
Conversation

@Gering112 (Contributor)

updated pom.xml

@zeropath-ai

zeropath-ai bot commented Oct 9, 2025

The following issues were found:

  • Information Disclosure: No patch for this bug could be generated. Here is a description and location:
    Location: riskified-sdk/src/main/java/com/riskified/models/RiskIndicators.java:50:53
    Description: RiskIndicators.toString() returns a string containing the full properties map, including values. This can inadvertently leak sensitive data (PII, tokens, or other confidential attributes) into logs or error messages if RiskIndicators is logged or included in exception messages.
    Link to UI: https://zeropath.com/app/issues/3af1a854-5732-4b0f-b071-33bade389fb1

Reply to this PR with @zeropath-ai followed by a description of what change you want and we'll auto-submit a change to this PR to implement it.

beksina previously approved these changes Oct 9, 2025
beksina previously approved these changes Oct 14, 2025
@Gering112 Gering112 merged commit 7efe66f into master Oct 14, 2025
1 of 3 checks passed
@Gering112 Gering112 deleted the DEV-115700 branch October 14, 2025 16:20
@zeropath-ai

zeropath-ai bot commented Oct 14, 2025

The following issues were found:

  • Information Disclosure: No patch for this bug could be generated. Here is a description and location:
    Location: riskified-sdk/src/main/java/com/riskified/models/BankWirePaymentDetails.java:38:56
    Description: Broken/incorrect getters and setters in BankWirePaymentDetails (use of undefined 'self', incorrect assignments of Date to token, misspelled method names). The diff shows multiple mistakes in the added storedPayment* accessors:
      • getStoredPaymentCreatedAt returns self.storedPaymentCreatedAt (Java has no 'self' variable) -> will not compile.
      • setStoredPaymentCreatedAt assigns storedPaymentCreatedAt to token (String) instead of to storedPaymentCreatedAt (Date) -> type mismatch and overwrites a sensitive token field if it compiled.
      • getStoredPaymentUpdateddAt is misspelled and uses self.storedPaymentUpdatedAt.
      • setStoredPaymentUpdateddAt is misspelled and assigns to token as well.
    Impact: these are immediate correctness errors that will cause compilation failures or, if somehow compiled, will corrupt the payment token field (sensitive data). A broken SDK class can cause application build/runtime failures (availability impact) and could cause inadvertent exposure/corruption of the payment token. This requires a code fix (security/functional patch).
    Link to UI: https://zeropath.com/app/issues/57609b0f-dcdf-4fa6-aed1-4d939fc7f427

The following low-severity issues were also found:

  • Denial of Service (DOS): No patch for this bug could be generated. Here is a description and location:
    Location: riskified-sdk/src/main/java/com/riskified/models/Recipient.java:80:86
    Description: Compilation and logic errors in Recipient getters/setters (use of undefined 'self' and missing semicolon). The added walletId accessor methods use 'self' instead of 'this' and the setter is missing a terminating semicolon. These will cause compilation failures and prevent the SDK from being used.
    Impact: build/runtime failures (availability). Additionally, incorrect field access could prevent correct serialization/deserialization of the walletId property.
    Link to UI: https://zeropath.com/app/issues/cb80381d-e359-4754-805d-a42377435c02

  • Denial of Service (DOS): No patch for this bug could be generated. Here is a description and location:
    Location: riskified-sdk/src/main/java/com/riskified/models/RiskIndicators.java:1:55
    Description: RiskIndicators.get(String, Class) uses an unchecked cast and can produce ClassCastException at runtime. The new RiskIndicators class exposes a generic getter that performs a raw unchecked cast: return (T) value;. If callers expect a particular type but the runtime value differs (e.g., deserialized JSON types), this will throw at runtime and can cause application failures (denial of service). Use of Class.cast with an isInstance check prevents unexpected ClassCastExceptions and makes the failure mode explicit.
    Impact: Unexpected/malformed data from external sources (e.g., deserialized risk indicators) can cause runtime exceptions when code uses the typed getter, which is an availability and robustness issue. No evidence of remote code execution or injection in this diff.
    Link to UI: https://zeropath.com/app/issues/a4735839-4a31-4130-a59f-b90d0eb8a85f

Reply to this PR with @zeropath-ai followed by a description of what change you want and we'll auto-submit a change to this PR to implement it.
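The two RiskIndicators findings above (the value-leaking toString() in the Oct 9 comment and the unchecked `(T) value` cast in the Oct 14 comment) both come down to how a generic properties map is exposed. The class below is an added illustration written for this page, not the SDK's own RiskIndicators and not code from the PR or the bot; the name SafeRiskIndicators, the sample keys and the values are constructed for the example. It shows a typed getter built on Class.isInstance plus Class.cast, so a type mismatch becomes an explicit IllegalStateException (or an empty Optional in the lenient variant) at the point of lookup, and a toString() that prints only the key set so the object can be logged or embedded in an exception message without disclosing values.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;

// Hypothetical hardened holder for risk indicators (example code, not the
// SDK's com.riskified.models.RiskIndicators).
public final class SafeRiskIndicators {
    private final Map<String, Object> properties = new LinkedHashMap<>();

    public SafeRiskIndicators put(String key, Object value) {
        properties.put(key, value);
        return this;
    }

    // Strict typed getter: verify the runtime type before casting. A mismatch
    // fails here, with the key and both types in the message, instead of as a
    // ClassCastException at whatever call site later assigns the result.
    public <T> Optional<T> get(String key, Class<T> type) {
        Object value = properties.get(key);
        if (value == null) {
            return Optional.empty();
        }
        if (!type.isInstance(value)) {
            throw new IllegalStateException("indicator '" + key + "' is "
                    + value.getClass().getSimpleName() + ", expected " + type.getSimpleName());
        }
        return Optional.of(type.cast(value));
    }

    // Lenient variant: treat a value of the wrong type as absent. Suitable for
    // callers that must keep working on malformed upstream data.
    public <T> Optional<T> getIfType(String key, Class<T> type) {
        Object value = properties.get(key);
        return type.isInstance(value) ? Optional.of(type.cast(value)) : Optional.empty();
    }

    // Read-only view for callers that genuinely need the values; they opt in
    // explicitly rather than getting them via toString().
    public Map<String, Object> asMap() {
        return Collections.unmodifiableMap(properties);
    }

    // Only the keys are rendered. Logging the object, or including it in an
    // exception message, therefore cannot leak PII or tokens stored as values.
    @Override
    public String toString() {
        return "RiskIndicators" + properties.keySet();
    }

    public static void main(String[] args) {
        // Constructed sample data: one numeric indicator, one sensitive token,
        // and one value whose runtime type differs from what the caller expects.
        SafeRiskIndicators ri = new SafeRiskIndicators()
                .put("velocity_score", 42)
                .put("device_token", "tok_do_not_log")
                .put("risk_level", "high");

        System.out.println("logged form: " + ri);
        System.out.println("velocity_score as Integer: " + ri.get("velocity_score", Integer.class).orElse(-1));
        System.out.println("risk_level as Integer (lenient): " + ri.getIfType("risk_level", Integer.class));
        try {
            ri.get("risk_level", Integer.class);
        } catch (IllegalStateException e) {
            System.out.println("strict lookup rejected: " + e.getMessage());
        }
    }
}
```

Because of type erasure, a raw `(T) value` inside the getter performs no check at all; the ClassCastException surfaces only when the caller assigns the result, which is why the bot's suggested isInstance/cast pair moves the failure to a place where it can be diagnosed. Keeping values out of toString() is the cheap counterpart: it makes `log.info("indicators={}", ri)` and `throw new X("bad " + ri)` safe by construction rather than relying on every caller to remember what the map holds.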
