From eb3112aed27023f76dc80f3df8cab58464088777 Mon Sep 17 00:00:00 2001
From: Bekim Sinanovic <86640828+beksina@users.noreply.github.com>
Date: Tue, 23 Dec 2025 09:55:14 -0600
Subject: [PATCH 1/2] fix xss vulnerability in notification server samples
---
 .../servlet/NotificationServlet.java | 18 ++++++++++++++----
 .../socket/HTTPPOSTServer.java | 16 +++++++++++++---
 2 files changed, 27 insertions(+), 7 deletions(-)
diff --git a/riskified-sample/src/main/java/com/riskified/samples/notificationServer/servlet/NotificationServlet.java b/riskified-sample/src/main/java/com/riskified/samples/notificationServer/servlet/NotificationServlet.java
index b1f9dcd..7e710e5 100644
--- a/riskified-sample/src/main/java/com/riskified/samples/notificationServer/servlet/NotificationServlet.java
+++ b/riskified-sample/src/main/java/com/riskified/samples/notificationServer/servlet/NotificationServlet.java
@@ -19,16 +19,26 @@ public NotificationServlet(String authKey) throws RiskifiedError { formatter = new NotificationHandler(authKey); } + private static String escapeHtml(String input) { + if (input == null) { + return ""; + } + return input + .replace("&", "&") + .replace("<", "<") + .replace(">", ">"); + } + protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { PrintWriter out = resp.getWriter(); try { NotificationOrder notification = formatter.parseServletPostRequest(req).getOrder(); System.out.println("got notification for id: '" + notification.getId() + "' with status: '" + notification.getStatus() +"' "); - out.println("Merchant Received Notification For Order " + notification.getId() - + " with status " + notification.getStatus() + " and description " + notification.getDescription() - + " and app_dom_id " + notification.getCustom().getAppDomId() - + " Old Status was " + notification.getOldStatus() + out.println("Merchant Received Notification For Order " + escapeHtml(notification.getId()) + + " with status " + escapeHtml(notification.getStatus()) + " and description " + escapeHtml(notification.getDescription()) + + " and app_dom_id " + escapeHtml(notification.getCustom() != null ? notification.getCustom().getAppDomId() : null) + + " Old Status was " + escapeHtml(notification.getOldStatus()) + ""); } catch (Exception e) { diff --git a/riskified-sample/src/main/java/com/riskified/samples/notificationServer/socket/HTTPPOSTServer.java b/riskified-sample/src/main/java/com/riskified/samples/notificationServer/socket/HTTPPOSTServer.java index 2d39b12..37a78df 100644 --- a/riskified-sample/src/main/java/com/riskified/samples/notificationServer/socket/HTTPPOSTServer.java +++ b/riskified-sample/src/main/java/com/riskified/samples/notificationServer/socket/HTTPPOSTServer.java 
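Review bot: As shown, the three `replace` calls in the new `escapeHtml` substitute each character for itself (`.replace("&", "&")`, `.replace("<", "<")`, `.replace(">", ">")`), so the helper returns its input unchanged and the reflected order id, status, description, app_dom_id and old status still reach the response unescaped; this may be an entity-decoding artifact of how the patch is displayed, but the committed file should be checked to read `.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")`. Even once correct, the helper only covers text-node context (no `"`/`'` escaping), which matches this use but deserves a Javadoc such as `/** Escapes &, < and > for use as HTML text content; not safe for attribute values or scripts. */`. Separately, `resp.getWriter()` is obtained in doPost with no visible `setContentType`; since the body is a plain acknowledgment, `resp.setContentType("text/plain; charset=UTF-8")` before writing would stop browsers rendering it as HTML regardless of escaping, and the raw `System.out.println` of id and status remains unsanitized log output. doPost's catch block continues outside the hunk.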
@@ -63,9 +63,9 @@ public void run() { } NotificationHandler formatter = new NotificationHandler("26faa0eb6eacf889e300944c297640b68789b11c"); NotificationOrder notification = formatter.toObject(body, hash).getOrder(); - sendResponse(200, "Merchant Received Notification For Order " + notification.getId() - + " with status " + notification.getStatus() + " and description " + notification.getDescription() - + " Old Status was " + notification.getOldStatus() + sendResponse(200, "Merchant Received Notification For Order " + escapeHtml(notification.getId()) + + " with status " + escapeHtml(notification.getStatus()) + " and description " + escapeHtml(notification.getDescription()) + + " Old Status was " + escapeHtml(notification.getOldStatus()) + ""); } @@ -77,6 +77,16 @@ public void run() { } + private static String escapeHtml(String input) { + if (input == null) { + return ""; + } + return input + .replace("&", "&") + .replace("<", "<") + .replace(">", ">"); + } + public void sendResponse(int statusCode, String responseString) { String statusLine = null; From a5efceaeebd906ae032772ce173a52ca9e0a867f Mon Sep 17 00:00:00 2001 From: Bekim Sinanovic <86640828+beksina@users.noreply.github.com> Date: Tue, 23 Dec 2025 09:58:37 -0600 Subject: [PATCH 2/2] tweak --- .../samples/notificationServer/servlet/NotificationServlet.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/riskified-sample/src/main/java/com/riskified/samples/notificationServer/servlet/NotificationServlet.java b/riskified-sample/src/main/java/com/riskified/samples/notificationServer/servlet/NotificationServlet.java index 7e710e5..021d603 100644 --- a/riskified-sample/src/main/java/com/riskified/samples/notificationServer/servlet/NotificationServlet.java +++ b/riskified-sample/src/main/java/com/riskified/samples/notificationServer/servlet/NotificationServlet.java 
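Review bot: The escaped body is handed to `sendResponse(200, ...)`, but whether that method emits a `Content-Type` (and charset) header is not visible here — its definition begins in the next hunk's context and runs past the end of the patch — so the escaping is only a complete fix if the response is also labelled, e.g. `Content-Type: text/plain; charset=UTF-8` plus `X-Content-Type-Options: nosniff`; please confirm or add that. Pre-existing rather than introduced here, the context line `new NotificationHandler("26faa0eb6eacf889e300944c297640b68789b11c")` ships a literal auth key in sample code that readers will copy; reading it from configuration or an environment variable, as the servlet sample takes `authKey` via its constructor, would be safer. The enclosing `run()` starts outside the hunk.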
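Review bot: The `escapeHtml` added to HTTPPOSTServer has the same self-replacement problem as the servlet copy — as displayed, `.replace("&", "&")`, `.replace("<", "<")` and `.replace(">", ">")` are identity substitutions, so the method is a no-op; if this is not a rendering artifact, the intended targets are `"&amp;"`, `"&lt;"` and `"&gt;"`. Since the two samples now carry byte-identical private helpers, a single package-level utility would keep a future fix (for example adding `"` escaping for attribute context) from having to be applied twice, and each copy should document its scope: `/** Escapes &, < and > so the value is safe as HTML text content only. */`. The `sendResponse` definition that follows starts in this hunk and continues beyond it.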
@@ -37,7 +37,7 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws S System.out.println("got notification for id: '" + notification.getId() + "' with status: '" + notification.getStatus() +"' "); out.println("Merchant Received Notification For Order " + escapeHtml(notification.getId()) + " with status " + escapeHtml(notification.getStatus()) + " and description " + escapeHtml(notification.getDescription()) - + " and app_dom_id " + escapeHtml(notification.getCustom() != null ? notification.getCustom().getAppDomId() : null) + + " and app_dom_id " + escapeHtml(notification.getCustom().getAppDomId()) + " Old Status was " + escapeHtml(notification.getOldStatus()) + "");
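Review bot: Dropping the `notification.getCustom() != null` guard means any notification whose `custom` block is absent now throws a NullPointerException at `escapeHtml(notification.getCustom().getAppDomId())` inside the try, so the merchant acknowledgment falls through to the `catch (Exception e)` branch (whose body is outside this hunk) instead of returning the 200 text the previous revision produced. If `custom` is optional for some notification types — which cannot be confirmed from here — the guarded form `escapeHtml(notification.getCustom() != null ? notification.getCustom().getAppDomId() : null)` was the safer one and should be restored; if it is mandatory, a one-line comment stating that (`// custom is always present on notifications; NPE here means a malformed payload`) would record the decision. The rest of doPost lies outside the hunk.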