Merge pull request #604 from magento-sparta/1.0.0-beta12_backlog

[SUPPORT] MDVA-271: Security Backlog for Merchant Beta 1.0.0_beta12

CHANGELOG.md

@@ -1,3 +1,8 @@
+1.0.0-beta12
+=============
+* Security fixes:
+    * This release contains several security fixes. We describe each issue in detail in the Magento Security Center (https://www.magento.com/security).
+
 1.0.0-beta11
 =============
 * Fixed bugs:

app/code/Magento/Authorizenet/Controller/Directpost/Payment/Redirect.php

@@ -31,6 +31,7 @@ public function execute()
         if (!empty($redirectParams['error_msg'])) {
             $cancelOrder = empty($redirectParams['x_invoice_num']);
             $this->_returnCustomerQuote($cancelOrder, $redirectParams['error_msg']);
+            $params['error_msg'] = $redirectParams['error_msg'];
         }
 
         if (isset($redirectParams['controller_action_name'])
@@ -40,7 +41,7 @@ public function execute()
             unset($params['redirect_parent']);
         }
 
-        $this->_coreRegistry->register(Iframe::REGISTRY_KEY, array_merge($params, $redirectParams));
+        $this->_coreRegistry->register(Iframe::REGISTRY_KEY, $params);
         $this->_view->addPageLayoutHandles();
         $this->_view->loadLayout(false)->renderLayout();
     }

app/code/Magento/Backend/App/BackendAppList.php

@@ -44,6 +44,7 @@ public function getCurrentApp()
         if ($appName && isset($this->backendApps[$appName])) {
             return $this->backendApps[$appName];
         }
+        return null;
     }
 
     /**

app/code/Magento/Braintree/Model/PaymentMethod.php

@@ -10,6 +10,7 @@
 use \Braintree_Exception;
 use \Braintree_Transaction;
 use \Braintree_Result_Successful;
+use Magento\Framework\Object;
 use Magento\Framework\Exception\LocalizedException;
 use Magento\Sales\Model\Order\Payment\Transaction;
 use Magento\Sales\Model\Resource\Order\Payment\Transaction\CollectionFactory as TransactionCollectionFactory;
@@ -245,15 +246,29 @@ public function __construct(
      */
     public function assignData($data)
     {
-        parent::assignData($data);
+        $additionalData = $data->getAdditionalData();
+
+        if (!is_array($data->getAdditionalData())) {
+            return $this;
+        }
+        $additionalData = new Object($additionalData);
+
         $infoInstance = $this->getInfoInstance();
         if ($this->getConfigData('fraudprotection') > 0) {
-            $infoInstance->setAdditionalInformation('device_data', $data->getData('device_data'));
+            $infoInstance->setAdditionalInformation('device_data', $additionalData->getData('device_data'));
         }
-        $infoInstance->setAdditionalInformation('cc_last4', $data->getData('cc_last4'));
-        $infoInstance->setAdditionalInformation('cc_token', $data->getCcToken());
-        $infoInstance->setAdditionalInformation('payment_method_nonce', $data->getPaymentMethodNonce());
-        $infoInstance->setAdditionalInformation('store_in_vault', $data->getStoreInVault());
+        $infoInstance->setAdditionalInformation('cc_last4', $additionalData->getData('cc_last4'));
+        $infoInstance->setAdditionalInformation('cc_token', $additionalData->getCcToken());
+        $infoInstance->setAdditionalInformation(
+            'payment_method_nonce',
+            $additionalData->getPaymentMethodNonce()
+        );
+
+        $infoInstance->setCcLast4($additionalData->getData('cc_last4'));
+        $infoInstance->setCcType($additionalData->getData('cc_type'));
+        $infoInstance->setCcExpMonth($additionalData->getData('cc_exp_month'));
+        $infoInstance->setCcExpYear($additionalData->getData('cc_exp_year'));
+
         return $this;
     }
 

app/code/Magento/Braintree/Model/PaymentMethod/PayPal.php

@@ -10,6 +10,7 @@
 use \Braintree_Exception;
 use \Braintree_Transaction;
 use \Braintree_Result_Successful;
+use Magento\Framework\Object;
 use Magento\Framework\Exception\LocalizedException;
 use Magento\Braintree\Model\PaymentMethod;
 use Magento\Payment\Model\InfoInterface;
@@ -149,8 +150,18 @@ public function getConfigData($field, $storeId = null)
      */
     public function assignData($data)
     {
+        $additionalData = $data->getAdditionalData();
+
+        if (!is_array($data->getAdditionalData())) {
+            return $this;
+        }
+        $additionalData = new Object($additionalData);
+
         $infoInstance = $this->getInfoInstance();
-        $infoInstance->setAdditionalInformation('payment_method_nonce', $data->getPaymentMethodNonce());
+        $infoInstance->setAdditionalInformation(
+            'payment_method_nonce',
+            $additionalData->getPaymentMethodNonce()
+        );
         return $this;
     }
 

