Merge branch 'main' into slugger

OpenMage · Nov 27, 2024 · cd4fbf2 · cd4fbf2
2 parents b56d49d + 71e1479
commit cd4fbf2
Show file tree

Hide file tree

Showing 10 changed files with 103 additions and 34 deletions.
diff --git a/.phpstan.dist.baseline.neon b/.phpstan.dist.baseline.neon
@@ -990,11 +990,6 @@ parameters:
 			count: 1
 			path: app/code/core/Mage/Api/Model/Server/Wsi/Adapter/Soap.php
 
-		-
-			message: "#^Parameter \\#1 \\$request \\(stdClass\\) of method Mage_Api_Model_Server_Wsi_Handler\\:\\:endSession\\(\\) should be compatible with parameter \\$sessionId \\(string\\) of method Mage_Api_Model_Server_Handler_Abstract\\:\\:endSession\\(\\)$#"
-			count: 1
-			path: app/code/core/Mage/Api/Model/Server/Wsi/Handler.php
-
 		-
 			message: "#^Parameter \\#1 \\$string of function strlen expects string, array given\\.$#"
 			count: 1
@@ -1010,11 +1005,6 @@ parameters:
 			count: 1
 			path: app/code/core/Mage/Api/Model/Server/Wsi/Handler.php
 
-		-
-			message: "#^Return type \\(stdClass\\) of method Mage_Api_Model_Server_Wsi_Handler\\:\\:login\\(\\) should be compatible with return type \\(string\\) of method Mage_Api_Model_Server_Handler_Abstract\\:\\:login\\(\\)$#"
-			count: 1
-			path: app/code/core/Mage/Api/Model/Server/Wsi/Handler.php
-
 		-
 			message: "#^Return type \\(bool\\) of method Mage_Api_Model_Session\\:\\:clear\\(\\) should be compatible with return type \\(\\$this\\(Mage_Core_Model_Session_Abstract_Varien\\)\\) of method Mage_Core_Model_Session_Abstract_Varien\\:\\:clear\\(\\)$#"
 			count: 1

diff --git a/app/code/core/Mage/Admin/Model/Session.php b/app/code/core/Mage/Admin/Model/Session.php
@@ -148,6 +148,9 @@ public function login($username, $password, $request = null)
             return null;
         }
 
+        $username = new Mage_Core_Model_Security_Obfuscated($username);
+        $password = new Mage_Core_Model_Security_Obfuscated($password);
+
         try {
             /** @var Mage_Admin_Model_User $user */
             $user = $this->_factory->getModel('admin/user');

diff --git a/app/code/core/Mage/Admin/Model/User.php b/app/code/core/Mage/Admin/Model/User.php
@@ -374,6 +374,9 @@ public function getAclRole()
      */
     public function authenticate($username, $password)
     {
+        $username = new Mage_Core_Model_Security_Obfuscated($username);
+        $password = new Mage_Core_Model_Security_Obfuscated($password);
+
         $config = Mage::getStoreConfigFlag('admin/security/use_case_sensitive_login');
         $result = false;
 
@@ -427,6 +430,9 @@ public function validatePasswordHash(string $string1, string $string2): bool
      */
     public function login($username, $password)
     {
+        $username = new Mage_Core_Model_Security_Obfuscated($username);
+        $password = new Mage_Core_Model_Security_Obfuscated($password);
+
         if ($this->authenticate($username, $password)) {
             $this->getResource()->recordLogin($this);
             Mage::getSingleton('core/session')->renewFormKey();

diff --git a/app/code/core/Mage/Api/Model/Server/Handler/Abstract.php b/app/code/core/Mage/Api/Model/Server/Handler/Abstract.php
@@ -91,7 +91,7 @@ protected function _startSession($sessionId = null)
     /**
      * Allow insta-login via HTTP Basic Auth
      *
-     * @param string $sessionId
+     * @param stdClass|string|null $sessionId
      * @return $this
      * @SuppressWarnings(PHPMD.Superglobals)
      */
@@ -204,20 +204,25 @@ protected function _prepareResourceModelName($resource)
      * Login user and Retrieve session id
      *
      * @param string $username
-     * @param string $apiKey
-     * @return string
+     * @param string|null $apiKey
+     * @return stdClass|string|void
      */
     public function login($username, $apiKey = null)
     {
         if (empty($username) || empty($apiKey)) {
-            return $this->_fault('invalid_request_param');
+            $this->_fault('invalid_request_param');
+            return;
         }
 
