaymentInput inpu
 @Autowired
 RazorPayProxy razorPayProxy;
+ public String sanitizeLog(String input) {
+ return input.replaceAll("[\r\n]", ""); // Remove line breaks to prevent log injection
+ }
+
+
 String formatDateToString(LocalDate date) {
 return date.format(DateTimeFormatter.ofPattern("yyyy-MM-dd"));
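Review bot: Both `Location` headers now use `sanitizedOrderId` where the old code used `uniqueEventId`, so after a successful payment the browser is redirected to `/event/<razorpay order id>` instead of the event page — a functional change well beyond stripping CR/LF, and one that lets the `razorpay_order_id` request parameter choose the redirect path. If the alert was header injection through `uniqueEventId`, sanitize or validate that value and keep it as the target, e.g. `String eventPath = uniqueEventId.replace("\n", "").replace("\r", "");` then `headers.add("Location", "https://play.flickmatch.in/event/" + eventPath);`, and likewise for the `match-queues#` branch. The hunk only shows `uniqueEventId` coming from `paymentRequest.getUniqueEventId()` earlier in the method, so a stricter allow-list pattern on it may be the better check. processRazorCallback starts outside the hunk.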
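Review bot: `sanitizeLog` is declared `public` on the controller although it is an internal helper that reads no instance state, and it throws `NullPointerException` for a null argument; `private static String sanitizeLog(String input) { return input == null ? "" : input.replaceAll("[\r\n]", ""); }` covers both. The two blank lines added after the closing brace are stray whitespace. RazorPaymentCallbackController gets its own `sanitizeForLog` later in this series; one shared helper would keep the two from drifting.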
@@ -86,8 +91,10 @@ public RazorPayOutput initiateRazorPayment(@Argument RazorPayInput input) {
 String phoneNumber = input.getPhoneNumber();
 // Log the phone number before creating the payment request
- log.info("Phone number to be saved: {}", phoneNumber);
- log.info("Razorpay OrderId Generated", orderId);
+// log.info("Phone number to be saved: {}", phoneNumber);
+// log.info("Razorpay OrderId Generated", orderId);
+ log.info("Phone number to be saved: {}", sanitizeLog(phoneNumber));
+ log.info("Razorpay OrderId Generated", sanitizeLog(orderId));
 razorPaymentRequestBuilder.createPaymentRequest(orderId, input.getUniqueEventId(), input.getPlayerInputList(), dateString, location, gameNumber,email, phoneNumber);
diff --git a/platform/src/main/java/com/flickmatch/platform/rest/RazorPaymentCallbackController.java b/platform/src/main/java/com/flickmatch/platform/rest/RazorPaymentCallbackController.java
index 95197845..cdc8b323 100644
--- a/platform/src/main/java/com/flickmatch/platform/rest/RazorPaymentCallbackController.java
+++ b/platform/src/main/java/com/flickmatch/platform/rest/RazorPaymentCallbackController.java
@@ -77,8 +77,12 @@ public ResponseEntity processRazorCallback(@RequestParam("razorpay_order_id")
 boolean status = Utils.verifyPaymentSignature(options, secret);
- log.info("OrderId: {}, PaymentId: {}, Signature: {}", orderId, paymentId, signature);
- log.info("Secret key: {}", secret);
+ // Sanitize user inputs to avoid log injection
+ String sanitizedOrderId = orderId.replaceAll("[\n\r]", "");
+ String sanitizedPaymentId = paymentId.replaceAll("[\n\r]", "");
+ String sanitizedSignature = signature.replaceAll("[\n\r]", "");
+
+ log.info("OrderId: {}, PaymentId: {}, Signature: {}", sanitizedOrderId, sanitizedPaymentId, sanitizedSignature);
 log.info("Status: {}", status);
 if(status) {
From c8a11257f868543d90d981c481200eaef7b3ccc3 Mon Sep 17 00:00:00 2001
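Review bot: `log.info("Razorpay OrderId Generated", sanitizeLog(orderId));` has no `{}` placeholder, so the order id is never printed — the commit reproduces the defect of the line it replaces instead of fixing it: `log.info("Razorpay OrderId Generated {}", sanitizeLog(orderId));`. The two commented-out `log.info` lines should be deleted rather than kept. The phone number is customer data written at INFO on every initiation; DEBUG level or masking all but the last digits would be more appropriate. initiateRazorPayment starts and ends outside the hunk.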
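Review bot: `String sanitizedOrderId = orderId.replaceAll("[\n\r]", "");` re-declares a local that patch 3 of this series already introduces at the top of processRazorCallback (its `@@ -53` hunk), so applying both commits yields a duplicate-variable compile error in one method; the `index 95197845..cdc8b323` line shows this patch was cut against the pre-patch-3 blob, and patch 5 works around it by commenting the line out. Drop the re-declaration and reuse the existing local, keeping only `String sanitizedPaymentId = paymentId.replaceAll("[\n\r]", "");` and `String sanitizedSignature = signature.replaceAll("[\n\r]", "");`. Removing the `Secret key` line is the right call. processRazorCallback starts and ends outside the hunk.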
From: Kshitij
Date: Mon, 30 Sep 2024 12:29:22 +0530
Subject: [PATCH 5/5] Sanitized logs.
---
 .../rest/RazorPaymentCallbackController.java | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/platform/src/main/java/com/flickmatch/platform/rest/RazorPaymentCallbackController.java b/platform/src/main/java/com/flickmatch/platform/rest/RazorPaymentCallbackController.java
index 60381180..cb9c7760 100644
--- a/platform/src/main/java/com/flickmatch/platform/rest/RazorPaymentCallbackController.java
+++ b/platform/src/main/java/com/flickmatch/platform/rest/RazorPaymentCallbackController.java
@@ -43,6 +43,13 @@ public class RazorPaymentCallbackController {
 @Value("${razorpay.key.secret}")
 private String secret;
+ // Utility method to sanitize inputs for logging
+ private String sanitizeForLog(String input) {
+ if (input == null) return ""; // Avoid NullPointerException
+ return input.replaceAll("[\n\r\t]", "_") // Replace newline, carriage return, tab with underscore
+ .replaceAll("[^\\p{Print}]", ""); // Remove non-printable characters
+ }
+
 // @Autowired
 // WhatsAppProxy whatsAppProxy;
@@ -53,7 +60,7 @@ public ResponseEntity processRazorCallback(@RequestParam("razorpay_order_id")
 @RequestParam("razorpay_payment_id") String paymentId,
 @RequestParam("razorpay_signature") String signature) {
- String sanitizedOrderId = orderId.replace("\n", "").replace("\r", "");
+ String sanitizedOrderId = sanitizeForLog(orderId);
 log.info("Processing callback for order {}", sanitizedOrderId);
 String uniqueEventId;
 int flag=0;
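Review bot: `[^\\p{Print}]` in `sanitizeForLog` is the POSIX, ASCII-only class in `java.util.regex` unless `UNICODE_CHARACTER_CLASS` is set, so every non-ASCII character is silently deleted, not just control characters; for order and payment ids that is probably harmless, but the method name invites reuse on names or emails. Use `\\p{Cntrl}` (or `(?U)[^\\p{Print}]`) to target control characters, make the helper `private static`, and keep the two patterns in `private static final Pattern` fields instead of recompiling them on every call. Because patch 3 of this series builds the `Location` header from `sanitizedOrderId`, the `@@ -53` hunk below now feeds this log-oriented transform (newlines become `_`) into a redirect URL it was not written for; URL construction should use the original value with its own validation.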
@@ -80,8 +87,8 @@ public ResponseEntity processRazorCallback(@RequestParam("razorpay_order_id")
 // Sanitize user inputs to avoid log injection
 // String sanitizedOrderId = orderId.replaceAll("[\n\r]", "");
- String sanitizedPaymentId = paymentId.replaceAll("[\n\r]", "");
- String sanitizedSignature = signature.replaceAll("[\n\r]", "");
+ String sanitizedPaymentId = sanitizeForLog(paymentId);
+ String sanitizedSignature = sanitizeForLog(signature);
 log.info("OrderId: {}, PaymentId: {}, Signature: {}", sanitizedOrderId, sanitizedPaymentId, sanitizedSignature);
 log.info("Status: {}", status);