
-dead-paypal_nvp's Issues

The PayPal NVP API is dead

My paypal_nvp implementation just died for no apparent reason.

I tried to login to the developer portal for NVP apps, but my apps are no longer listed and there is now this warning:

[screenshot of the developer portal warning, 2017-12-08 10:27:53 AM]

If you go to the MTS Community page, you see this notice:

[screenshot of the MTS Community notice, 2017-12-08 10:26:05 AM]

Suffice it to say, this is a really crappy way to deprecate an API.

"Hey, sorry for the lack of notice, but the API is dead now, but maybe we'll fix it next year."

Nice job, PayPal!

MITM Attack Vector?

First off, I'm somewhat new to web security, so I may be entirely off base on this (please let me know if I am!). But by setting:
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
in line 38 of lib/paypal_nvp.lib, doesn't that disable certificate validation and thus leave the NVP hash vulnerable to malicious manipulation by a third party?

For example, by intercepting and changing the NVP values, you could switch the NVP hashes of two purchases so that your server would then continue using the wrong hash (say, from a cheaper item they purchased with PayPal) to place an order for a more expensive item?

This is not a security threat to my app in particular, but I'm trying to learn more about security, so any comments/reasons why this would not work would be greatly appreciated.

Thanks!
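The two settings the issue contrasts, side by side, as an added example written for this page (it is not the gem's code and was not posted by the issue author). VERIFY_NONE accepts any certificate the peer presents, so a party that can redirect the connection can also read and rewrite the NVP body; VERIFY_PEER with the system CA store makes the handshake fail instead. The second half shows the check a server should run regardless of TLS: compare what the payment response says against the order it recorded itself, so a response that belongs to a different purchase is rejected. The endpoint URI and the field names ACK, TOKEN, AMT and CURRENCYCODE are assumptions for this example, and the sample response is constructed; Net::HTTP.new opens no socket, so everything runs offline.

```ruby
require 'net/http'
require 'openssl'
require 'uri'
require 'cgi'

# Hypothetical endpoint (assumption for this example); Net::HTTP.new does not
# connect, so the block runs without network access.
PAYPAL_NVP_URI = URI('https://api-3t.example.invalid/nvp')

# Build the HTTPS client. insecure: true reproduces the VERIFY_NONE setting the
# issue asks about; the default validates the chain against the system CA store.
def paypal_http(uri = PAYPAL_NVP_URI, insecure: false)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  if insecure
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE   # any certificate is accepted
  else
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER   # chain must validate
    store = OpenSSL::X509::Store.new
    store.set_default_paths                        # OS / OpenSSL trust roots
    http.cert_store = store
  end
  http
end

# True only when TLS is on and the peer certificate will be checked.
def validates_certificate?(http)
  http.use_ssl? && http.verify_mode == OpenSSL::SSL::VERIFY_PEER
end

# Decode a key=value&key=value NVP body into a hash of unescaped strings.
def parse_nvp(body)
  body.split('&').each_with_object({}) do |pair, acc|
    key, value = pair.split('=', 2)
    acc[CGI.unescape(key)] = CGI.unescape(value.to_s)
  end
end

# Second line of defence, independent of TLS: before fulfilling an order,
# compare the fields the response reports against the order the server itself
# recorded (token, amount, currency). A response swapped between two purchases
# then fails this check. Field names are assumed for the example.
def response_matches_order?(nvp, order)
  nvp['ACK'] == 'Success' &&
    nvp['TOKEN'] == order[:token] &&
    nvp['CURRENCYCODE'] == order[:currency] &&
    nvp['AMT'] == format('%.2f', order[:amount])
end

# Constructed sample data: two orders and the response belonging to the cheap one.
CHEAP_ORDER  = { token: 'EC-CHEAP0001',  amount: 5.0,   currency: 'USD' }.freeze
PRICEY_ORDER = { token: 'EC-PRICEY002', amount: 250.0, currency: 'USD' }.freeze
CHEAP_RESPONSE = 'ACK=Success&TOKEN=EC%2DCHEAP0001&AMT=5%2E00&CURRENCYCODE=USD'.freeze

if __FILE__ == $PROGRAM_NAME
  nvp = parse_nvp(CHEAP_RESPONSE)
  puts "certificate validation on: #{validates_certificate?(paypal_http)}"
  puts "response matches cheap order:  #{response_matches_order?(nvp, CHEAP_ORDER)}"
  puts "response matches pricey order: #{response_matches_order?(nvp, PRICEY_ORDER)}"
end
```

The order cross-check is the part that answers the scenario in the issue: even if transport integrity were lost, an order is only fulfilled when the token, amount and currency in the response agree with the server's own record, so a response from a cheaper purchase cannot be replayed against a more expensive one.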

Use of paypal.yml should be optional.

As of today, the configuration for the app is different from that of the official PayPal Ruby SDK. So I was wondering whether it wouldn't be better if the use of paypal.yml could be optional: if the constructor receives the credentials to connect to the API, the class would ignore the paypal.yml file.

For example, this class looks for a cert variable in the yml file, while the official PayPal SDK looks for one called signature. Moreover, the PayPalNVP class differentiates between a live environment and a sandbox one, whereas the other SDK has development, production and test as environments.

Sorry if I wasn't clear. I'm writing this as an issue because if you already have a paypal.yml file and you try to pass extra options to the PayPalNVP class, it throws an undefined method `[]' for nil:NilClass error.

README is incorrect and misleading

Thanks for this great gem - it really helps with the pointless glue code needed to talk to PayPal. However, there are several issues I thought you should be aware of, particularly in the README file:

1 - You mention that the recommended way to install the gem is to install it using sudo gem install paypal_nvp. By using it with sudo, you're installing this into the root gemset instead of the local gemset for the current user. This makes the gem available too widely, and can also cause permissions issues due to being granted root access. Unless there's a very good reason (and I can't see any based on reviewing the code), you will at least want to remove sudo from that line, and it'd probably be wise to recommend something like Bundler for gem management.

2 - Your section on specifying the version in the data hash is inaccurate. Based on your code, the version defaults to 50 in the @extras member variable. You then call data.merge!(@extras) when performing the call, and the problem here is that this call will overwrite any version specified in the data hash - see http://apidock.com/ruby/Hash/merge! for more info. Thus, specifying a version in the call to call_paypal will never work (and this is confirmed by my local testing).

Again, great work on the gem, but it seems like some elements need a bit of polish and updating.
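Both the paypal.yml issue and point 2 of the README issue come down to which side of a Hash merge wins, so one added example covers both. It is written for this page, not taken from the gem or from either issue author. The first function resolves credentials so that options passed to the constructor take precedence and the yml only fills gaps, with a missing file or section yielding an empty hash rather than nil (the nil:NilClass failure the second issue reports). The two call-data builders show the merge direction the README issue describes, where the @extras default VERSION overwrites the caller's value, next to the reversed merge that keeps the caller's VERSION. The yml contents, the key names user, pass and cert, and the VERSION default of 50 are taken from or modelled on the issues; the function names and the env section layout are assumptions.

```ruby
require 'yaml'

# Constructed sample paypal.yml contents (not the gem's real file).
SAMPLE_PAYPAL_YML = <<~YAML
  live:
    user: live_user
    pass: live_pass
    cert: live_cert
  sandbox:
    user: sandbox_user
    pass: sandbox_pass
    cert: sandbox_cert
YAML

REQUIRED_KEYS = %w[user pass cert].freeze

# Explicit options always win; the yml only fills in what the caller did not
# supply. A missing file or section becomes {} rather than nil, so indexing
# it never raises "undefined method `[]' for nil:NilClass".
def resolve_credentials(explicit, yml_text: nil, env: 'live')
  from_file = yml_text ? (YAML.safe_load(yml_text) || {}) : {}
  section = from_file.fetch(env, nil) || {}
  merged = section.merge(explicit.transform_keys(&:to_s))   # right side wins
  missing = REQUIRED_KEYS - merged.keys
  raise ArgumentError, "missing PayPal credentials: #{missing.join(', ')}" unless missing.empty?
  merged.slice(*REQUIRED_KEYS)
end

DEFAULT_EXTRAS = { 'VERSION' => '50' }.freeze   # default version from the issue

# The direction the README issue describes: data.merge!(extras) lets the
# defaults overwrite whatever VERSION the caller put in data.
def call_data_defaults_win(method, data, extras = DEFAULT_EXTRAS)
  data.transform_keys(&:to_s).merge!(extras).merge!('METHOD' => method)
end

# Reversed direction: extras.merge(data), so the caller's VERSION survives and
# the default applies only when the caller gave none.
def call_data_caller_wins(method, data, extras = DEFAULT_EXTRAS)
  extras.merge(data.transform_keys(&:to_s)).merge('METHOD' => method)
end

if __FILE__ == $PROGRAM_NAME
  p resolve_credentials({ cert: 'from_constructor' }, yml_text: SAMPLE_PAYPAL_YML)
  p call_data_defaults_win('GetBalance', { 'VERSION' => '124' })
  p call_data_caller_wins('GetBalance', { 'VERSION' => '124' })
end
```

Hash#merge and Hash#merge! both resolve a duplicate key in favour of the argument, so the fix is purely a matter of which hash is the receiver: put the defaults on the receiving side and the caller's values in the argument.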
