razorpay · ankitdas13 · May 17, 2024 · May 9, 2024 · May 9, 2024 · May 9, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,7 @@
 # Changelog
 
-## 2.9.4 - 2024-05-07
+## 2.9.4 - 2024-05-17
+fix: Resolve SSRF vulnerability in request handling
 feat: Added new API endpoints
 - Added support for `addBankAccount`, `deleteBankAccount`, `requestEligibilityCheck` & `fetchEligibility` on customer
 - Added support for [Dispute](https://razorpay.com/docs/api/disputes/)

diff --git a/lib/api.js b/lib/api.js
@@ -1,6 +1,6 @@
 'use strict'
 
-const request = require('request-promise')
+const axios = require('axios').default
 const nodeify = require('./utils/nodeify')
 const {
   isNonNullObject
@@ -33,19 +33,18 @@ function getValidHeaders (headers) {
 
 function normalizeError(err) {
   throw {
-    statusCode: err.statusCode,
-    error: err.error.error
+    statusCode: err.response.status,
+    error: err.response.data.error
   }
 }
 
 class API {
   constructor(options) {
-    this.rq = request.defaults({
-      baseUrl: options.hostUrl,
-      json: true,
+    this.rq = axios.create({
+      baseURL: options.hostUrl,
       auth: {
-        user: options.key_id,
-        pass: options.key_secret
+        username: options.key_id,
+        password: options.key_secret
       },
       headers: Object.assign(
         {'User-Agent': options.ua},
@@ -61,48 +60,39 @@ class API {
   }
 
   get(params, cb) {
-    return nodeify(this.rq.get({
-      url: this.getEntityUrl(params),
-      qs: params.data,
+    return nodeify(this.rq.get(this.getEntityUrl(params), {
+      params: params.data
     }).catch(normalizeError), cb)
   }
 
   post(params, cb) {
-     let request = {
-        url: this.getEntityUrl(params),
-        body: params.data
-      };
-    return nodeify(this.rq.post(request).catch(normalizeError), cb);
+    return nodeify(this.rq.post(this.getEntityUrl(params), params.data)
+    .catch(normalizeError), cb);
   }
 
   // postFormData method for file uploads.
   postFormData(params, cb){
-    let request = {
-      url: this.getEntityUrl(params),
-      formData: params.formData
-    };
-  return nodeify(this.rq.post(request).catch(normalizeError), cb);    
+     return nodeify(this.rq.post(this.getEntityUrl(params), params.formData, {
+       'headers': {
+         'Content-Type': 'multipart/form-data'
+       }
+     })
+     .catch(normalizeError), cb);    
   }
 
   put(params, cb) {
-    return nodeify(this.rq.put({
-      url: this.getEntityUrl(params),
-      body: params.data
-    }).catch(normalizeError), cb)
+    return nodeify(this.rq.put(this.getEntityUrl(params), params.data)
+    .catch(normalizeError), cb);
   }
 
   patch(params, cb) {
-    let request = {
-      url: this.getEntityUrl(params),
-      body: params.data
-    };
-    return nodeify(this.rq.patch(request).catch(normalizeError), cb);
+    return nodeify(this.rq.patch(this.getEntityUrl(params), params.data)
+    .catch(normalizeError), cb);
   }
 
   delete(params, cb) {
-    return nodeify(this.rq.delete({
-      url: this.getEntityUrl(params)
-    }).catch(normalizeError), cb)
+    return nodeify(this.rq.delete(this.getEntityUrl(params))
+    .catch(normalizeError), cb)
   }
 }
 

diff --git a/lib/resources/accounts.js b/lib/resources/accounts.js
@@ -36,10 +36,13 @@ module.exports = function (api) {
         },
 
         uploadAccountDoc(accountId, params, callback) {
+            let {file, ...rest}  = params
             return api.postFormData({
                 version: 'v2',
                 url: `${BASE_URL}/${accountId}/documents`,
-                formData: params
+                formData: {
+                    file: file.value, ...rest
+                }
             }, callback);
         },
 

diff --git a/lib/resources/addons.js b/lib/resources/addons.js
@@ -4,8 +4,7 @@
  * DOCS: https://razorpay.com/docs/subscriptions/api/
  */
 
