Merge pull request #6772 from magento-tsg/MC-41213

[Arrows] MC-41213: Update existing Magento 2.4 code to pass Insecure Function phpcs checks

Author: zakdma

app/code/Magento/AdminNotification/Model/System/Message/Baseurl.php

@@ -101,6 +101,8 @@ protected function _getConfigUrl()
      */
     public function getIdentity()
     {
+        // md5() here is not for cryptographic use.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         return md5('BASE_URL' . $this->_getConfigUrl());
     }
 

app/code/Magento/AdminNotification/Model/System/Message/CacheOutdated.php

@@ -62,6 +62,8 @@ protected function _getCacheTypesForRefresh()
      */
     public function getIdentity()
     {
+        // md5() here is not for cryptographic use.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         return md5('cache' . implode(':', $this->_getCacheTypesForRefresh()));
     }
 

app/code/Magento/AsynchronousOperations/Model/ResourceModel/System/Message/Collection/Synchronized/Plugin.php

@@ -108,6 +108,8 @@ public function afterToArray(
                     'data' => [
                         'text' => __('Task "%1": ', $bulk->getDescription()) . $text,
                         'severity' => \Magento\Framework\Notification\MessageInterface::SEVERITY_MAJOR,
+                        // md5() here is not for cryptographic use.
+                        // phpcs:ignore Magento2.Security.InsecureFunction
                         'identity' => md5('bulk' . $bulkUuid),
                         'uuid' => $bulkUuid,
                         'status' => $bulkStatus,

app/code/Magento/Backend/Test/Mftf/Helper/CurlHelpers.php

@@ -49,6 +49,8 @@ public function assertImageContentIsEqual($url, $expectedString, $postBody = nul
         $imageContent = $this->getCurlResponse($url, $cookie, $postBody);
         // Must make request twice until bug is resolved: B2B-1789
         $imageContent = $this->getCurlResponse($url, $cookie, $postBody);
+        // md5() here is not for cryptographic use.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         $imageContentMD5 = md5($imageContent);
         $this->assertStringContainsString($expectedString, $imageContentMD5, $message);
     }

app/code/Magento/Catalog/Block/Navigation.php

@@ -152,6 +152,8 @@ public function getCacheKeyInfo()
 
         $shortCacheId = array_values($shortCacheId);
         $shortCacheId = implode('|', $shortCacheId);
+        // md5() here is not for cryptographic use.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         $shortCacheId = md5($shortCacheId);
 
         $cacheId['category_path'] = $this->getCurrentCategoryKey();

app/code/Magento/Catalog/Controller/Adminhtml/Product/Attribute.php

@@ -126,6 +126,8 @@ protected function generateCode($label)
         );
         $validatorAttrCode = new \Zend_Validate_Regex(['pattern' => '/^[a-z][a-z_0-9]{0,29}[a-z0-9]$/']);
         if (!$validatorAttrCode->isValid($code)) {
+            // md5() here is not for cryptographic use.
+            // phpcs:ignore Magento2.Security.InsecureFunction
             $code = 'attr_' . ($code ?: substr(md5(time()), 0, 8));
         }
         return $code;

app/code/Magento/Catalog/Model/Product/Option/Type/File/ValidatorFile.php

@@ -213,7 +213,7 @@ public function validate($processingParams, $option)
                 }
             }
 
-            $fileHash = md5($tmpDirectory->readFile($tmpDirectory->getRelativePath($fileInfo['tmp_name'])));
+            $fileHash = hash('sha256', $tmpDirectory->readFile($tmpDirectory->getRelativePath($fileInfo['tmp_name'])));
 
             $userValue = [
                 'type' => $fileInfo['type'],

app/code/Magento/Catalog/Model/Product/Option/Type/File/ValidatorInfo.php

@@ -125,7 +125,7 @@ public function validate($optionValue, $option)
      */
     protected function buildSecretKey($fileRelativePath)
     {
-        return substr(md5($this->rootDirectory->readFile($fileRelativePath)), 0, 20);
+        return substr(hash('sha256', $this->rootDirectory->readFile($fileRelativePath)), 0, 20);
     }
 
