Skip to content

Commit

Permalink
Upgrade rexml to 3.3.4 to address CVE-2024-39908, 41123, 41946 (#5181)
Browse files Browse the repository at this point in the history
* Upgrade rexml to 3.3.2

This resolves CVE-2024-39908 : DoS in REXML

* Apply suggestion

* Fix tests

* Upgrade rexml to 3.3.4
  • Loading branch information
raymzag authored Aug 2, 2024
1 parent f788fd8 commit f2ed5b6
Show file tree
Hide file tree
Showing 4 changed files with 5 additions and 15 deletions.
2 changes: 1 addition & 1 deletion activemerchant.gemspec
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ Gem::Specification.new do |s|
s.add_dependency('builder', '>= 2.1.2', '< 4.0.0')
s.add_dependency('i18n', '>= 0.6.9')
s.add_dependency('nokogiri', '~> 1.4')
s.add_dependency('rexml', '~> 3.2.5')
s.add_dependency('rexml', '~> 3.3', '>= 3.3.4')

s.add_development_dependency('mocha', '~> 1')
s.add_development_dependency('pry')
Expand Down
6 changes: 3 additions & 3 deletions test/unit/gateways/mercury_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -126,7 +126,7 @@ def test_transcript_scrubbing

def successful_purchase_response
<<~RESPONSE
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><CreditTransactionResponse xmlns="http://www.mercurypay.com"><CreditTransactionResult><?xml version="1.0"?>
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><CreditTransactionResponse xmlns="http://www.mercurypay.com"><CreditTransactionResult>
<RStream>
<CmdResponse>
<ResponseOrigin>Processor</ResponseOrigin>
Expand Down Expand Up @@ -163,7 +163,7 @@ def successful_purchase_response

def failed_purchase_response
<<~RESPONSE
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><CreditTransactionResponse xmlns="http://www.mercurypay.com"><CreditTransactionResult><?xml version="1.0"?>
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><CreditTransactionResponse xmlns="http://www.mercurypay.com"><CreditTransactionResult>
<RStream>
<CmdResponse>
<ResponseOrigin>Server</ResponseOrigin>
Expand All @@ -179,7 +179,7 @@ def failed_purchase_response

def successful_refund_response
<<~RESPONSE
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><CreditTransactionResponse xmlns="http://www.mercurypay.com"><CreditTransactionResult><?xml version="1.0"?>
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><CreditTransactionResponse xmlns="http://www.mercurypay.com"><CreditTransactionResult>
<RStream>
<CmdResponse>
<ResponseOrigin>Processor</ResponseOrigin>
Expand Down
2 changes: 1 addition & 1 deletion test/unit/gateways/paypal_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -1312,7 +1312,7 @@ def failed_create_profile_paypal_response
</CreateRecurringPaymentsProfileResponseDetails>
</CreateRecurringPaymentsProfileResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>"
</SOAP-ENV:Envelope>
RESPONSE
end

Expand Down
10 changes: 0 additions & 10 deletions test/unit/gateways/trans_first_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -15,16 +15,6 @@ def setup
@amount = 100
end

def test_missing_field_response
@gateway.stubs(:ssl_post).returns(missing_field_response)

response = @gateway.purchase(@amount, @credit_card, @options)

assert_failure response
assert response.test?
assert_equal 'Missing parameter: UserId.', response.message
end

def test_successful_purchase
@gateway.stubs(:ssl_post).returns(successful_purchase_response)

Expand Down

0 comments on commit f2ed5b6

Please sign in to comment.