-const Promise = require("promise"),
-      { normalizeDate } = require('../utils/razorpay-utils');
+const { normalizeDate } = require('../utils/razorpay-utils');
 
 module.exports = function (api) {
 

diff --git a/lib/resources/documents.js b/lib/resources/documents.js
@@ -6,9 +6,12 @@ module.exports = function (api) {
 
     return {
         create(params, callback) {
+            let {file, ...rest}  = params
             return api.postFormData({
                 url: `${BASE_URL}`,
-                formData: params
+                formData: {
+                    file: file.value, ...rest
+                }
             }, callback);
         },
 

diff --git a/lib/resources/invoices.js b/lib/resources/invoices.js
@@ -4,8 +4,7 @@
  * DOCS: https://razorpay.com/docs/invoices/
  */
 
-const Promise = require("promise"),
-      { normalizeDate } = require('../utils/razorpay-utils');
+const { normalizeDate } = require('../utils/razorpay-utils');
 
 module.exports = function invoicesApi (api) {
 

diff --git a/lib/resources/paymentLink.js b/lib/resources/paymentLink.js
@@ -4,8 +4,7 @@
  * DOCS: https://razorpay.com/docs/payment-links/
  */
 
-const Promise = require("promise"),
-      { normalizeDate, normalizeNotes } = require('../utils/razorpay-utils');
+const { normalizeDate } = require('../utils/razorpay-utils');
 
 module.exports = function paymentLinkApi (api) {
 

diff --git a/lib/resources/payments.js b/lib/resources/payments.js
@@ -1,7 +1,5 @@
 'use strict'
 
-const Promise = require("promise");
-
 const { normalizeDate } = require('../utils/razorpay-utils')
 
 const ID_REQUIRED_MSG = '`payment_id` is mandatory',

diff --git a/lib/resources/plans.js b/lib/resources/plans.js
@@ -4,8 +4,7 @@
  * DOCS: https://razorpay.com/docs/subscriptions/api/
  */
 
-const Promise = require("promise"),
-      { normalizeDate } = require('../utils/razorpay-utils');
+const { normalizeDate } = require('../utils/razorpay-utils');
 
 module.exports = function plansApi (api) {
 

diff --git a/lib/resources/stakeholders.js b/lib/resources/stakeholders.js
@@ -36,10 +36,13 @@ module.exports = function (api) {
         },
 
         uploadStakeholderDoc(accountId, stakeholderId, params, callback) {
+            let {file, ...rest}  = params
             return api.postFormData({
                 version: 'v2',
                 url: `${BASE_URL}/${accountId}/stakeholders/${stakeholderId}/documents`,
-                formData: params
+                formData: {
+                    file: file.value, ...rest
+                }
             }, callback);
         },
 

diff --git a/lib/resources/subscriptions.js b/lib/resources/subscriptions.js
@@ -4,8 +4,7 @@
  * DOCS: https://razorpay.com/docs/subscriptions/api/
  */
 
-const Promise = require("promise"),
-      { normalizeDate } = require('../utils/razorpay-utils');
+const { normalizeDate } = require('../utils/razorpay-utils');
 
 module.exports = function subscriptionsApi (api) {
 

diff --git a/lib/resources/virtualAccounts.js b/lib/resources/virtualAccounts.js
@@ -1,6 +1,5 @@
 "use strict";
 
-const Promise = require("promise");
 const { normalizeDate, normalizeNotes } = require('../utils/razorpay-utils');
 
 const BASE_URL = '/virtual_accounts',

diff --git a/lib/utils/nodeify.js b/lib/utils/nodeify.js
@@ -1,12 +1,13 @@
 'use strict'
 
 const nodeify = (promise, cb) => {
+
   if (!cb) {
-    return promise
+    return promise.then((response)=> response.data)
   }
-
-  return promise.then((response) => {
-    cb(null, response)
+  
+  return promise.then((response) => { 
+    cb(null, response.data)
   }).catch((error) => {
     cb(error, null)
   })