     /**

app/code/Magento/Catalog/Model/Webapi/Product/Option/Type/File/Processor.php

@@ -59,7 +59,7 @@ public function processFileContent(ImageContentInterface $imageContent)
         $filePath = $this->saveFile($imageContent);
 
         $fileAbsolutePath = $this->filesystem->getDirectoryRead(DirectoryList::MEDIA)->getAbsolutePath($filePath);
-        $fileHash = md5($this->filesystem->getDirectoryRead(DirectoryList::MEDIA)->readFile($filePath));
+        $fileHash = hash('sha256', $this->filesystem->getDirectoryRead(DirectoryList::MEDIA)->readFile($filePath));
         $imageSize = getimagesize($fileAbsolutePath);
         $result = [
             'type' => $imageContent->getType(),

app/code/Magento/Catalog/view/adminhtml/templates/catalog/product/edit/serializer.phtml

@@ -8,7 +8,11 @@
 ?>
 
 // phpcs:disable Magento2.Security.InsecureFunction.DiscouragedWithAlternative
-<?php $_id = 'id_' . md5(microtime()) ?>
+<?php
+// md5() here is not for cryptographic use.
+// phpcs:ignore Magento2.Security.InsecureFunction
+$_id = 'id_' . md5(microtime())
+?>
 <input type="hidden"
        name="<?= $block->escapeHtmlAttr($block->getInputElementName()) ?>"
        value=""

app/code/Magento/Developer/Console/Command/DevTestsRunCommand.php

@@ -105,6 +105,8 @@ protected function execute(InputInterface $input, OutputInterface $output)
             }
             $message = $dirName . '> ' . $command;
             $output->writeln(['', str_pad("---- {$message} ", 70, '-'), '']);
+            // passthru() call have to be here.
+            // phpcs:ignore Magento2.Security.InsecureFunction
             passthru($command, $returnVal);
             if ($returnVal) {
                 $failures[] = $message;

app/code/Magento/Eav/Model/Entity/Attribute/Group.php

@@ -128,6 +128,7 @@ public function beforeSave()
                 $isReservedSystemName = in_array(strtolower($attributeGroupCode), $this->reservedSystemNames);
                 if (empty($attributeGroupCode) || $isReservedSystemName) {
                     // in the following code md5 is not used for security purposes
+                    // phpcs:ignore Magento2.Security.InsecureFunction
                     $attributeGroupCode = md5(strtolower($groupName));
                 }
                 $this->setAttributeGroupCode($attributeGroupCode);

app/code/Magento/EncryptionKey/Model/ResourceModel/Key/Change.php

@@ -108,6 +108,9 @@ public function changeEncryptionKey($key = null)
         }
 
         if (null === $key) {
+            // md5() here is not for cryptographic use. It used for generate encryption key itself
+            // and do not encrypt any passwords
+            // phpcs:ignore Magento2.Security.InsecureFunction
             $key = md5($this->random->getRandomString(ConfigOptionsListConstants::STORE_KEY_RANDOM_STRING_SIZE));
         }
         $this->encryptor->setNewKey($key);

app/code/Magento/Integration/Model/Message/RecreatedIntegration.php

@@ -81,6 +81,8 @@ public function isDisplayed()
      */
     public function getIdentity()
     {
+        // md5() here is not for cryptographic use.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         return md5('INTEGRATION_RECREATED');
     }
 

app/code/Magento/Store/Model/StoresData.php

@@ -56,6 +56,8 @@ public function __construct(
      */
     public function getStoresData(string $runMode, string $scopeCode = null) : array
     {
+        // md5() here is not for cryptographic use.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         $cacheKey = 'resolved_stores_' . md5($runMode . $scopeCode);
         $cacheData = $this->cache->load($cacheKey);
         if ($cacheData) {

app/code/Magento/Theme/Model/Design.php

@@ -111,6 +111,8 @@ public function loadChange($storeId, $date = null)
             $date = $this->_dateTime->formatDate($this->_localeDate->scopeTimeStamp($storeId), false);
         }
 
+        // md5() here is not for cryptographic use.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         $changeCacheId = 'design_change_' . md5($storeId . $date);
         $result = $this->_cacheManager->load($changeCacheId);
         if ($result === false) {

app/code/Magento/Ui/Model/Export/ConvertToCsv.php

@@ -65,6 +65,8 @@ public function getCsvFile()
     {
         $component = $this->filter->getComponent();
 
