Saved card Security issue

controllers/front/ajax.php

@@ -25,9 +25,13 @@
 use Invertus\SaferPay\Controller\Front\CheckoutController;
 use Invertus\SaferPay\Core\Payment\DTO\CheckoutData;
 use Invertus\SaferPay\Enum\ControllerName;
+use Invertus\SaferPay\Exception\Restriction\UnauthenticatedCardUserException;
+use Invertus\SaferPay\Exception\SaferPayException;
 use Invertus\SaferPay\Logger\LoggerInterface;
+use Invertus\SaferPay\Repository\SaferPayCardAliasRepository;
 use Invertus\SaferPay\Repository\SaferPayOrderRepository;
 use Invertus\SaferPay\Utility\ExceptionUtility;
+use Invertus\SaferPay\Validation\CustomerCreditCardValidation;
 
 if (!defined('_PS_VERSION_')) {
     exit;
@@ -145,6 +149,37 @@ private function submitHostedFields()
         /** @var LoggerInterface $logger */
         $logger = $this->module->getService(LoggerInterface::class);
 
+        /** @var CustomerCreditCardValidation $cardValidation */
+        $cardValidation = $this->module->getService(CustomerCreditCardValidation::class);
+
+        try {
+            $cardValidation->validate(Tools::getValue('selectedCard'), $this->context->customer->id);
+        } catch (UnauthenticatedCardUserException $e) {
+            $logger->error($e->getMessage(), [
+                'context' => [],
+                'id_customer' => $this->context->customer->id,
+                'id_card' => Tools::getValue('selectedCard'),
+                'exceptions' => ExceptionUtility::getExceptions($e),
+            ]);
+
+            $this->ajaxDie(json_encode([
+                'error' => true,
+                'message' => $e->getMessage(),
+                'url' => $this->getRedirectionToControllerUrl('fail'),
+            ]));
+        } catch (SaferPayException $e) {
+            $logger->error($e->getMessage(), [
+                'context' => [],
+                'exceptions' => ExceptionUtility::getExceptions($e),
+            ]);
+
+            $this->ajaxDie(json_encode([
+                'error' => true,
+                'message' => $e->getMessage(),
+                'url' => $this->getRedirectionToControllerUrl('fail'),
+            ]));
+        }
+
         try {
             if (Order::getOrderByCartId($this->context->cart->id)) {
                 $this->ajaxDie(json_encode([

src/Exception/ExceptionCode.php

@@ -33,6 +33,7 @@ class ExceptionCode
     // Payment related codes starts from 5***
     const PAYMENT_FAILED_TO_FIND_CART = 5001;
     const PAYMENT_FAILED_TO_CREATE_ORDER = 5002;
+    const CANNOT_USE_CARD = 5003;
 
     // Order related codes starts from 7***
     const ORDER_FAILED_TO_FIND_ORDER = 7001;

src/Exception/Restriction/UnauthenticatedCardUserException.php

@@ -0,0 +1,35 @@
+<?php
+/**
+ *NOTICE OF LICENSE
+ *
+ *This source file is subject to the Open Software License (OSL 3.0)
+ *that is bundled with this package in the file LICENSE.txt.
+ *It is also available through the world-wide-web at this URL:
+ *http://opensource.org/licenses/osl-3.0.php
+ *If you did not receive a copy of the license and are unable to
+ *obtain it through the world-wide-web, please send an email
+ *to [email protected] so we can send you a copy immediately.
+ *
+ *DISCLAIMER
+ *
+ * Do not edit or add to this file if you wish to upgrade PrestaShop to newer
+ *versions in the future. If you wish to customize PrestaShop for your
+ *needs please refer to http://www.prestashop.com for more information.
+ *
+ *@author INVERTUS UAB www.invertus.eu  <[email protected]>
+ *@copyright SIX Payment Services
+ *@license   SIX Payment Services
+ */
+
+namespace Invertus\SaferPay\Exception\Restriction;
+
+use Invertus\SaferPay\Exception\SaferPayException;
+use RuntimeException;
+
+if (!defined('_PS_VERSION_')) {
+    exit;
+}
+
+class UnauthenticatedCardUserException extends SaferPayException
+{
+}

