Adding more options to the extension/

.github/workflows/coding-standard.yml

@@ -0,0 +1,21 @@
+name: Magento 2 Coding Standard
+
+# Run this workflow every time a new commit pushed to your repository or pull requested is created.
+on: [push, pull_request]
+
+jobs:
+  # Set the job key. The key is displayed as the job name
+  # when a job name is not provided
+  magento2-coding-standard:
+    # Name the Job
+    name: Magento 2 Coding Standard
+
+    # Set the type of machine to run on
+    runs-on: ubuntu-latest
+
+    steps:
+      # Checks out a copy of your repository on the ubuntu-latest machine
+      - name: Checkout Code
+        uses: actions/checkout@v4
+      - name: Running Magento 2 Coding Standard Check
+        uses: extdn/github-actions-m2/magento-coding-standard/7.4@master

LICENSE.md

@@ -0,0 +1,10 @@
+# MIT License
+
+**MagedIn_Frenet Extension**  
+**Copyright (C) 2024 MagedIn Technology**
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Model/Config.php

@@ -0,0 +1,71 @@
+<?php
+/**
+ * MagedIn Technology
+ *
+ * Do not edit this file if you want to update this module for future new versions.
+ *
+ * @category  MagedIn
+ * @copyright Copyright (c) 2024 MagedIn Technology.
+ *
+ * @author    MagedIn Support <support@magedin.com>
+ */
+
+declare(strict_types=1);
+
+namespace MagedIn\TrojanRequestBlocker\Model;
+
+use Magento\Framework\App\Config\ScopeConfigInterface;
+
+/**
+ * DocBlock for Config class.
+ */
+class Config
+{
+    private const XPATH_ENABLED = 'system/magedin_trojan_request_blocker/enabled';
+    private const XPATH_ADDITIONAL_PATTERNS = 'system/magedin_trojan_request_blocker/additional_patterns';
+
+    /**
+     * @var ScopeConfigInterface
+     */
+    private ScopeConfigInterface $scopeConfig;
+
+    /**
+     * @param ScopeConfigInterface $scopeConfig
+     */
+    public function __construct(
+        ScopeConfigInterface $scopeConfig
+    ) {
+        $this->scopeConfig = $scopeConfig;
+    }
+
+    /**
+     * DocBlock for method.
+     *
+     * @param string $scopeType
+     * @param null $scopeCode
+     *
+     * @return bool
+     */
+    public function isEnabled(string $scopeType = ScopeConfigInterface::SCOPE_TYPE_DEFAULT, $scopeCode = null): bool
+    {
+        return $this->scopeConfig->isSetFlag(self::XPATH_ENABLED, $scopeType, $scopeCode);
+    }
+
+    /**
+     * DocBlock for method.
+     *
+     * @param string $scopeType
+     * @param null $scopeCode
+     *
+     * @return array
+     */
+    public function getAdditionalPatterns(
+        string $scopeType = ScopeConfigInterface::SCOPE_TYPE_DEFAULT,
+        $scopeCode = null
+    ): array {
+        $value = $this->scopeConfig->getValue(self::XPATH_ADDITIONAL_PATTERNS, $scopeType, $scopeCode);
+        $value = explode(PHP_EOL, $value);
+        $value = array_map('trim', $value);
+        return (array) $value;
+    }
+}

Plugin/ValidateTrojanPostRequest.php

@@ -14,6 +14,7 @@
 
 namespace MagedIn\TrojanRequestBlocker\Plugin;
 
+use MagedIn\TrojanRequestBlocker\Model\Config;
 use MagedIn\TrojanRequestBlocker\Service\Validator\PostRequest;
 use Magento\Framework\App\FrontControllerInterface;
 use Magento\Framework\App\RequestInterface;
@@ -29,13 +30,21 @@ class ValidateTrojanPostRequest
      */
     private PostRequest $validator;
 
+    /**
+     * @var Config
+     */
+    private Config $config;
+
     /**
      * @param PostRequest $validator
+     * @param Config $config
      */
     public function __construct(
-        PostRequest $validator
+        PostRequest $validator,
+        Config $config
     ) {
         $this->validator = $validator;
+        $this->config = $config;
     }
 
