Merge pull request #128 from Invertus/SL-195/security-fixes

SL-195/Validator security fixes
Invertus · Nov 23, 2023 · 0b9dd14 · 0b9dd14
2 parents f7dfd0e + 8ddbccd
commit 0b9dd14
Show file tree

Hide file tree

Showing 296 changed files with 2,453 additions and 844 deletions.
diff --git a/.htaccess b/.htaccess
@@ -0,0 +1,15 @@
+# Apache 2.2
+<IfModule !mod_authz_core.c>
+    Order deny,allow
+    Deny from all
+    <Files ~ "(?i)^.*\.(jpg|jpeg|gif|png|bmp|tiff|svg|pdf|mov|mpeg|mp4|avi|mpg|wma|flv|webm|ico|webp|woff|woff2|ttf|eot|otf|css|js)$">
+        Allow from all
+    </Files>
+</IfModule>
+# Apache 2.4
+<IfModule mod_authz_core.c>
+    Require all denied
+    <Files ~ "(?i)^.*\.(jpg|jpeg|gif|png|bmp|tiff|svg|pdf|mov|mpeg|mp4|avi|mpg|wma|flv|webm|ico|webp|woff|woff2|ttf|eot|otf|css|js)$">
+        Require all granted
+    </Files>
+</IfModule>
diff --git a/changelog.md b/changelog.md
@@ -140,3 +140,7 @@
 
 ## [1.1.6] - *
 - BO : Added additional check for confirmation email regarding payment status and customer behavior
+
+## [1.1.7] - *
+- BO : Added PrestaShop module security validations
+- FO : Added PrestaShop module security validations
diff --git a/composer.json b/composer.json
@@ -35,12 +35,13 @@
         "friendsofphp/php-cs-fixer": "*",
         "phpunit/phpunit": "*",
         "behat/behat": "*",
-        "symfony/translation": "*"
+        "symfony/translation": "*",
+        "prestashop/php-dev-tools": "^3.16"
     },
     "scripts": {
         "test-integration": "./vendor/bin/phpunit --configuration ./tests/Integration/phpunit.xml",
         "test-unit": "./vendor/bin/phpunit --configuration tests/Unit/phpunit.xml"
     },
     "author": "PrestaShop",
     "license": "AFL-3.0"
-}
+}
diff --git a/controllers/admin/AdminSaferPayOfficialFieldsController.php b/controllers/admin/AdminSaferPayOfficialFieldsController.php
@@ -23,6 +23,10 @@
 
 use Invertus\SaferPay\Config\SaferPayConfig;
 
+if (!defined('_PS_VERSION_')) {
+    exit;
+}
+
 class AdminSaferPayOfficialFieldsController extends ModuleAdminController
 {
     public function __construct()

diff --git a/controllers/admin/AdminSaferPayOfficialLogsController.php b/controllers/admin/AdminSaferPayOfficialLogsController.php
@@ -21,6 +21,10 @@
  *@license   SIX Payment Services
  */
 
+if (!defined('_PS_VERSION_')) {
+    exit;
+}
+
 class AdminSaferPayOfficialLogsController extends ModuleAdminController
 {
     public function __construct()

diff --git a/controllers/admin/AdminSaferPayOfficialModuleController.php b/controllers/admin/AdminSaferPayOfficialModuleController.php
@@ -21,6 +21,10 @@
  *@license   SIX Payment Services
  */
 
+if (!defined('_PS_VERSION_')) {
+    exit;
+}
+
 class AdminSaferPayOfficialModuleController extends ModuleAdminController
 {
     public function init()

diff --git a/controllers/admin/AdminSaferPayOfficialOrderController.php b/controllers/admin/AdminSaferPayOfficialOrderController.php
@@ -21,6 +21,10 @@
  *@license   SIX Payment Services
  */
 
+if (!defined('_PS_VERSION_')) {
+    exit;
+}
+
 class AdminSaferPayOfficialOrderController extends ModuleAdminController
 {
     public function __construct()

diff --git a/controllers/admin/AdminSaferPayOfficialPaymentController.php b/controllers/admin/AdminSaferPayOfficialPaymentController.php
@@ -21,6 +21,10 @@
  *@license   SIX Payment Services
  */
 
