Merge pull request #8393 from magento-cia/cia-2.4.7-beta2-develop-bugfix-07112023

cia-2.4.7-beta2-develop-bugfix-07112023

Author: pawan-adobe-security

app/code/Magento/Customer/Plugin/Webapi/Controller/Rest/ValidateCustomerData.php

@@ -28,8 +28,8 @@ class ValidateCustomerData
      */
     public function beforeOverride(ParamsOverrider $subject, array $inputData, array $parameters): array
     {
-        if (isset($inputData[self:: CUSTOMER_KEY])) {
-            $inputData[self:: CUSTOMER_KEY] = $this->validateInputData($inputData[self:: CUSTOMER_KEY]);
+        if (isset($inputData[self::CUSTOMER_KEY])) {
+            $inputData[self::CUSTOMER_KEY] = $this->validateInputData($inputData[self::CUSTOMER_KEY]);
         }
         return [$inputData, $parameters];
     }
@@ -45,7 +45,7 @@ private function validateInputData(array $inputData): array
         $result = [];
 
         $data = array_filter($inputData, function ($k) use (&$result) {
-            $key = is_string($k) ? strtolower($k) : $k;
+            $key = is_string($k) ? strtolower(str_replace('_', "", $k)) : $k;
             return !isset($result[$key]) && ($result[$key] = true);
         }, ARRAY_FILTER_USE_KEY);
 

app/code/Magento/Customer/Test/Unit/Plugin/Webapi/Controller/Rest/ValidateCustomerDataTest.php

@@ -8,8 +8,8 @@
 namespace Magento\Customer\Test\Unit\Plugin\Webapi\Controller\Rest;
 
 use Exception;
-use Magento\Framework\App\ObjectManager;
 use Magento\Customer\Plugin\Webapi\Controller\Rest\ValidateCustomerData;
+use Magento\Framework\App\ObjectManager;
 use PHPUnit\Framework\TestCase;
 use ReflectionClass;
 
@@ -75,40 +75,48 @@ public function dataProviderInputData(): array
     {
         return [
             [
-                ['customer' =>
-                    [
+                ['customer' => [
                         'id' => -1,
                         'Id' => 1,
-                        'name' =>
-                            [
+                        'name' => [
                                 'firstName' => 'Test',
                                 'LastName' => 'user'
                             ],
                         'isHavingOwnHouse' => 1,
-                        'address' =>
-                            [
+                        'address' => [
                                 'street' => '1st Street',
                                 'Street' => '3rd Street',
                                 'city' => 'London'
                             ],
                     ]
                 ],
-                ['customer' =>
-                    [
+                ['customer' => [
                         'id' => -1,
-                        'name' =>
-                            [
+                        'name' => [
                                 'firstName' => 'Test',
                                 'LastName' => 'user'
                             ],
                         'isHavingOwnHouse' => 1,
-                        'address' =>
-                            [
+                        'address' => [
                                 'street' => '1st Street',
                                 'city' => 'London'
                             ],
                     ]
                 ],
+                ['customer' => [
+                    'id' => -1,
+                    '_Id' => 1,
+                    'name' => [
+                        'firstName' => 'Test',
+                        'LastName' => 'user'
+                    ],
+                    'isHavingOwnHouse' => 1,
+                    'address' => [
+                        'street' => '1st Street',
+                        'city' => 'London'
+                    ],
+                ]
+                ],
             ]
         ];
     }

app/code/Magento/EncryptionKey/Model/ResourceModel/Key/Change.php

@@ -5,10 +5,22 @@
  */
 namespace Magento\EncryptionKey\Model\ResourceModel\Key;
 