     /**
@@ -49,7 +58,7 @@ public function __construct(
      */
     public function beforeDispatch(FrontControllerInterface $subject, RequestInterface $request): void
     {
-        if (!$request->isPost()) {
+        if (!$this->config->isEnabled()) {
             return;
         }
         $this->validator->validate($request);

README.md

@@ -2,4 +2,30 @@
 
 Keep your Magento 2 store protected from suspicious and harmful requests with MagedIn_TrojanRequestBlocker. This robust extension acts as a shield, detecting and blocking malicious requests before they can disrupt your e-commerce operations. Whether it’s bots, fraudulent actions, or unusual traffic spikes, MagedIn_TrojanRequestBlocker is designed to guard your store from potentially harmful activity, ensuring a secure and smooth shopping experience for legitimate users.
 
-[Adobe Commerce merchants to be hit with TrojanOrders this season](https://sansec.io/research/trojanorder-magento)
+## Compatibility
+
+- Magento 2.3
+- Magento 2.4
+
+## Installation
+
+```bash
+> composer require magedin/module-trojan-request-blocker
+> php bin/magento module:enable MagedIn_TrojanRequestBlocker
+> php bin/magento setup:upgrade
+> php bin/magento setup:di:compile
+```
+
+## Further Reading
+
+- [Adobe Commerce merchants to be hit with TrojanOrders this season](https://sansec.io/research/trojanorder-magento)
+- [Magento stores targeted in massive surge of TrojanOrders attacks](https://www.bleepingcomputer.com/news/security/magento-stores-targeted-in-massive-surge-of-trojanorders-attacks/)
+- [Surge in TrojanOrders Attacks on Magento 2 E-commerce Sites](https://cyberfraudcentre.com/surge-in-trojanorders-attacks-on-magento-2-e-commerce-sites)
+- [Magento 2: Fake customer order came through with weird code instead of customer name](https://magento.stackexchange.com/questions/358839/magento-2-fake-customer-order-came-through-with-weird-code-instead-of-customer)
+- [Despite "Allow Guest Checkout" set to "No" it's possible to place a guest order with the guest-carts REST API #36691](https://github.com/magento/magento2/issues/36691)
+
+<div style="text-align: center;">
+    <a href="https://github.com/magedin/magento2-module-frenet/">
+        <img src="https://raw.githubusercontent.com/magedin/assets/c0cd4f15cee6580c6c96848400cf089e91417529/images/logo/magedin_horizontal.svg?raw=true" width="200" alt="MagedIn Technology" title="MagedIn Technology"/>
+    </a>
+</div>

Service/Patterns/ConfigPatterns.php

@@ -0,0 +1,45 @@
+<?php
+/**
+ * MagedIn Technology
+ *
+ * Do not edit this file if you want to update this module for future new versions.
+ *
+ * @category  MagedIn
+ * @copyright Copyright (c) 2024 MagedIn Technology.
+ *
+ * @author    MagedIn Support <support@magedin.com>
+ */
+
+declare(strict_types=1);
+
+namespace MagedIn\TrojanRequestBlocker\Service\Patterns;
+
+use MagedIn\TrojanRequestBlocker\Model\Config;
+
+/**
+ * DocBlock for DefaultPatterns class.
+ */
+class ConfigPatterns implements PatternsInterface
+{
+    /**
+     * @var Config
+     */
+    private Config $config;
+
+    /**
+     * @param Config $config
+     */
+    public function __construct(
+        Config $config
+    ) {
+        $this->config = $config;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function load(): array
+    {
+        return $this->config->getAdditionalPatterns();
+    }
+}