+        $username = new Mage_Core_Model_Security_Obfuscated($username);
+        $apiKey   = new Mage_Core_Model_Security_Obfuscated($apiKey);
+
         try {
             $this->_startSession();
             $this->_getSession()->login($username, $apiKey);
         } catch (Exception $e) {
-            return $this->_fault('access_denied');
+            $this->_fault('access_denied');
+            return;
         }
         return $this->_getSession()->getSessionId();
     }
@@ -228,21 +233,23 @@ public function login($username, $apiKey = null)
      * @param string $sessionId
      * @param string $apiPath
      * @param array  $args
-     * @return mixed
+     * @return mixed|void
      */
     public function call($sessionId, $apiPath, $args = [])
     {
         $this->_instaLogin($sessionId)
             ->_startSession($sessionId);
 
         if (!$this->_getSession()->isLoggedIn($sessionId)) {
-            return $this->_fault('session_expired');
+            $this->_fault('session_expired');
+            return;
         }
 
         list($resourceName, $methodName) = explode('.', $apiPath);
 
         if (empty($resourceName) || empty($methodName)) {
-            return $this->_fault('resource_path_invalid');
+            $this->_fault('resource_path_invalid');
+            return;
         }
 
         $resourcesAlias = $this->_getConfig()->getResourcesAlias();
@@ -254,21 +261,24 @@ public function call($sessionId, $apiPath, $args = [])
         if (!isset($resources->$resourceName)
             || !isset($resources->$resourceName->methods->$methodName)
         ) {
-            return $this->_fault('resource_path_invalid');
+            $this->_fault('resource_path_invalid');
+            return;
         }
 
         if (!isset($resources->$resourceName->public)
             && isset($resources->$resourceName->acl)
             && !$this->_isAllowed((string)$resources->$resourceName->acl)
         ) {
-            return $this->_fault('access_denied');
+            $this->_fault('access_denied');
+            return;
         }
 
         if (!isset($resources->$resourceName->methods->$methodName->public)
             && isset($resources->$resourceName->methods->$methodName->acl)
             && !$this->_isAllowed((string)$resources->$resourceName->methods->$methodName->acl)
         ) {
-            return $this->_fault('access_denied');
+            $this->_fault('access_denied');
+            return;
         }
 
         $methodInfo = $resources->$resourceName->methods->$methodName;
@@ -302,10 +312,12 @@ public function call($sessionId, $apiPath, $args = [])
                 throw new Mage_Api_Exception('resource_path_not_callable');
             }
         } catch (Mage_Api_Exception $e) {
-            return $this->_fault($e->getMessage(), $resourceName, $e->getCustomMessage());
+            $this->_fault($e->getMessage(), $resourceName, $e->getCustomMessage());
+            return;
         } catch (Exception $e) {
             Mage::logException($e);
-            return $this->_fault('internal', null, $e->getMessage());
+            $this->_fault('internal', null, $e->getMessage());
+            return;
         }
     }
 
@@ -322,7 +334,8 @@ public function multiCall($sessionId, array $calls = [], $options = [])
             ->_startSession($sessionId);
 
         if (!$this->_getSession()->isLoggedIn($sessionId)) {
-            return $this->_fault('session_expired');
+            $this->_fault('session_expired');
+            return;
         }
 
         $result = [];
@@ -454,7 +467,8 @@ public function resources($sessionId)
             ->_startSession($sessionId);
 
         if (!$this->_getSession()->isLoggedIn($sessionId)) {
-            return $this->_fault('session_expired');
+            $this->_fault('session_expired');
+            return;
         }
 
         $resources = [];
@@ -519,7 +533,8 @@ public function resourceFaults($sessionId, $resourceName)
             ->_startSession($sessionId);
 
         if (!$this->_getSession()->isLoggedIn($sessionId)) {
-            return $this->_fault('session_expired');
+            $this->_fault('session_expired');
+            return;
         }
 
         $resourcesAlias = $this->_getConfig()->getResourcesAlias();
@@ -532,13 +547,15 @@ public function resourceFaults($sessionId, $resourceName)
         if (empty($resourceName)
             || !isset($resources->$resourceName)
         ) {
-            return $this->_fault('resource_path_invalid');
+            $this->_fault('resource_path_invalid');
+            return;
         }
 
         if (isset($resources->$resourceName->acl)
             && !$this->_isAllowed((string)$resources->$resourceName->acl)
         ) {
-            return $this->_fault('access_denied');
+            $this->_fault('access_denied');
+            return;
         }
 
         return array_values($this->_getConfig()->getFaults($resourceName));

diff --git a/app/code/core/Mage/Api/Model/Server/Wsi/Handler.php b/app/code/core/Mage/Api/Model/Server/Wsi/Handler.php
@@ -77,7 +77,7 @@ public function __call($function, $args)
      * Login user and Retrieve session id
      *
      * @param string $username
-     * @param string $apiKey
+     * @param string|null $apiKey
      * @return stdClass
      */
     public function login($username, $apiKey = null)
@@ -87,6 +87,9 @@ public function login($username, $apiKey = null)
             $username = $username->username;
         }
 
