diff --git a/src/main/java/com/stripe/mpp/Challenge.java b/src/main/java/com/stripe/mpp/Challenge.java
index d959a4d..081dafe 100644
--- a/src/main/java/com/stripe/mpp/Challenge.java
+++ b/src/main/java/com/stripe/mpp/Challenge.java
@@ -92,6 +92,12 @@ public static List fromWwwAuthenticate(List wwwAuthenticateHe
 if (authParams == null) continue;
 Map params = Parsing.parseAuthParams(authParams);
+ String request = params.get("request");
+ if (request != null && request.length() > Parsing.MAX_PAYLOAD_SIZE) {
+ throw new com.stripe.mpp.error.ParseException(
+ "Request parameter exceeds maximum length of " + Parsing.MAX_PAYLOAD_SIZE + " bytes"
+ );
+ }
 Map opaque = null;
 String opaqueVal = params.get("opaque");
 if (opaqueVal != null && !opaqueVal.isEmpty()) {
@@ -103,7 +109,7 @@ public static List fromWwwAuthenticate(List wwwAuthenticateHe
 params.get("intent"),
 null,
 params.get("realm"),
- params.get("request"),
+ request,
 params.get("digest"),
 params.get("expires"),
 params.get("description"),
diff --git a/src/test/java/com/stripe/mpp/ParsingTest.java b/src/test/java/com/stripe/mpp/ParsingTest.java
index 67546e9..eb09f88 100644
--- a/src/test/java/com/stripe/mpp/ParsingTest.java
+++ b/src/test/java/com/stripe/mpp/ParsingTest.java
@@ -82,6 +82,18 @@ void challengeRejectsCrlfDescription() {
 .hasMessageContaining("CR or LF");
 }
+ @Test
+ void challengeRejectsOversizedRequestParameter() {
+ String oversizedRequest = "a".repeat(Parsing.MAX_PAYLOAD_SIZE + 1);
+ String header = "Payment id=\"abc\", realm=\"api\", method=\"tempo\", intent=\"charge\", request=\""
+ + oversizedRequest
+ + "\""
+ assertThatThrownBy(() -> Challenge.fromWwwAuthenticate(header))
+ .isInstanceOf(com.stripe.mpp.error.ParseException.class)
+ .hasMessageContaining("Request parameter exceeds");
+ }
+
 // --- Credential (Authorization) ---
 @Test
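Review bot: The added guard compares `request.length()` — a count of UTF-16 code units — against `Parsing.MAX_PAYLOAD_SIZE` while the thrown message reports the limit in "bytes", so for non-ASCII content a value whose UTF-8 encoding exceeds the limit still passes, and the unit named in the error is wrong either way. If the constant is a byte limit, measure the encoded size, `if (request != null && request.getBytes(StandardCharsets.UTF_8).length > Parsing.MAX_PAYLOAD_SIZE) {`, optionally keeping the `length()` comparison first as a cheap short-circuit since UTF-8 never yields fewer bytes than code units; if it is a character limit, change the message to say "characters". Separately, `Parsing.parseAuthParams(authParams)` on the line above has already parsed the full header before this check runs, so if the limit is meant as a resource bound it would be stronger applied to the raw `authParams` string before parsing — I cannot see from this hunk whether parseAuthParams enforces a limit of its own. The fully qualified `com.stripe.mpp.error.ParseException` would also read better as an import. `fromWwwAuthenticate` begins and ends outside the hunk.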
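Review bot: The new test pins only the rejection of a `MAX_PAYLOAD_SIZE + 1` value; nothing asserts that a `request` of exactly `MAX_PAYLOAD_SIZE` characters is still accepted, so an off-by-one (`>=`) in the guard would pass this suite unnoticed. A companion case built from `"a".repeat(Parsing.MAX_PAYLOAD_SIZE)` and checked with `assertThatCode(() -> Challenge.fromWwwAuthenticate(header)).doesNotThrowAnyException()` closes that gap. Because the error message names the limit in bytes, a case whose value is made of multi-byte (non-ASCII) characters would also make explicit which unit the guard really enforces. The test method is complete within the hunk; the surrounding class is not.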