Service/Patterns/DefaultPatterns.php

@@ -0,0 +1,43 @@
+<?php
+/**
+ * MagedIn Technology
+ *
+ * Do not edit this file if you want to update this module for future new versions.
+ *
+ * @category  MagedIn
+ * @copyright Copyright (c) 2024 MagedIn Technology.
+ *
+ * @author    MagedIn Support <support@magedin.com>
+ */
+
+declare(strict_types=1);
+
+namespace MagedIn\TrojanRequestBlocker\Service\Patterns;
+
+/**
+ * DocBlock for DefaultPatterns class.
+ */
+class DefaultPatterns implements PatternsInterface
+{
+    /**
+     * @var array
+     */
+    private array $patterns;
+
+    /**
+     * @param array $patterns
+     */
+    public function __construct(
+        array $patterns = []
+    ) {
+        $this->patterns = $patterns;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function load(): array
+    {
+        return $this->patterns;
+    }
+}

Service/Patterns/PatternsInterface.php

@@ -0,0 +1,26 @@
+<?php
+/**
+ * MagedIn Technology
+ *
+ * Do not edit this file if you want to update this module for future new versions.
+ *
+ * @category  MagedIn
+ * @copyright Copyright (c) 2024 MagedIn Technology.
+ *
+ * @author    MagedIn Support <support@magedin.com>
+ */
+
+namespace MagedIn\TrojanRequestBlocker\Service\Patterns;
+
+/**
+ * DocBlock for PatternsInterface interface.
+ */
+interface PatternsInterface
+{
+    /**
+     * DocBlock for method.
+     *
+     * @return array
+     */
+    public function load(): array;
+}

Service/PatternsRetriever.php → Service/Patterns/TermsBlacklistPatterns.php

@@ -12,15 +12,15 @@
 
 declare(strict_types=1);
 
-namespace MagedIn\TrojanRequestBlocker\Service;
+namespace MagedIn\TrojanRequestBlocker\Service\Patterns;
 
 use Magento\Framework\App\Filesystem\DirectoryList;
 use Magento\Framework\Exception\FileSystemException;
 
 /**
- * DocBlock for AdditionalPatternsLoader class.
+ * This class tries to get the patterns from the .terms_blacklist file into the var directory.
  */
-class PatternsRetriever
+class TermsBlacklistPatterns implements PatternsInterface
 {
     private const ADDITIONAL_PATTERNS_FILE = '.terms_blacklist';
 
@@ -32,60 +32,39 @@ class PatternsRetriever
     /**
      * @var array
      */
-    private array $patterns;
-
-    /**
-     * @var bool
-     */
-    private bool $isLoadedAdditionPatterns = false;
+    private array $patterns = [];
 
     /**
      * @param DirectoryList $directoryList
-     * @param array $patterns
      */
     public function __construct(
-        DirectoryList $directoryList,
-        array $patterns = []
+        DirectoryList $directoryList
     ) {
         $this->directoryList = $directoryList;
-        $this->patterns = $patterns;
-    }
-
-    /**
-     * DocBlock for method.
-     *
-     * @return array
-     */
-    public function getPatterns(): array
-    {
-        $this->loadAdditionalPatterns();
-        return (array) $this->patterns;
     }
 
     /**
-     * DocBlock for method.
-     *
-     * @return void
+     * @inheritDoc
      */
-    private function loadAdditionalPatterns(): void
+    public function load(): array
     {
-        if ($this->isLoadedAdditionPatterns) {
-            return;
+        if ($this->patterns) {
+            return $this->patterns;
         }
         try {
             $varDirectory = $this->directoryList->getPath(DirectoryList::VAR_DIR);
         } catch (FileSystemException $e) {
-            return;
+            return $this->patterns;
         }
         $termsBlacklist = $varDirectory . DIRECTORY_SEPARATOR . self::ADDITIONAL_PATTERNS_FILE;
         if (file_exists($termsBlacklist) && is_readable($termsBlacklist)) {
             $content = explode(PHP_EOL, file_get_contents($termsBlacklist));
             $content = array_filter($content);
             array_map(function (string $term) use (&$patterns) {
-                $this->patterns[] = $term;
+                $this->patterns[] = trim($term);
             }, $content);
             $this->patterns = array_unique($this->patterns);
-            $this->isLoadedAdditionPatterns = true;
         }
+        return $this->patterns;
     }
 }