+        $username = new Mage_Core_Model_Security_Obfuscated($username);
+        $apiKey   = is_null($apiKey) ? null : new Mage_Core_Model_Security_Obfuscated($apiKey);
+
         $stdObject = new stdClass();
         $stdObject->result = parent::login($username, $apiKey);
         return $stdObject;
@@ -96,14 +99,15 @@ public function login($username, $apiKey = null)
      * Return called class and method names
      *
      * @param String $apiPath
-     * @return array
+     * @return array|void
      */
     protected function _getResourceName($apiPath)
     {
         list($resourceName, $methodName) = explode('.', $apiPath);
 
         if (empty($resourceName) || empty($methodName)) {
-            return $this->_fault('resource_path_invalid');
+            $this->_fault('resource_path_invalid');
+            return;
         }
 
         $resourcesAlias = $this->_getConfig()->getResourcesAlias();
@@ -165,13 +169,13 @@ public function prepareArgs($params, $args)
     /**
      * End web service session
      *
-     * @param stdClass $request
+     * @param stdClass|string $sessionId
      * @return stdClass
      */
-    public function endSession($request)
+    public function endSession($sessionId)
     {
         $stdObject = new stdClass();
-        $stdObject->result = parent::endSession($request->sessionId);
+        $stdObject->result = parent::endSession($sessionId->sessionId);
         return $stdObject;
     }
 }
diff --git a/app/code/core/Mage/Api/Model/Session.php b/app/code/core/Mage/Api/Model/Session.php
@@ -124,6 +124,9 @@ public function getIsInstaLogin(): bool
      */
     public function login($username, $apiKey)
     {
+        $username = new Mage_Core_Model_Security_Obfuscated($username);
+        $apiKey = new Mage_Core_Model_Security_Obfuscated($apiKey);
+
         $user = Mage::getModel('api/user')
             ->setSessid($this->getSessionId());
         if ($this->getIsInstaLogin() && $user->authenticate($username, $apiKey)) {

diff --git a/app/code/core/Mage/Api/Model/User.php b/app/code/core/Mage/Api/Model/User.php
@@ -263,6 +263,9 @@ public function authenticate($username, $apiKey)
      */
     public function login($username, $apiKey)
     {
+        $username = new Mage_Core_Model_Security_Obfuscated($username);
+        $apiKey = new Mage_Core_Model_Security_Obfuscated($apiKey);
+
         $sessId = $this->getSessid();
         if ($this->authenticate($username, $apiKey)) {
             $this->setSessid($sessId);

diff --git a/app/code/core/Mage/Core/Model/Security/Obfuscated.php b/app/code/core/Mage/Core/Model/Security/Obfuscated.php
@@ -0,0 +1,37 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * OpenMage
+ *
+ * This source file is subject to the Open Software License (OSL 3.0)
+ * that is bundled with this package in the file LICENSE.txt.
+ * It is also available at https://opensource.org/license/osl-3-0-php
+ *
+ * @category   Mage
+ * @package    Mage_Core
+ * @copyright  Copyright (c) 2024 The OpenMage Contributors (https://www.openmage.org)
+ * @license    https://opensource.org/licenses/osl-3.0.php  Open Software License (OSL 3.0)
+ */
+
+/**
+ * Wrapper to escape value und keep the original value
+ *
+ * @category   Mage
+ * @package    Mage_Core
+ */
+class Mage_Core_Model_Security_Obfuscated implements Stringable
+{
+    protected string $value;
+
+    public function __construct(?string $value)
+    {
+        $this->value = $value;
+    }
+
+    public function __toString(): string
+    {
+        return $this->value;
+    }
+}
diff --git a/app/code/core/Mage/Customer/Model/Session.php b/app/code/core/Mage/Customer/Model/Session.php
@@ -227,6 +227,9 @@ public function checkCustomerId($customerId)
      */
     public function login($username, $password)
     {
+        $username = new Mage_Core_Model_Security_Obfuscated($username);
+        $password = new Mage_Core_Model_Security_Obfuscated($password);
+
         /** @var Mage_Customer_Model_Customer $customer */
         $customer = Mage::getModel('customer/customer')
             ->setWebsiteId(Mage::app()->getStore()->getWebsiteId());

diff --git a/lib/Mage/System/Ftp.php b/lib/Mage/System/Ftp.php
@@ -98,6 +98,9 @@ public function mkdirRecursive($path, $mode = 0777)
      */
     public function login($login = 'anonymous', $password = '[email protected]')
     {
+        $login = new Mage_Core_Model_Security_Obfuscated($login);
+        $password = new Mage_Core_Model_Security_Obfuscated($password);
+
         $this->checkConnected();
         $res = @ftp_login($this->_conn, $login, $password);
         if (!$res) {