+        // md5() here is not for cryptographic use.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         $name = md5(microtime());
         $file = 'export/'. $component->getName() . $name . '.csv';
 

app/code/Magento/Ui/Model/Export/ConvertToXml.php

@@ -127,6 +127,8 @@ public function getXmlFile()
     {
         $component = $this->filter->getComponent();
 
+        // md5() here is not for cryptographic use.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         $name = md5(microtime());
         $file = 'export/'. $component->getName() . $name . '.xml';
 

dev/tests/integration/framework/Magento/TestFramework/MessageQueue/PublisherConsumerController.php

@@ -138,6 +138,8 @@ public function stopConsumers()
     {
         foreach ($this->consumers as $consumer) {
             foreach ($this->getConsumerProcessIds($consumer) as $consumerProcessId) {
+                // exec() have to be here since this is test.
+                // phpcs:ignore Magento2.Security.InsecureFunction
                 exec("kill {$consumerProcessId}");
             }
         }
@@ -165,6 +167,8 @@ public function getConsumersProcessIds()
      */
     private function getConsumerProcessIds($consumer)
     {
+        // exec() have to be here since this is test.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         exec("ps ax | grep -v grep | grep '{$this->getConsumerStartCommand($consumer)}' | awk '{print $1}'", $output);
         return $output;
     }
@@ -232,6 +236,8 @@ public function startConsumers(): void
     {
         foreach ($this->consumers as $consumer) {
             if (!$this->getConsumerProcessIds($consumer)) {
+                // exec() have to be here since this is test.
+                // phpcs:ignore Magento2.Security.InsecureFunction
                 exec("{$this->getConsumerStartCommand($consumer, true)} > /dev/null &");
             }
             sleep(5);

dev/tests/integration/testsuite/Magento/Catalog/Model/Product/Compare/ListCompareTest.php

@@ -28,6 +28,8 @@ protected function setUp(): void
             ->get(\Magento\Customer\Model\Session::class);
         $this->_visitor = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()
             ->create(\Magento\Customer\Model\Visitor::class);
+        // md5() used for generate unique session identifier for test purposes.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         $this->_visitor->setSessionId(md5(time()) . md5(microtime()))
             ->setLastVisitAt((new \DateTime())->format(\Magento\Framework\Stdlib\DateTime::DATETIME_PHP_FORMAT))
             ->save();

dev/tests/integration/testsuite/Magento/Catalog/Model/Product/Option/Type/File/ValidatorInfoTest.php

@@ -182,7 +182,7 @@ protected function getOptionValue()
             'title' => 'test.jpg',
             'quote_path' => $file,
             'order_path' => $file,
-            'secret_key' => substr(md5(file_get_contents($filePath)), 0, 20),
+            'secret_key' => substr(hash('sha256', file_get_contents($filePath)), 0, 20),
         ];
     }
 }

dev/tests/integration/testsuite/Magento/Framework/Encryption/ModelTest.php

@@ -33,6 +33,8 @@ public function testEncryptDecrypt2()
     {
         $encryptor = $this->_model;
 
+        // md5() here is not for cryptographic use just generate random string.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         $initial = md5(uniqid());
         $encrypted = $encryptor->encrypt($initial);
         $this->assertNotEquals($initial, $encrypted);
@@ -41,6 +43,8 @@ public function testEncryptDecrypt2()
 
     public function testValidateKey()
     {
+        // md5() have to be use here.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         $validKey = md5(uniqid());
         $this->_model->validateKey($validKey);
     }

dev/tests/integration/testsuite/Magento/Framework/Session/SaveHandler/DbTableTest.php

@@ -121,10 +121,14 @@ public function testOpenAndClose()
      */
     public function testWriteReadDestroy()
     {
+        // We have to use serialize here.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         $data = serialize($this->_sessionData[self::SESSION_NEW]);
         $this->_model->write(self::SESSION_ID, $data);
         $this->assertEquals($data, $this->_model->read(self::SESSION_ID));
 