+if (!defined('_PS_VERSION_')) {
+    exit;
+}
+
 use Invertus\SaferPay\Config\SaferPayConfig;
 use Invertus\SaferPay\Exception\Restriction\RestrictionException;
 use Invertus\SaferPay\Repository\SaferPayFieldRepository;
@@ -268,7 +272,7 @@ protected function initForm()
         foreach ($paymentMethods as $paymentMethod) {
             $fields[] = [
                 'type' => 'free',
-                'label' => $saferPayPaymentNotation->getForDisplay($paymentMethod) ,
+                'label' => $saferPayPaymentNotation->getForDisplay($paymentMethod),
                 'name' => $paymentMethod,
                 'form_group_class' => 'saferpay-group',
             ];

diff --git a/controllers/admin/AdminSaferPayOfficialSettingsController.php b/controllers/admin/AdminSaferPayOfficialSettingsController.php
@@ -24,6 +24,10 @@
 use Invertus\SaferPay\Config\SaferPayConfig;
 use Invertus\SaferPay\Repository\SaferPaySavedCreditCardRepository;
 
+if (!defined('_PS_VERSION_')) {
+    exit;
+}
+
 class AdminSaferPayOfficialSettingsController extends ModuleAdminController
 {
     public function __construct()

diff --git a/controllers/admin/index.php b/controllers/admin/index.php
@@ -16,35 +16,16 @@
  *versions in the future. If you wish to customize PrestaShop for your
  *needs please refer to http://www.prestashop.com for more information.
  *
-{**
- *NOTICE OF LICENSE
- *
- *This source file is subject to the Open Software License (OSL 3.0)
- *that is bundled with this package in the file LICENSE.txt.
- *It is also available through the world-wide-web at this URL:
- *http://opensource.org/licenses/osl-3.0.php
- *If you did not receive a copy of the license and are unable to
- *obtain it through the world-wide-web, please send an email
- *to [email protected] so we can send you a copy immediately.
- *
- *DISCLAIMER
- *
- * Do not edit or add to this file if you wish to upgrade PrestaShop to newer
- *versions in the future. If you wish to customize PrestaShop for your
- *needs please refer to http://www.prestashop.com for more information.
- *
  *@author INVERTUS UAB www.invertus.eu  <[email protected]>
  *@copyright SIX Payment Services
  *@license   SIX Payment Services
- *}
  */
+header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
+header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
 
-header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
-header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
-
-header("Cache-Control: no-store, no-cache, must-revalidate");
-header("Cache-Control: post-check=0, pre-check=0", false);
-header("Pragma: no-cache");
+header('Cache-Control: no-store, no-cache, must-revalidate');
+header('Cache-Control: post-check=0, pre-check=0', false);
+header('Pragma: no-cache');
 
-header("Location: ../");
+header('Location: ../');
 exit;
diff --git a/controllers/front/ajax.php b/controllers/front/ajax.php
@@ -26,6 +26,10 @@
 use Invertus\SaferPay\Repository\SaferPayCardAliasRepository;
 use Invertus\SaferPay\Service\SaferPayInitialize;
 
+if (!defined('_PS_VERSION_')) {
+    exit;
+}
+
 class SaferPayOfficialAjaxModuleFrontController extends ModuleFrontController
 {
     public function postProcess()

diff --git a/controllers/front/creditCards.php b/controllers/front/creditCards.php
@@ -25,6 +25,10 @@
 use Invertus\SaferPay\Controller\AbstractSaferPayController;
 use Invertus\SaferPay\Repository\SaferPayCardAliasRepository;
 
+if (!defined('_PS_VERSION_')) {
+    exit;
+}
+
 class SaferPayOfficialCreditCardsModuleFrontController extends AbstractSaferPayController
 {
     const FILENAME = 'creditCards';

diff --git a/controllers/front/creditCards16.php b/controllers/front/creditCards16.php
@@ -25,6 +25,10 @@
 use Invertus\SaferPay\Controller\AbstractSaferPayController;
 use Invertus\SaferPay\Repository\SaferPayCardAliasRepository;
 
+if (!defined('_PS_VERSION_')) {
+    exit;
+}
+
 class SaferPayOfficialCreditCards16ModuleFrontController extends AbstractSaferPayController
 {
     const FILENAME = 'creditCards16';

diff --git a/controllers/front/fail.php b/controllers/front/fail.php
@@ -26,6 +26,10 @@
 use Invertus\SaferPay\Service\CartDuplicationService;
 use PrestaShop\PrestaShop\Adapter\Order\OrderPresenter;
 