src/Exception/SaferPayException.php

@@ -52,4 +52,15 @@ public static function unknownError()
             ExceptionCode::UNKNOWN_ERROR
         );
     }
+
+    public static function unauthenticatedCard($idCardOwner)
+    {
+        return new static(
+            'Customer cannot use current saved card at this moment.',
+            ExceptionCode::CANNOT_USE_CARD,
+            [
+                'id_card_owner' => $idCardOwner,
+            ]
+        );
+    }
 }

src/Repository/SaferPayCardAliasRepository.php

@@ -74,4 +74,15 @@ public function getSavedCardsByCustomerId($customerId)
 
         return Db::getInstance()->executeS($query);
     }
+
+    public function getCustomerIdByReferenceId($cardAliasId, $idCustomer)
+    {
+        $query = new DbQuery();
+        $query->select('`id_customer`');
+        $query->from('saferpay_card_alias');
+        $query->where('id_saferpay_card_alias = "' . pSQL($cardAliasId) . '"');
+        $query->where('id_customer = "' . (int) $idCustomer . '"');
+
+        return Db::getInstance()->getValue($query);
+    }
 }

src/Validation/CustomerCreditCardValidation.php

@@ -0,0 +1,84 @@
+<?php
+/**
+ *NOTICE OF LICENSE
+ *
+ *This source file is subject to the Open Software License (OSL 3.0)
+ *that is bundled with this package in the file LICENSE.txt.
+ *It is also available through the world-wide-web at this URL:
+ *http://opensource.org/licenses/osl-3.0.php
+ *If you did not receive a copy of the license and are unable to
+ *obtain it through the world-wide-web, please send an email
+ *to [email protected] so we can send you a copy immediately.
+ *
+ *DISCLAIMER
+ *
+ * Do not edit or add to this file if you wish to upgrade PrestaShop to newer
+ *versions in the future. If you wish to customize PrestaShop for your
+ *needs please refer to http://www.prestashop.com for more information.
+ *
+ *@author INVERTUS UAB www.invertus.eu  <[email protected]>
+ *@copyright SIX Payment Services
+ *@license   SIX Payment Services
+ */
+
+namespace Invertus\SaferPay\Validation;
+
+use Exception;
+use Invertus\SaferPay\Exception\Restriction\UnauthenticatedCardUserException;
+use Invertus\SaferPay\Exception\SaferPayException;
+use Invertus\SaferPay\Logger\LoggerInterface;
+use Invertus\SaferPay\Repository\SaferPayCardAliasRepository;
+
+if (!defined('_PS_VERSION_')) {
+    exit;
+}
+
+class CustomerCreditCardValidation
+{
+    /**
+     * @var SaferPayCardAliasRepository
+     */
+    private $saferPayCardAliasRepository;
+    /**
+     * @var mixed
+     */
+    private $logger;
+
+    const FILE_NAME = 'CustomerCreditCardValidation';
+
+    public function __construct(SaferPayCardAliasRepository $saferPayCardAliasRepository, LoggerInterface $logger)
+    {
+        $this->saferPayCardAliasRepository = $saferPayCardAliasRepository;
+        $this->logger = $logger;
+    }
+
+    /**
+     * @return true
+     *
+     * @throws UnauthenticatedCardUserException
+     * @throws SaferPayException
+     */
+    public function validate($idSavedCard, $idCustomer)
+    {
+        if (
+            !is_numeric($idCustomer) || !is_numeric($idSavedCard)
+            || empty($idCustomer) || empty($idSavedCard))
+        {
+            $this->logger->error(sprintf('%s - Invalid data or bad types', self::FILE_NAME), [
+                'context' => [],
+                'id_saved_card' => $idSavedCard,
+                'id_customer' => $idCustomer
+            ]);
+
+            throw SaferPayException::unknownError();
+        }
+
+        $cardOwnerId = $this->saferPayCardAliasRepository->getCustomerIdByReferenceId(pSQL($idSavedCard), pSQL($idCustomer));
+
+        if (empty($cardOwnerId)) {
+            throw UnauthenticatedCardUserException::unauthenticatedCard($cardOwnerId);
+        }
+
+        return true;
+    }
+}