+use \Exception;
+use Magento\Config\Model\Config\Backend\Encrypted;
+use Magento\Config\Model\Config\Structure;
+use Magento\Framework\App\DeploymentConfig\Writer;
 use Magento\Framework\App\Filesystem\DirectoryList;
 use Magento\Framework\Config\ConfigOptionsListConstants;
 use Magento\Framework\Config\Data\ConfigData;
 use Magento\Framework\Config\File\ConfigFilePool;
+use Magento\Framework\Encryption\EncryptorInterface;
+use Magento\Framework\Exception\FileSystemException;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Framework\Filesystem;
+use Magento\Framework\Filesystem\Directory\WriteInterface;
+use Magento\Framework\Math\Random;
+use Magento\Framework\Model\ResourceModel\Db\AbstractDb;
+use Magento\Framework\Model\ResourceModel\Db\Context;
 
 /**
  * Encryption key changer resource model
@@ -19,60 +31,60 @@
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  * @since 100.0.2
  */
-class Change extends \Magento\Framework\Model\ResourceModel\Db\AbstractDb
+class Change extends AbstractDb
 {
     /**
      * Encryptor interface
      *
-     * @var \Magento\Framework\Encryption\EncryptorInterface
+     * @var EncryptorInterface
      */
     protected $encryptor;
 
     /**
      * Filesystem directory write interface
      *
-     * @var \Magento\Framework\Filesystem\Directory\WriteInterface
+     * @var WriteInterface
      */
     protected $directory;
 
     /**
      * System configuration structure
      *
-     * @var \Magento\Config\Model\Config\Structure
+     * @var Structure
      */
     protected $structure;
 
     /**
      * Configuration writer
      *
-     * @var \Magento\Framework\App\DeploymentConfig\Writer
+     * @var Writer
      */
     protected $writer;
 
     /**
-     * Random
+     * Random string generator
      *
-     * @var \Magento\Framework\Math\Random
+     * @var Random
      * @since 100.0.4
      */
     protected $random;
 
     /**
-     * @param \Magento\Framework\Model\ResourceModel\Db\Context $context
-     * @param \Magento\Framework\Filesystem $filesystem
-     * @param \Magento\Config\Model\Config\Structure $structure
-     * @param \Magento\Framework\Encryption\EncryptorInterface $encryptor
-     * @param \Magento\Framework\App\DeploymentConfig\Writer $writer
-     * @param \Magento\Framework\Math\Random $random
+     * @param Context $context
+     * @param Filesystem $filesystem
+     * @param Structure $structure
+     * @param EncryptorInterface $encryptor
+     * @param Writer $writer
+     * @param Random $random
      * @param string $connectionName
      */
     public function __construct(
-        \Magento\Framework\Model\ResourceModel\Db\Context $context,
-        \Magento\Framework\Filesystem $filesystem,
-        \Magento\Config\Model\Config\Structure $structure,
-        \Magento\Framework\Encryption\EncryptorInterface $encryptor,
-        \Magento\Framework\App\DeploymentConfig\Writer $writer,
-        \Magento\Framework\Math\Random $random,
+        Context $context,
+        Filesystem $filesystem,
+        Structure $structure,
+        EncryptorInterface $encryptor,
+        Writer $writer,
+        Random $random,
         $connectionName = null
     ) {
         $this->encryptor = clone $encryptor;
@@ -98,20 +110,18 @@ protected function _construct()
      *
      * @param string|null $key
      * @return null|string
-     * @throws \Exception
+     * @throws FileSystemException|LocalizedException|Exception
      */
     public function changeEncryptionKey($key = null)
     {
         // prepare new key, encryptor and new configuration segment
         if (!$this->writer->checkIfWritable()) {
-            throw new \Exception(__('Deployment configuration file is not writable.'));
+            throw new FileSystemException(__('Deployment configuration file is not writable.'));
         }
 
         if (null === $key) {
-            // md5() here is not for cryptographic use. It used for generate encryption key itself
-            // and do not encrypt any passwords
-            // phpcs:ignore Magento2.Security.InsecureFunction
-            $key = md5($this->random->getRandomString(ConfigOptionsListConstants::STORE_KEY_RANDOM_STRING_SIZE));
+            $key = ConfigOptionsListConstants::STORE_KEY_ENCODED_RANDOM_STRING_PREFIX .
+                $this->random->getRandomBytes(ConfigOptionsListConstants::STORE_KEY_RANDOM_STRING_SIZE);
         }
         $this->encryptor->setNewKey($key);
 