+if (!defined('_PS_VERSION_')) {
+    exit;
+}
+
 class SaferPayOfficialFailModuleFrontController extends AbstractSaferPayController
 {
     const FILENAME = 'fail';

diff --git a/controllers/front/failIFrame.php b/controllers/front/failIFrame.php
@@ -24,6 +24,10 @@
 use Invertus\SaferPay\Config\SaferPayConfig;
 use Invertus\SaferPay\Controller\AbstractSaferPayController;
 
+if (!defined('_PS_VERSION_')) {
+    exit;
+}
+
 class SaferPayOfficialFailIFrameModuleFrontController extends AbstractSaferPayController
 {
     const FILENAME = 'failIFrame';

diff --git a/controllers/front/failValidation.php b/controllers/front/failValidation.php
@@ -25,6 +25,10 @@
 use Invertus\SaferPay\Repository\SaferPayOrderRepository;
 use Invertus\SaferPay\Service\CartDuplicationService;
 
+if (!defined('_PS_VERSION_')) {
+    exit;
+}
+
 class SaferPayOfficialFailValidationModuleFrontController extends AbstractSaferPayController
 {
     const FILENAME = 'failValidation';

diff --git a/controllers/front/hostedIframe.php b/controllers/front/hostedIframe.php
@@ -16,14 +16,18 @@
  *versions in the future. If you wish to customize PrestaShop for your
  *needs please refer to http://www.prestashop.com for more information.
  *
- * @author INVERTUS UAB www.invertus.eu  <[email protected]>
- * @copyright SIX Payment Services
- * @license   SIX Payment Services
+ *@author INVERTUS UAB www.invertus.eu  <[email protected]>
+ *@copyright SIX Payment Services
+ *@license   SIX Payment Services
  */
 
 use Invertus\SaferPay\Config\SaferPayConfig;
 use PrestaShop\PrestaShop\Core\Checkout\TermsAndConditions;
 
+if (!defined('_PS_VERSION_')) {
+    exit;
+}
+
 class SaferPayOfficialHostedIframeModuleFrontController extends ModuleFrontController
 {
     const FILENAME = 'hostedIframe';
@@ -42,7 +46,7 @@ public function initContent()
             'credit_card_front_url' => "{$this->module->getPathUri()}views/img/example-card/credit-card-front.png",
             'credit_card_back_url' => "{$this->module->getPathUri()}views/img/example-card/credit-card-back.png",
             'tos_cms' => SaferPayConfig::isVersionAbove177() ? $this->getDefaultTermsAndConditions() : null,
-            'saferpay_selected_card' => $selectedCard
+            'saferpay_selected_card' => $selectedCard,
         ]);
 
         if (SaferPayConfig::isVersion17()) {

diff --git a/controllers/front/iframe.php b/controllers/front/iframe.php
@@ -28,6 +28,10 @@
 use Invertus\SaferPay\Repository\SaferPayCardAliasRepository;
 use Invertus\SaferPay\Service\SaferPayInitialize;
 
+if (!defined('_PS_VERSION_')) {
+    exit;
+}
+
 class SaferPayOfficialIFrameModuleFrontController extends AbstractSaferPayController
 {
     const FILENAME = 'iframe';

diff --git a/controllers/front/index.php b/controllers/front/index.php
@@ -20,13 +20,12 @@
  *@copyright SIX Payment Services
  *@license   SIX Payment Services
  */
+header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
+header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
 
-header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
-header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
+header('Cache-Control: no-store, no-cache, must-revalidate');
+header('Cache-Control: post-check=0, pre-check=0', false);
+header('Pragma: no-cache');
 
-header("Cache-Control: no-store, no-cache, must-revalidate");
-header("Cache-Control: post-check=0, pre-check=0", false);
-header("Pragma: no-cache");
-
-header("Location: ../");
+header('Location: ../');
 exit;
diff --git a/controllers/front/notify.php b/controllers/front/notify.php
@@ -28,6 +28,10 @@
 use Invertus\SaferPay\Service\SaferPayOrderStatusService;
 use Invertus\SaferPay\Service\TransactionFlow\SaferPayTransactionAssertion;
 
