MC-36200: [Backport for 2.3.6] Protect payment related web APIs by CA…

…PTCHA
magento · Aug 7, 2020 · d31085a · d31085a
1 parent fda3267
commit d31085a
Show file tree

Hide file tree

Showing 35 changed files with 1,151 additions and 219 deletions.
diff --git a/app/code/Magento/Authorization/Model/CompositeUserContext.php b/app/code/Magento/Authorization/Model/CompositeUserContext.php
@@ -56,15 +56,15 @@ protected function add(UserContextInterface $userContext)
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritDoc
      */
     public function getUserId()
     {
         return $this->getUserContext() ? $this->getUserContext()->getUserId() : null;
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritDoc
      */
     public function getUserType()
     {
@@ -78,7 +78,7 @@ public function getUserType()
      */
     protected function getUserContext()
     {
-        if ($this->chosenUserContext === null) {
+        if (!$this->chosenUserContext) {
             /** @var UserContextInterface $userContext */
             foreach ($this->userContexts as $userContext) {
                 if ($userContext->getUserType() && $userContext->getUserId() !== null) {

diff --git a/app/code/Magento/Captcha/Model/DefaultModel.php b/app/code/Magento/Captcha/Model/DefaultModel.php
@@ -7,7 +7,9 @@
 
 namespace Magento\Captcha\Model;
 
+use Magento\Authorization\Model\UserContextInterface;
 use Magento\Captcha\Helper\Data;
+use Magento\Framework\App\ObjectManager;
 use Magento\Framework\Math\Random;
 
 /**
@@ -93,27 +95,35 @@ class DefaultModel extends \Zend\Captcha\Image implements \Magento\Captcha\Model
      */
     private $randomMath;
 
+    /**
+     * @var UserContextInterface
+     */
+    private $userContext;
+
     /**
      * @param \Magento\Framework\Session\SessionManagerInterface $session
      * @param \Magento\Captcha\Helper\Data $captchaData
      * @param ResourceModel\LogFactory $resLogFactory
      * @param string $formId
-     * @param Random $randomMath
+     * @param Random|null $randomMath
+     * @param UserContextInterface|null $userContext
      * @throws \Zend\Captcha\Exception\ExtensionNotLoadedException
      */
     public function __construct(
         \Magento\Framework\Session\SessionManagerInterface $session,
         \Magento\Captcha\Helper\Data $captchaData,
         \Magento\Captcha\Model\ResourceModel\LogFactory $resLogFactory,
         $formId,
-        Random $randomMath = null
+        Random $randomMath = null,
+        ?UserContextInterface $userContext = null
     ) {
         parent::__construct();
         $this->session = $session;
         $this->captchaData = $captchaData;
         $this->resLogFactory = $resLogFactory;
         $this->formId = $formId;
-        $this->randomMath = $randomMath ?? \Magento\Framework\App\ObjectManager::getInstance()->get(Random::class);
+        $this->randomMath = $randomMath ?? ObjectManager::getInstance()->get(Random::class);
+        $this->userContext = $userContext ?? ObjectManager::getInstance()->get(UserContextInterface::class);
     }
 
     /**
@@ -152,6 +162,7 @@ public function isRequired($login = null)
                 $this->formId,
                 $this->getTargetForms()
             )
+            || $this->userContext->getUserType() === UserContextInterface::USER_TYPE_INTEGRATION
         ) {
             return false;
         }
@@ -241,7 +252,7 @@ private function isOverLimitLoginAttempts($login)
      */
     private function isUserAuth()
     {
-        return $this->session->isLoggedIn();
+        return $this->session->isLoggedIn() || $this->userContext->getUserId();
     }
 
     /**
@@ -427,7 +438,7 @@ public function getWordLen()
             $to = self::DEFAULT_WORD_LENGTH_TO;
         }
 
-        return \Magento\Framework\Math\Random::getRandomNumber($from, $to);
+        return Random::getRandomNumber($from, $to);
     }
 
     /**
@@ -544,7 +555,7 @@ private function clearWord()
      */
     protected function randomSize()
     {
-        return \Magento\Framework\Math\Random::getRandomNumber(280, 300) / 100;
+        return Random::getRandomNumber(280, 300) / 100;
     }
 
     /**

diff --git a/app/code/Magento/Captcha/Observer/CaptchaStringResolver.php b/app/code/Magento/Captcha/Observer/CaptchaStringResolver.php
@@ -3,10 +3,14 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+
+declare(strict_types=1);
+
 namespace Magento\Captcha\Observer;
 
 use Magento\Framework\App\RequestInterface;
 use Magento\Framework\App\Request\Http as HttpRequest;
+use Magento\Captcha\Helper\Data as CaptchaHelper;
 
 /**
  * Extract given captcha word.
@@ -22,12 +26,13 @@ class CaptchaStringResolver
      */
     public function resolve(RequestInterface $request, $formId)
     {
-        $captchaParams = $request->getPost(\Magento\Captcha\Helper\Data::INPUT_NAME_FIELD_VALUE);
+        $value = '';
+        $captchaParams = $request->getPost(CaptchaHelper::INPUT_NAME_FIELD_VALUE);
         if (!empty($captchaParams) && !empty($captchaParams[$formId])) {
             $value = $captchaParams[$formId];
-        } else {
-            //For Web APIs
-            $value = $request->getHeader('X-Captcha');
+        } elseif ($headerValue = $request->getHeader('X-Captcha')) {
+            //CAPTCHA was provided via header for this XHR/web API request.
+            $value = $headerValue;
         }
 
         return $value;