@@ -128,7 +138,7 @@ public function changeEncryptionKey($key = null)
             $this->writer->saveConfig($configData);
             $this->commit();
             return $key;
-        } catch (\Exception $e) {
+        } catch (LocalizedException $e) {
             $this->rollBack();
             throw $e;
         }
@@ -142,11 +152,11 @@ public function changeEncryptionKey($key = null)
     protected function _reEncryptSystemConfigurationValues()
     {
         // look for encrypted node entries in all system.xml files
-        /** @var \Magento\Config\Model\Config\Structure $configStructure  */
+        /** @var Structure $configStructure  */
         $configStructure = $this->structure;
         $paths = $configStructure->getFieldPathsByAttribute(
             'backend_model',
-            \Magento\Config\Model\Config\Backend\Encrypted::class
+            Encrypted::class
         );
 
         // walk through found data and re-encrypt it

app/code/Magento/EncryptionKey/Test/Unit/Model/ResourceModel/Key/ChangeTest.php

@@ -11,6 +11,7 @@
 use Magento\EncryptionKey\Model\ResourceModel\Key\Change;
 use Magento\Framework\App\DeploymentConfig\Writer;
 use Magento\Framework\App\ResourceConnection;
+use Magento\Framework\Config\ConfigOptionsListConstants;
 use Magento\Framework\DB\Adapter\AdapterInterface;
 use Magento\Framework\DB\Select;
 use Magento\Framework\Encryption\EncryptorInterface;
@@ -148,16 +149,19 @@ private function setUpChangeEncryptionKey()
     public function testChangeEncryptionKey()
     {
         $this->setUpChangeEncryptionKey();
-        $this->randomMock->expects($this->never())->method('getRandomString');
+        $this->randomMock->expects($this->never())->method('getRandomBytes');
         $key = 'key';
         $this->assertEquals($key, $this->model->changeEncryptionKey($key));
     }
 
     public function testChangeEncryptionKeyAutogenerate()
     {
         $this->setUpChangeEncryptionKey();
-        $this->randomMock->expects($this->once())->method('getRandomString')->willReturn('abc');
-        $this->assertEquals(hash('md5', 'abc'), $this->model->changeEncryptionKey());
+        $this->randomMock->expects($this->once())->method('getRandomBytes')->willReturn('abc');
+        $this->assertEquals(
+            ConfigOptionsListConstants::STORE_KEY_ENCODED_RANDOM_STRING_PREFIX . 'abc',
+            $this->model->changeEncryptionKey()
+        );
     }
 
     public function testChangeEncryptionKeyThrowsException()

dev/tests/integration/testsuite/Magento/EncryptionKey/Setup/Patch/Data/SodiumChachaPatchTest.php

@@ -8,13 +8,17 @@
 
 namespace Magento\EncryptionKey\Setup\Patch\Data;
 
+use Magento\Framework\Config\ConfigOptionsListConstants;
 use Magento\Framework\ObjectManagerInterface;
 use Magento\Framework\App\DeploymentConfig;
 use Magento\Framework\Encryption\Encryptor;
 
+/**
+ * Class SodiumChachaPatch library test
+ */
 class SodiumChachaPatchTest extends \PHPUnit\Framework\TestCase
 {
-    const PATH_KEY = 'crypt/key';
+    private const PATH_KEY = 'crypt/key';
 
     /**
      * @var ObjectManagerInterface
@@ -37,7 +41,10 @@ public function testChangeEncryptionKey()
         $testPath = 'test/config';
         $testValue = 'test';
 