app/code/Magento/Braintree/Test/Unit/Model/PaymentMethod/PayPalTest.php

@@ -230,10 +230,12 @@ public function testAssignData()
         $paymentMethodNonce = 'nonce';
         $storeInVault = true;
         $data = [
-            'cc_last4' => $ccLast4,
-            'cc_token' => $ccToken,
-            'payment_method_nonce' => $paymentMethodNonce,
-            'store_in_vault' => $storeInVault,
+            'additional_data' => [
+                'cc_last4' => $ccLast4,
+                'cc_token' => $ccToken,
+                'payment_method_nonce' => $paymentMethodNonce,
+                'store_in_vault' => $storeInVault
+            ]
         ];
         $data = new \Magento\Framework\Object($data);
         $this->model->setInfoInstance($this->infoInstanceMock);

app/code/Magento/Braintree/Test/Unit/Model/PaymentMethodTest.php

@@ -8,6 +8,8 @@
 
 use Magento\Braintree\Model\PaymentMethod;
 use Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
+use Magento\Payment\Model\InfoInterface;
+use Magento\Quote\Model\Quote\Payment;
 use Magento\Sales\Model\Order\Payment\Transaction;
 use \Magento\Sales\Model\Resource\Order\Payment\Transaction\CollectionFactory as TransactionCollectionFactory;
 use Magento\Framework\Exception\LocalizedException;
@@ -61,7 +63,7 @@ class PaymentMethodTest extends \PHPUnit_Framework_TestCase
     protected $registryMock;
 
     /**
-     * @var \Magento\Payment\Model\InfoInterface|\PHPUnit_Framework_MockObject_MockObject
+     * @var Payment|\PHPUnit_Framework_MockObject_MockObject
      */
     protected $infoInstanceMock;
 
@@ -188,29 +190,25 @@ protected function setUp()
                 'braintreeCreditCard' => $this->braintreeCreditCardMock,
             ]
         );
-        $this->infoInstanceMock = $this->getMockForAbstractClass(
-            '\Magento\Payment\Model\InfoInterface',
-            [],
-            '',
-            false,
-            false,
-            false,
-            [
-                'setCcType',
-                'setCcOwner',
-                'setCcLast4',
-                'setCcNumber',
-                'setCcCid',
-                'setCcExpMonth',
-                'setCcExpYear',
-                'setCcSsIssue',
-                'setCcSsStartMonth',
-                'setCcSsStartYear',
-                'getOrder',
-                'getQuote',
-                'getCcType',
-            ]
-        );
+        $this->infoInstanceMock = $this->getMockBuilder(InfoInterface::class)
+            ->disableOriginalConstructor()
+            ->setMethods(
+                [
+                    'setCcType',
+                    'setCcOwner',
+                    'setCcLast4',
+                    'setCcNumber',
+                    'setCcCid',
+                    'setCcExpMonth',
+                    'setCcExpYear',
+                    'setCcSsIssue',
+                    'setCcSsStartMonth',
+                    'setCcSsStartYear',
+                    'getOrder',
+                    'getQuote',
+                    'getCcType',
+                ]
+            )->getMockForAbstractClass();
         $this->productMetaDataMock->expects($this->any())
             ->method('getEdition')
             ->willReturn('Community Edition');
@@ -222,7 +220,6 @@ protected function setUp()
     public function testAssignData()
     {
         $ccType = 'VI';
-        $ccOwner = 'John Doe';
         $ccExpMonth = '10';
         $ccExpYear = '2020';
 