+        // We have to use serialize here.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         $data = serialize($this->_sessionData[self::SESSION_EXISTS]);
         $this->_model->write(self::SESSION_ID, $data);
         $this->assertEquals($data, $this->_model->read(self::SESSION_ID));
@@ -151,6 +155,8 @@ public function testGc()
      */
     public function testWriteEncoded()
     {
+        // We have to use serialize here.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         $data = serialize($this->_sessionData[self::SESSION_NEW]);
         $this->_model->write(self::SESSION_ID, $data);
 
@@ -179,6 +185,7 @@ public function readEncodedDataProvider()
     {
         // we can't use object data as a fixture because not encoded serialized object
         // might cause DB adapter fatal error, so we have to use array as a fixture
+        // phpcs:ignore Magento2.Security.InsecureFunction
         $sessionData = serialize($this->_sourceData[self::SESSION_NEW]);
         return [
             'session_encoded' => ['$sessionData' => base64_encode($sessionData)],
@@ -201,6 +208,8 @@ public function testReadEncoded($sessionData)
         $this->_connection->insertOnDuplicate($this->_sessionTable, $sessionRecord, [self::COLUMN_SESSION_DATA]);
 
         $sessionData = $this->_model->read(self::SESSION_ID);
+        // We have to use unserialize here.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         $this->assertEquals($this->_sourceData[self::SESSION_NEW], unserialize($sessionData));
     }
 }

dev/tests/integration/testsuite/Magento/Integration/Model/ResourceModel/IntegrationTest.php

@@ -26,8 +26,11 @@ protected function setUp(): void
         $this->consumer = $objectManager->create(\Magento\Integration\Model\Oauth\Consumer::class);
         $this->consumer->setData(
             [
+                // md5() here just to generate unique string
+                // phpcs:disable Magento2.Security.InsecureFunction
                 'key' => md5(uniqid()),
                 'secret' => md5(uniqid()),
+                // phpcs:enable
                 'callback_url' => 'http://example.com/callback',
                 'rejected_callback_url' => 'http://example.com/rejectedCallback'
             ]

dev/tests/integration/testsuite/Magento/MessageQueue/Model/Plugin/ResourceModel/LockTest.php

@@ -48,6 +48,8 @@ public function testLockClearedByMaintenanceModeOff()
     {
         /** @var $maintenanceMode \Magento\Framework\App\MaintenanceMode */
         $maintenanceMode = $this->objectManager->get(\Magento\Framework\App\MaintenanceMode::class);
+        // md5() here is not for cryptographic use.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         $code = md5('consumer.name-1');
         $this->lock->setMessageCode($code);
         $this->writer->saveLock($this->lock);

dev/tests/integration/testsuite/Magento/Newsletter/Model/QueueTest.php

@@ -61,6 +61,8 @@ public function testSendPerSubscriber()
      */
     public function testSendPerSubscriberProblem()
     {
+        // md5 used here only for random string generation for test purposes. No cryptographic use.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         $errorMsg = md5(microtime());
 
         \Magento\TestFramework\Helper\Bootstrap::getInstance()

dev/tests/integration/testsuite/Magento/Test/Integrity/DatabaseTest.php

@@ -24,6 +24,8 @@ public function testDuplicateKeys()
         $command = $checkerPath . ' -d ' . $db->getSchema()
             . ' h=' . $db->getHost()['db-host'] . ',u=' . $db->getUser() . ',p=' . $db->getPassword();
 
+        // exec() have to be here since this is test.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         exec($command, $output, $exitCode);
         $this->assertEquals(0, $exitCode);
         $output = implode(PHP_EOL, $output);

dev/tests/static/framework/Magento/TestFramework/CodingStandard/Tool/CopyPasteDetector.php