-        $structureMock = $this->createMock(\Magento\Config\Model\Config\Structure\Proxy::class);
+        $structureMock = $this->createMock(
+            // phpstan:ignore "Class Magento\Config\Model\Config\Structure\Proxy not found."
+            \Magento\Config\Model\Config\Structure\Proxy::class
+        );
         $structureMock->expects($this->once())
             ->method('getFieldPathsByAttribute')
             ->willReturn([$testPath]);
@@ -88,7 +95,7 @@ private function legacyEncrypt(string $data): string
         $handle = @mcrypt_module_open(MCRYPT_RIJNDAEL_256, '', MCRYPT_MODE_CBC, '');
         $initVectorSize = @mcrypt_enc_get_iv_size($handle);
         $initVector = str_repeat("\0", $initVectorSize);
-        @mcrypt_generic_init($handle, $this->deployConfig->get(static::PATH_KEY), $initVector);
+        @mcrypt_generic_init($handle, $this->getEncryptionKey(), $initVector);
 
         $encrpted = @mcrypt_generic($handle, $data);
 
@@ -98,4 +105,19 @@ private function legacyEncrypt(string $data): string
 
         return '0:' . Encryptor::CIPHER_RIJNDAEL_256 . ':' . base64_encode($encrpted);
     }
+
+    /**
+     * Get Encryption key
+     *
+     * @return string
+     * @throws \Magento\Framework\Exception\FileSystemException
+     * @throws \Magento\Framework\Exception\RuntimeException
+     */
+    private function getEncryptionKey(): string
+    {
+        $key = $this->deployConfig->get(static::PATH_KEY);
+        return (str_starts_with($key, ConfigOptionsListConstants::STORE_KEY_ENCODED_RANDOM_STRING_PREFIX)) ?
+        base64_decode(substr($key, strlen(ConfigOptionsListConstants::STORE_KEY_ENCODED_RANDOM_STRING_PREFIX))) :
+        $key;
+    }
 }

dev/tests/integration/testsuite/Magento/Sales/_files/payment_enc_cc.php

@@ -8,6 +8,7 @@
 
 use Magento\Framework\Api\SearchCriteriaBuilder;
 use Magento\Framework\Api\SearchCriteria;
+use Magento\Framework\Config\ConfigOptionsListConstants;
 use Magento\Sales\Api\OrderRepositoryInterface;
 use Magento\Sales\Model\ResourceModel\Order\Payment\EncryptionUpdateTest;
 use Magento\Framework\App\DeploymentConfig;
@@ -30,7 +31,14 @@
 $handle = @mcrypt_module_open(MCRYPT_RIJNDAEL_256, '', MCRYPT_MODE_CBC, '');
 $initVectorSize = @mcrypt_enc_get_iv_size($handle);
 $initVector = str_repeat("\0", $initVectorSize);
-@mcrypt_generic_init($handle, $deployConfig->get('crypt/key'), $initVector);
+
+// Key is also encrypted to support 256-key
+$key = $deployConfig->get('crypt/key');
+$originalKey = (str_starts_with($key, ConfigOptionsListConstants::STORE_KEY_ENCODED_RANDOM_STRING_PREFIX)) ?
+    base64_decode(substr($key, strlen(ConfigOptionsListConstants::STORE_KEY_ENCODED_RANDOM_STRING_PREFIX))) :
+    $key;
+
+@mcrypt_generic_init($handle, $originalKey, $initVector);
 
 $encCcNumber = @mcrypt_generic($handle, EncryptionUpdateTest::TEST_CC_NUMBER);
 

lib/internal/Magento/Framework/Config/ConfigOptionsListConstants.php

@@ -167,4 +167,9 @@ class ConfigOptionsListConstants
      */
     public const STORE_KEY_RANDOM_STRING_SIZE = SODIUM_CRYPTO_AEAD_CHACHA20POLY1305_KEYBYTES;
     //phpcs:enable
+
+    /**
+     * Prefix of encoded random string
+     */
+    public const STORE_KEY_ENCODED_RANDOM_STRING_PREFIX = 'base64';
 }