+if (!defined('_PS_VERSION_')) {
+    exit;
+}
+
 class SaferPayOfficialNotifyModuleFrontController extends AbstractSaferPayController
 {
     const FILENAME = 'notify';

diff --git a/controllers/front/pendingNotify.php b/controllers/front/pendingNotify.php
@@ -16,9 +16,9 @@
  *versions in the future. If you wish to customize PrestaShop for your
  *needs please refer to http://www.prestashop.com for more information.
  *
- * @author INVERTUS UAB www.invertus.eu  <[email protected]>
- * @copyright SIX Payment Services
- * @license   SIX Payment Services
+ *@author INVERTUS UAB www.invertus.eu  <[email protected]>
+ *@copyright SIX Payment Services
+ *@license   SIX Payment Services
  */
 
 use Invertus\SaferPay\Config\SaferPayConfig;
@@ -27,6 +27,10 @@
 use Invertus\SaferPay\Repository\SaferPayOrderRepository;
 use Invertus\SaferPay\Service\TransactionFlow\SaferPayTransactionRefundAssertion;
 
+if (!defined('_PS_VERSION_')) {
+    exit;
+}
+
 class SaferPayOfficialPendingNotifyModuleFrontController extends AbstractSaferPayController
 {
     const FILENAME = 'pendingNotify';
@@ -95,7 +99,7 @@ private function handleCapturedRefund($orderRefundId)
 
         $order = new Order($orderRefund->id_order);
 
-        if ((int)$orderAssert->refunded_amount === (int)$orderAssert->amount) {
+        if ((int) $orderAssert->refunded_amount === (int) $orderAssert->amount) {
             $saferPayOrder = new SaferPayOrder($orderRefund->id_saferpay_order);
             $saferPayOrder->refunded = 1;
             $saferPayOrder->save();

diff --git a/controllers/front/return.php b/controllers/front/return.php
@@ -26,6 +26,10 @@
 use Invertus\SaferPay\DTO\Response\Assert\AssertBody;
 use Invertus\SaferPay\Service\TransactionFlow\SaferPayTransactionAssertion;
 
+if (!defined('_PS_VERSION_')) {
+    exit;
+}
+
 class SaferPayOfficialReturnModuleFrontController extends AbstractSaferPayController
 {
     const FILENAME = 'return';
@@ -75,7 +79,6 @@ public function postProcess()
                 ],
                 true
             ));
-
         } catch (Exception $e) {
             PrestaShopLogger::addLog(
                 sprintf(

diff --git a/controllers/front/success.php b/controllers/front/success.php
@@ -23,6 +23,10 @@
 
 use Invertus\SaferPay\Controller\AbstractSaferPayController;
 
+if (!defined('_PS_VERSION_')) {
+    exit;
+}
+
 class SaferPayOfficialSuccessModuleFrontController extends AbstractSaferPayController
 {
     const FILENAME = 'success';

diff --git a/controllers/front/successHosted.php b/controllers/front/successHosted.php
@@ -28,6 +28,10 @@
 use Invertus\SaferPay\Service\SaferPayOrderStatusService;
 use Invertus\SaferPay\Service\TransactionFlow\SaferPayTransactionAuthorization;
 
+if (!defined('_PS_VERSION_')) {
+    exit;
+}
+
 class SaferPayOfficialSuccessHostedModuleFrontController extends AbstractSaferPayController
 {
     const FILENAME = 'successHosted';

diff --git a/controllers/front/successIFrame.php b/controllers/front/successIFrame.php
@@ -22,14 +22,17 @@
  */
 
 use Invertus\SaferPay\Api\Enum\TransactionStatus;
-use Invertus\SaferPay\Api\Request\AuthorizationService;
 use Invertus\SaferPay\Config\SaferPayConfig;
 use Invertus\SaferPay\Controller\AbstractSaferPayController;
 use Invertus\SaferPay\Enum\ControllerName;
 use Invertus\SaferPay\Exception\Api\SaferPayApiException;
 use Invertus\SaferPay\Service\SaferPayOrderStatusService;
 use Invertus\SaferPay\Service\TransactionFlow\SaferPayTransactionAuthorization;
 
+if (!defined('_PS_VERSION_')) {
+    exit;
+}
+
 class SaferPayOfficialSuccessIFrameModuleFrontController extends AbstractSaferPayController
 {
     const FILENAME = 'successIFrame';