@@ -54,6 +54,8 @@ public function setBlackList(array $blackList)
      */
     public function canRun()
     {
+        // exec() have to be here since this is test.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         exec($this->getCommand() . ' --version', $output, $exitCode);
         return $exitCode === 0;
     }
@@ -86,6 +88,8 @@ public function run(array $whiteList)
         $command = $this->getCommand() . ' --log-pmd ' . escapeshellarg($this->reportFile)
             . ' --names-exclude ' . join(',', $blacklistedFileNames) . ' --min-lines 13 ' . join(' ', $blacklistedDirs)
             . ' ' . implode(' ', $whiteList);
+        // exec() have to be here since this is test.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         exec($command, $output, $exitCode);
 
         return !(bool)$exitCode;

dev/tests/static/get_github_changes.php

@@ -485,6 +485,8 @@ private function call($command)
             escapeshellarg($this->workTree)
         );
         $tmp = sprintf('%s %s', $gitCmd, $command);
+        // exec() have to be here since this is test.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         exec($tmp, $output);
         return $output;
     }

lib/internal/Magento/Framework/Api/ImageProcessor.php

@@ -145,6 +145,8 @@ public function processImageContent($entityType, $imageContent)
         $fileContent = @base64_decode($imageContent->getBase64EncodedData(), true);
         $tmpDirectory = $this->filesystem->getDirectoryWrite(DirectoryList::SYS_TMP);
         $fileName = $this->getFileName($imageContent);
+        // md5() here is not for cryptographic use.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         $tmpFileName = substr(md5(rand()), 0, 7) . '.' . $fileName;
         $tmpDirectory->writeFile($tmpFileName, $fileContent);
 

lib/internal/Magento/Framework/App/Cache/Frontend/Factory.php

@@ -139,6 +139,8 @@ public function create(array $options)
         if (empty($idPrefix)) {
             $configDirPath = $this->_filesystem->getDirectoryRead(DirectoryList::CONFIG)->getAbsolutePath();
             $idPrefix =
+                // md5() here is not for cryptographic use.
+                // phpcs:ignore Magento2.Security.InsecureFunction
                 substr(md5($configDirPath), 0, 3) . '_';
         }
         $options['frontend_options']['cache_id_prefix'] = $idPrefix;

lib/internal/Magento/Framework/Cache/Backend/RemoteSynchronizedCache.php

@@ -248,6 +248,8 @@ public function save($data, $id, $tags = [], $specificLifetime = false)
             $this->unlock($id);
         }
 
+        // mt_rand() here is not for cryptographic use.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         if (!mt_rand(0, 100) && $this->checkIfLocalCacheSpaceExceeded()) {
             $this->local->clean();
         }

lib/internal/Magento/Framework/DB/ExpressionConverter.php

@@ -102,6 +102,8 @@ public static function shortenEntityName($entityName, $prefix)
         if (strlen($entityName) > self::MYSQL_IDENTIFIER_LEN) {
             $shortName = ExpressionConverter::shortName($entityName);
             if (strlen($shortName) > self::MYSQL_IDENTIFIER_LEN) {
+                // md5() here is not for cryptographic use.
+                // phpcs:ignore Magento2.Security.InsecureFunction
                 $hash = md5($entityName);
                 if (strlen($prefix . $hash) > self::MYSQL_IDENTIFIER_LEN) {
                     $entityName = self::trimHash($hash, $prefix, self::MYSQL_IDENTIFIER_LEN);

lib/internal/Magento/Framework/Data/Collection/Db/FetchStrategy/Cache.php

@@ -99,6 +99,8 @@ public function fetchAll(Select $select, array $bindParams = [])
      */
     protected function _getSelectCacheId($select)
     {
+        // md5() here is not for cryptographic use.
+        // phpcs:ignore Magento2.Security.InsecureFunction
         return $this->_cacheIdPrefix . md5((string)$select);
     }
 }

lib/internal/Magento/Framework/Filesystem/Io/Ftp.php

@@ -316,7 +316,7 @@ public function ls($grep = null)
         $ls = @ftp_nlist($this->_conn, '.') ?: [];
 
         $list = [];
-        
+
         foreach ($ls as $file) {
             $list[] = ['text' => $file, 'id' => $this->pwd() . '/' . $file];
         }
@@ -331,6 +331,8 @@ public function ls($grep = null)
     protected function _tmpFilename($new = false)
     {
         if ($new || !$this->_tmpFilename) {
+            // md5() here is not for cryptographic use.
+            // phpcs:ignore Magento2.Security.InsecureFunction
             $this->_tmpFilename = tempnam(md5(uniqid(rand(), true)), '');
         }
         return $this->_tmpFilename;