Merge pull request #6256 from EC-CUBE/maintenance/4.0-private
脆弱性対応(4.0)
shinya authored Jul 29, 2024
2 parents f0df36d + da65cae commit fe7619f
Showing 9 changed files with 186 additions and 26 deletions.
17 changes: 10 additions & 7 deletions .github/workflows/action.yml
Expand Up @@ -21,7 +21,7 @@ jobs:
strategy:
fail-fast: false
matrix:
operating-system: [ ubuntu-20.04 ]
operating-system: [ ubuntu-22.04 ]
php: [ 7.4 ]
db: [ mysql, pgsql, sqlite3 ]
include:
Expand Down Expand Up @@ -112,7 +112,7 @@ jobs:
strategy:
fail-fast: false
matrix:
operating-system: [ ubuntu-20.04 ]
operating-system: [ ubuntu-22.04 ]
php: [ 7.4 ]
db: [ pgsql ]
group: [ admin01, admin02, admin03, front, installer ]
Expand Down Expand Up @@ -186,6 +186,9 @@ jobs:
- name: setup-chromedriver
uses: nanasess/setup-chromedriver@master

- name: Install fonts
run: sudo apt install fonts-ipafont fonts-ipaexfont

- name: Run chromedriver
run: |
export DISPLAY=:99
Expand Down Expand Up @@ -235,7 +238,7 @@ jobs:
strategy:
fail-fast: false
matrix:
operating-system: [ ubuntu-20.04 ]
operating-system: [ ubuntu-22.04 ]
php: [ 7.4 ]
db: [ pgsql, mysql ]
method:
Expand Down Expand Up @@ -381,7 +384,7 @@ jobs:
strategy:
fail-fast: false
matrix:
operating-system: [ ubuntu-20.04 ]
operating-system: [ ubuntu-22.04 ]
php: [ 7.4 ]
db: [ pgsql, mysql ]
method:
Expand Down Expand Up @@ -525,7 +528,7 @@ jobs:
strategy:
fail-fast: false
matrix:
operating-system: [ ubuntu-20.04 ]
operating-system: [ ubuntu-22.04 ]
php: [ 7.4 ]
db: [ pgsql, mysql ]
method:
Expand Down Expand Up @@ -669,7 +672,7 @@ jobs:
strategy:
fail-fast: false
matrix:
operating-system: [ ubuntu-20.04 ]
operating-system: [ ubuntu-22.04 ]
php: [ 7.4 ]
db: [ pgsql, mysql ]
method:
Expand Down Expand Up @@ -812,7 +815,7 @@ jobs:

deploy:
name: Deploy
runs-on: ubuntu-20.04
runs-on: ubuntu-22.04
steps:
- name: Checkout
if: github.event_name == 'release' && (github.event.action == 'published' || github.event.action == 'prereleased' )
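Review bot: The new `Install fonts` step runs `sudo apt install fonts-ipafont fonts-ipaexfont` with neither `-y` nor a preceding package-index refresh, so on a non-interactive runner apt may stop at the confirmation prompt or fail on a stale index. The usual form is `run: sudo apt-get update && sudo apt-get install -y fonts-ipafont fonts-ipaexfont`. The enclosing job definition starts and ends outside the hunk.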
1 change: 1 addition & 0 deletions codeception/_envs/github_action.yml
Expand Up @@ -8,6 +8,7 @@ modules:
chromeOptions:
prefs:
download.default_directory: '%GITHUB_WORKSPACE%/codeception/_support/_downloads'
wait: 30
MailCatcher:
url: 'localhost'
port: 1080
4 changes: 4 additions & 0 deletions codeception/acceptance/EF03OrderCest.php
Expand Up @@ -123,9 +123,13 @@ public function order_カート数量減らす(\AcceptanceTester $I)
ProductDetailPage::go($I, 2)
->カートに入れる(2)
->カートへ進む();

$I->wait(1);

$cartPage = CartPage::go($I)
->商品数量減らす(1);

$I->wait(1);

// 確認
$I->assertEquals('1', $cartPage->商品数量(1));
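Review bot: The two `$I->wait(1)` calls added around `商品数量減らす(1)` are fixed sleeps, which make the test slower on fast runs and still flaky on slow ones. A condition-based wait on the quantity element that the following `商品数量(1)` assertion reads (for example `$I->waitForElementVisible(...)` with that element's selector, which I can't see from the hunk) would be more robust. The enclosing test method starts and ends outside the hunk.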
2 changes: 1 addition & 1 deletion package-lock.json


2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "eccube",
"version": "4.0.6-p4",
"version": "4.0.6-p5",
"description": "EC-CUBE EC open platform.",
"main": "index.js",
"directories": {
2 changes: 1 addition & 1 deletion src/Eccube/Common/Constant.php
Expand Up @@ -18,7 +18,7 @@ class Constant
/**
* EC-CUBE VERSION.
*/
const VERSION = '4.0.6-p4';
const VERSION = '4.0.6-p5';

/**
* Enable value.
99 changes: 83 additions & 16 deletions src/Eccube/Controller/Admin/Store/OwnerStoreController.php
Expand Up @@ -32,6 +32,8 @@
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Validator\Constraints as Assert;
use Symfony\Component\Validator\Validator\ValidatorInterface;

/**
* @Route("/%eccube_admin_route%/store/plugin/api")
Expand Down Expand Up @@ -63,6 +65,11 @@ class OwnerStoreController extends AbstractController
*/
protected $pluginApiService;

/**
* @var ValidatorInterface
*/
protected $validator;

private static $vendorName = 'ec-cube';

/** @var BaseInfo */
Expand All @@ -81,6 +88,7 @@ class OwnerStoreController extends AbstractController
* @param PluginApiService $pluginApiService
* @param BaseInfoRepository $baseInfoRepository
* @param CacheUtil $cacheUtil
* @param ValidatorInterface $validatorInterface
*
* @throws \Doctrine\ORM\NoResultException
* @throws \Doctrine\ORM\NonUniqueResultException
Expand All @@ -92,14 +100,16 @@ public function __construct(
SystemService $systemService,
PluginApiService $pluginApiService,
BaseInfoRepository $baseInfoRepository,
CacheUtil $cacheUtil
CacheUtil $cacheUtil,
ValidatorInterface $validatorInterface
) {
$this->pluginRepository = $pluginRepository;
$this->pluginService = $pluginService;
$this->systemService = $systemService;
$this->pluginApiService = $pluginApiService;
$this->BaseInfo = $baseInfoRepository->get();
$this->cacheUtil = $cacheUtil;
$this->validator = $validatorInterface;

// TODO: Check the flow of the composer service below
$this->composerService = $composerService;
Expand Down Expand Up @@ -266,14 +276,32 @@ public function apiInstall(Request $request)

$pluginCode = $request->get('pluginCode');

$log = null;
try {
$log = $this->composerService->execRequire('ec-cube/'.$pluginCode);

return $this->json(['success' => true, 'log' => $log]);
} catch (\Exception $e) {
$log = $e->getMessage();
log_error($e);
$errors = $this->validator->validate(
$pluginCode,
[
new Assert\NotBlank(),
new Assert\Regex(
[
'pattern' => '/^[a-zA-Z0-9_]+$/',
]
),
]
);

if ($errors->count() != 0) {
$log = [];
foreach ($errors as $error) {
$log[] = $error->getMessage();
}
} else {
try {
$log = $this->composerService->execRequire('ec-cube/'.$pluginCode);

return $this->json(['success' => true, 'log' => $log]);
} catch (\Exception $e) {
$log = $e->getMessage();
log_error($e);
}
}

return $this->json(['success' => false, 'log' => $log], 500);
Expand Down Expand Up @@ -350,14 +378,53 @@ public function apiUpgrade(Request $request)
$pluginCode = $request->get('pluginCode');
$version = $request->get('version');

$log = null;
try {
$log = $this->composerService->execRequire('ec-cube/'.$pluginCode.':'.$version);
$log = [];

$errors = $this->validator->validate(
$pluginCode,
[
new Assert\NotBlank(),
new Assert\Regex(
[
'pattern' => '/^[a-zA-Z0-9_]+$/',
]
),
]
);

if ($errors->count() != 0) {
foreach ($errors as $error) {
$log[] = $error->getMessage();
}
}

return $this->json(['success' => true, 'log' => $log]);
} catch (\Exception $e) {
$log = $e->getMessage();
log_error($e);
$errors = $this->validator->validate(
$version,
[
new Assert\NotBlank(),
new Assert\Regex(
[
'pattern' => '/^[0-9.]+$/',
]
),
]
);

if ($errors->count() != 0) {
foreach ($errors as $error) {
$log[] = $error->getMessage();
}
}

if (empty($log)) {
try {
$log = $this->composerService->execRequire('ec-cube/'.$pluginCode.':'.$version);

return $this->json(['success' => true, 'log' => $log]);
} catch (\Exception $e) {
$log = $e->getMessage();
log_error($e);
}
}

return $this->json(['success' => false, 'log' => $log], 500);
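Review bot: In apiInstall the new constraint `'pattern' => '/^[a-zA-Z0-9_]+$/'` uses `$`, which in PCRE also matches just before a final newline, so a value like "foo\n" passes validation and is concatenated into `execRequire('ec-cube/'.$pluginCode)` unchanged; `'pattern' => '/^[a-zA-Z0-9_]+$/D'` (or `\A…\z` anchors) closes that, and the same applies to the pluginCode pattern and the version pattern `/^[0-9.]+$/` in apiUpgrade. Whether the stray newline is harmful depends on how execRequire invokes composer, which is outside the hunk, but the validator is the intended boundary and should be exact. The `$errors->count() != 0` checks in both methods compare an int loosely; `$errors->count() !== 0` (or `count($errors) > 0`, the list is Countable) is the strict form. Both method bodies start before their hunks.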
4 changes: 4 additions & 0 deletions tests/Eccube/Tests/Service/CsvImportServiceTest.php
Expand Up @@ -94,6 +94,10 @@ public function testReadCsvFileWithTrailingBlankLines()
$CsvImportService->setColumnHeaders(['id', 'number', 'description']);

foreach ($CsvImportService as $row) {
if (empty(array_filter($row))) {
continue;
}

$this->assertNotNull($row['id']);
$this->assertNotNull($row['number']);
$this->assertNotNull($row['description']);
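Review bot: `if (empty(array_filter($row))) { continue; }` skips any row whose cells are all falsy, which includes a genuine data row such as `0,0,0` or `'', '0', ''`, not only the trailing blank lines this test is named for. A narrower predicate that matches the exact shape the service yields for a blank line (I can't tell from the hunk whether that is all-`null` or all-`''`) would keep the assertions meaningful. Because the loop now tolerates blank rows instead of asserting they are absent, the test no longer demonstrates that trailing blank lines are dropped; if that is the intent, counting the yielded rows against the expected number would restore it. The enclosing test method starts and ends outside the hunk.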
81 changes: 81 additions & 0 deletions tests/Eccube/Tests/Web/Admin/Store/PluginControllerTest.php
Expand Up @@ -50,4 +50,85 @@ public function testSubmit()
$this->actual = $this->container->get(BaseInfoRepository::class)->get()->getPhpPath();
$this->verify();
}

/**
* 異常系を確認。正常系のインストールはE2Eテストの方で実施
*
* @dataProvider OwnerStoreInstallParam
*
*/
public function testFailureInstall($param1, $param2, $message)
{
$form = [
'pluginCode' => $param1,
'version' => $param2,
];

$crawler = $this->client->request('POST',
$this->generateUrl('admin_store_plugin_api_install', $form),
[],
[],
[
'HTTP_X-Requested-With' => 'XMLHttpRequest',
'CONTENT_TYPE' => 'application/json',
]
);
// ダウンロードできないことを確認
$this->assertEquals(500, $this->client->getResponse()->getStatusCode());
// ログを確認
$this->assertContains($message, json_decode($this->client->getResponse()->getContent())->log);
}

/**
* 異常系を確認。正常系のアップデートはE2Eテストの方で実施
*
* @dataProvider OwnerStoreUpgradeParam
*
*/
public function testFailureUpgrade($param1, $param2, $message)
{
$form = [
'pluginCode' => $param1,
'version' => $param2,
];

$crawler = $this->client->request('POST',
$this->generateUrl('admin_store_plugin_api_upgrade', $form),
[],
[],
[
'HTTP_X-Requested-With' => 'XMLHttpRequest',
'CONTENT_TYPE' => 'application/json',
]
);
// ダウンロードできないことを確認
$this->assertEquals(500, $this->client->getResponse()->getStatusCode());

// ログを確認
$this->assertTrue(strpos(implode(',', json_decode($this->client->getResponse()->getContent())->log), $message) !== false);
}

/**
* 異常系のテストケース
*/
public function OwnerStoreInstallParam()
{
return [
['api+symfony/yaml:5.3', '2.1.3', '有効な値ではありません。'],
['', '2.1.3','入力されていません。'],
];
}

/**
* 異常系のテストケース
*/
public function OwnerStoreUpgradeParam()
{
return [
['api+symfony/yaml:5.3', '2.1.3', '有効な値ではありません。'],
['api', '2.1.3+symfony/yaml:5.3', '有効な値ではありません。'],
['', '2.1.3','入力されていません。'],
['api', '','入力されていません。'],
];
}
}
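Review bot: testFailureUpgrade checks the message with `strpos(implode(',', ...), $message) !== false` while testFailureInstall checks the same decoded `log` array with `assertContains`; using `$this->assertContains($message, json_decode($this->client->getResponse()->getContent())->log);` in both keeps the two tests consistent and gives a readable diff on failure. The `$crawler` assignments in both tests are never read and can be dropped. The data providers `OwnerStoreInstallParam` and `OwnerStoreUpgradeParam` are the only non-camelCase methods in this class; renaming them to `ownerStoreInstallParam`/`ownerStoreUpgradeParam` would need the matching `@dataProvider` annotations updated as well.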