@@ -232,15 +229,16 @@ public function testAssignData()
         $storeInVault = true;
         $deviceData = 'mobile';
         $data = [
-            'cc_type' => $ccType,
-            'cc_owner' => $ccOwner,
-            'cc_exp_month' => $ccExpMonth,
-            'cc_exp_year' => $ccExpYear,
-            'cc_last4' => $ccLast4,
-            'cc_token' => $ccToken,
-            'payment_method_nonce' => $paymentMethodNonce,
-            'store_in_vault' => $storeInVault,
-            'device_data' => $deviceData,
+            'additional_data' => [
+                'cc_type' => $ccType,
+                'cc_exp_month' => $ccExpMonth,
+                'cc_exp_year' => $ccExpYear,
+                'cc_last4' => $ccLast4,
+                'cc_token' => $ccToken,
+                'payment_method_nonce' => $paymentMethodNonce,
+                'store_in_vault' => $storeInVault,
+                'device_data' => $deviceData
+            ]
         ];
         $data = new \Magento\Framework\Object($data);
         $this->model->setInfoInstance($this->infoInstanceMock);
@@ -253,21 +251,9 @@ public function testAssignData()
             ->method('setCcType')
             ->with($ccType)
             ->willReturnSelf();
-        $this->infoInstanceMock->expects($this->once())
-            ->method('setCcOwner')
-            ->with($ccOwner)
-            ->willReturnSelf();
         $this->infoInstanceMock->expects($this->once())
             ->method('setCcLast4')
-            ->with(false)
-            ->willReturnSelf();
-        $this->infoInstanceMock->expects($this->once())
-            ->method('setCcNumber')
-            ->with(null)
-            ->willReturnSelf();
-        $this->infoInstanceMock->expects($this->once())
-            ->method('setCcCid')
-            ->with(null)
+            ->with($ccLast4)
             ->willReturnSelf();
         $this->infoInstanceMock->expects($this->once())
             ->method('setCcExpMonth')
@@ -277,34 +263,19 @@ public function testAssignData()
             ->method('setCcExpYear')
             ->with($ccExpYear)
             ->willReturnSelf();
-        $this->infoInstanceMock->expects($this->once())
-            ->method('setCcSsIssue')
-            ->with(null)
-            ->willReturnSelf();
-        $this->infoInstanceMock->expects($this->once())
-            ->method('setCcSsStartMonth')
-            ->with(null)
-            ->willReturnSelf();
-        $this->infoInstanceMock->expects($this->once())
-            ->method('setCcSsStartYear')
-            ->with(null)
-            ->willReturnSelf();
 
-        $this->infoInstanceMock->expects($this->at(10))
+        $this->infoInstanceMock->expects($this->atLeastOnce())
             ->method('setAdditionalInformation')
-            ->with('device_data', $deviceData);
-        $this->infoInstanceMock->expects($this->at(11))
-            ->method('setAdditionalInformation')
-            ->with('cc_last4', $ccLast4);
-        $this->infoInstanceMock->expects($this->at(12))
-            ->method('setAdditionalInformation')
-            ->with('cc_token', $ccToken);
-        $this->infoInstanceMock->expects($this->at(13))
-            ->method('setAdditionalInformation')
-            ->with('payment_method_nonce', $paymentMethodNonce);
-        $this->infoInstanceMock->expects($this->at(14))
-            ->method('setAdditionalInformation')
-            ->with('store_in_vault', $storeInVault);
+            ->willReturnMap(
+                [
+                    ['device_data', $deviceData],
+                    ['cc_last4', $ccLast4],
+                    ['cc_token', $ccToken],
+                    ['payment_method_nonce', $paymentMethodNonce],
+                    ['store_in_vault', $storeInVault]
+                ]
+            );
+
         $this->model->assignData($data);
     }
 

app/code/Magento/CatalogSearch/Model/Search/TableMapper.php

@@ -18,6 +18,10 @@
 use Magento\Framework\DB\Select;
 use Magento\Framework\Search\RequestInterface;
 
+/**
+ * Class TableMapper
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
+ */
 class TableMapper
 {
     /**

app/code/Magento/Integration/Model/Oauth/Consumer.php

@@ -43,6 +43,11 @@ class Consumer extends \Magento\Framework\Model\AbstractModel implements Consume
      */
     protected $dataHelper;
 
+    /**
+     * @var \Magento\Framework\Stdlib\DateTime\DateTime
+     */
+    private $_dateHelper;
+
     /**
      * @param \Magento\Framework\Model\Context $context
      * @param \Magento\Framework\Registry $registry
@@ -80,14 +85,29 @@ protected function _construct()
         $this->_init('Magento\Integration\Model\Resource\Oauth\Consumer');
     }
 
+    /**
+     * The getter function to get the new DateTime dependency
+     *
+     * @return \Magento\Framework\Stdlib\DateTime\DateTime
+     *
+     * @deprecated
+     */
+    private function getDateHelper()
+    {
+        if ($this->_dateHelper === null) {
+            $this->_dateHelper = \Magento\Framework\App\ObjectManager::getInstance()
+                ->get(\Magento\Framework\Stdlib\DateTime\DateTime::class);
+        }
+        return $this->_dateHelper;
+    }
+
     /**
      * BeforeSave actions
      *
      * @return $this
      */
     public function beforeSave()
     {
-        $this->setUpdatedAt(time());
         $this->validate();
         parent::beforeSave();
         return $this;
@@ -177,6 +197,8 @@ public function getCreatedAt()
     public function isValidForTokenExchange()
     {
         $expiry = $this->dataHelper->getConsumerExpirationPeriod();
-        return $expiry > $this->getResource()->getTimeInSecondsSinceCreation($this->getId());
+        $currentTimestamp = $this->getDateHelper()->gmtTimestamp();
+        $updatedTimestamp = $this->getDateHelper()->gmtTimestamp($this->getUpdatedAt());
+        return $expiry > ($currentTimestamp - $updatedTimestamp);
     }
 }