Deprecate standalone endpoints to match PrestaShop 9.0 new security policy #983
Conversation
jolelievre
commented
Feb 13, 2024
jolelievre
commented
| Questions | Answers |
|---|---|
| Description? | Allow executing only the specific PHP files as external endpoints, required since PrestaShop 9.0 because additional security was added in this PR PrestaShop/PrestaShop#34184 The idea in this PR is to allow access to very specific files to prevent unwanted accesses on malicious files |
| Type? | bug fix |
| BC breaks? | no |
| Deprecations? | no |
| Fixed ticket? | ~ |
| How to test? | Install a shop based on develop branch, go to the module administration of faceted search and try to build indexes or clear the cache. An error message should appear and when you check the network in browser developer tools you should see that the ajax request was forbidden (403 error). Now use the branch from this PR and do the same, the ajax calls should now be successful. |
…quired since PrestaShop 9.0
jolelievre
force-pushed
the
attribute-deletion-update
branch
from
d591e95 to
1677f3b
Compare
|
My understanding is that we should create ModuleFrontControllers as a replacement for .PHP files, not to show how to omit the rules for developers in the ecosystem :D |
|
I'll also repeat what @matks already wrote:
maybe we should ping @jf-viguier @clotairer @touchweb-vincent |
|
@kpodemski With French efficiency, we will be in grave by then :D |
|
@jolelievre Inspiration here - https://github.com/PrestaShop/gsitemap/pull/175/files Just throw some deprecation messages and create three simple files like: |
|
Not sure comments opposing dev secops and opensource dev or a "national cliche" serve the cause... I'm all days on Slack if you want request me about something bet not at the same frequency on Github. Neverminds. |
|
@kpodemski @Hlavtox hmm, you're right introducing dedicated controllers would be cleaner, I'm gonna do that to show the example |
Hello here, Thank you @clotairer for reaching out to me, both in this GitHub thread and in private messages on Slack. As I explained to Clotaire, yesterday I wrote the message above because I felt kindof like I had been let down. During discussion PrestaShop/PrestaShop#34184 there was a lot of people arguing and a lot of time was spent discussing the change. Initially I was not thrilled with the idea of the change. However I took a step forward and I approved the PR, knowing that it would request some time and energy to reverberate that change into all of the project. Yesterday when I found out the only people who worked on reverberating this change were me and Hlavtox, I felt let down. This is why I wrote I was disappointed. I felt like I was compelled to carry out the changes even though initially I was not pushing for them. So yesterday I expressed my feelings. Today I regret writing this message. There's a saying "never write an email when you're irritated" I should have listened to this piece of wisdom. @clotairer has already reached out to me and offered help so things will probably turn out a lot better than I thought. Thank you again for that. My apologies for the above message, it was snarky and I regret that. Venting off on the internet is never a good thing, the right thing to do is to wait 24 hours and write a better and more constructive message later. I should have done that. |
|
@jolelievre Why not create Command ? |
jolelievre
force-pushed
the
attribute-deletion-update
branch
from
8551df8 to
98164b6
Compare
|
@clotairer creating command to be run in CLI would be nice, but it's not the same behaviour as the current one which is based on URLs that can be called (I guess it's mainly for merchants who do not have access to cron editing on their server and use external third party services that call the URL as a webhook), so in this PR I only focused on making a similar behaviour @kpodemski @Hlavtox I created a module front controller to replace these endpoints, I tried to create an Admin one for this but couldn't make it work on develop branch since we now have an automatic CQRF token checking on each request and it requires having a logged session to be validated So external calls are not compatible with CSRF protection which makes sense, so the only solution I found was to put this endpoint on the FO side, it sill integrates its custom token validation system which is the same as the standalone endpoint The standalone endpoints have been deprecated and should be cleaned in the next major version of this module along with the |
jolelievre
changed the title
controllers/front/cron.php
Outdated
|
|
||
| public function postProcess() | ||
| { | ||
| if (substr(Tools::hash('ps_facetedsearch/index'), 0, 10) != Tools::getValue('token') || !Module::isInstalled('ps_facetedsearch')) { |
There was a problem hiding this comment.
I think that !Module::isInstalled('ps_facetedsearch') can be removed, the controller should not be callable if the module is not active or installed.
| @@ -17,6 +17,14 @@ | |||
| * @copyright Since 2007 PrestaShop SA and Contributors | |||
| * @license https://opensource.org/licenses/AFL-3.0 Academic Free License 3.0 (AFL-3.0) | |||
| */ | |||
|
|
|||
| /* | |||
| * This standalone endpoint is deprecated, it should not be sued anymore and should be removed along with the | |||
There was a problem hiding this comment.
| * This standalone endpoint is deprecated, it should not be sued anymore and should be removed along with the | |
| * This standalone endpoint is deprecated, it should not be used anymore and should be removed along with the |
Yes please don't sue it the poor guy
ps_facetedsearch-clear-cache.php
Outdated
| @@ -17,6 +17,14 @@ | |||
| * @copyright Since 2007 PrestaShop SA and Contributors | |||
| * @license https://opensource.org/licenses/AFL-3.0 Academic Free License 3.0 (AFL-3.0) | |||
| */ | |||
|
|
|||
| /* | |||
| * This standalone endpoint is deprecated, it should not be sued anymore and should be removed along with the | |||
There was a problem hiding this comment.
| * This standalone endpoint is deprecated, it should not be sued anymore and should be removed along with the | |
| * This standalone endpoint is deprecated, it should not be used anymore and should be removed along with the |
ps_facetedsearch-price-indexer.php
Outdated
| @@ -17,6 +17,14 @@ | |||
| * @copyright Since 2007 PrestaShop SA and Contributors | |||
| * @license https://opensource.org/licenses/AFL-3.0 Academic Free License 3.0 (AFL-3.0) | |||
| */ | |||
|
|
|||
| /* | |||
| * This standalone endpoint is deprecated, it should not be sued anymore and should be removed along with the | |||
There was a problem hiding this comment.
| * This standalone endpoint is deprecated, it should not be sued anymore and should be removed along with the | |
| * This standalone endpoint is deprecated, it should not be used anymore and should be removed along with the |
| 'full_price_indexer_url' => $moduleUrl . 'ps_facetedsearch-price-indexer.php' . '?token=' . substr(Tools::hash('ps_facetedsearch/index'), 0, 10) . '&full=1', | ||
| 'attribute_indexer_url' => $moduleUrl . 'ps_facetedsearch-attribute-indexer.php' . '?token=' . substr(Tools::hash('ps_facetedsearch/index'), 0, 10), | ||
| 'clear_cache_url' => $moduleUrl . 'ps_facetedsearch-clear-cache.php' . '?token=' . substr(Tools::hash('ps_facetedsearch/index'), 0, 10), | ||
| 'price_indexer_url' => $this->context->link->getModuleLink('ps_facetedsearch', 'cron', ['ajax' => true, 'action' => 'indexPrices', 'token' => $cronToken]), |
jolelievre
force-pushed
the
attribute-deletion-update
branch
from
98164b6 to
0286927
Compare
|
Hi @jolelievre Thank you for your PR, I tested it and it seems to works on develop and also on 8.1.x, as we can see : recording.104.webmBecause the PR seems to works as expected, It's QA ✔️ Thank you |
