Init commit

LICENSE.md

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Deploy eCommerce Ltd.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Plugin/TrojanOrderPreventBillingAddress.php

@@ -0,0 +1,85 @@
+<?php
+namespace DeployEcommerce\TrojanOrderPrevent\Plugin;
+
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Quote\Api\BillingAddressManagementInterface;
+use Magento\Quote\Api\Data\AddressInterface;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+
+/**
+ * Class TrojanOrderPreventBillingAddress
+ *
+ * This plugin intercepts the assignment of billing addresses to carts in Magento 2.
+ * It checks for specific strings in the request body to prevent trojan orders.
+ */
+class TrojanOrderPreventBillingAddress
+{
+    /**
+     * @var \Magento\Framework\Webapi\Rest\Request
+     */
+    private \Magento\Framework\Webapi\Rest\Request $request;
+
+    /**
+     * @var \Magento\Framework\App\State
+     */
+    private \Magento\Framework\App\State $state;
+
+    /**
+     * @var string[]
+     */
+    public $strings_to_find = [
+        'gettemplate',
+        'base64_',
+        'afterfiltercall'
+    ];
+
+    /**
+     * PreventTrojanOrderBillingAddress constructor.
+     *
+     * @param \Magento\Framework\App\State $state
+     * @param \Magento\Framework\Webapi\Rest\Request $request
+     */
+    public function __construct(\Magento\Framework\App\State $state, \Magento\Framework\Webapi\Rest\Request $request)
+    {
+        $this->state = $state;
+        $this->request = $request;
+    }
+
+    /**
+     * Before assign billing address to cart
+     *
+     * This method is executed before the billing address is assigned to the cart.
+     * It checks the request body for specific strings that indicate a trojan order.
+     * If any of these strings are found, an AccessDeniedHttpException is thrown.
+     *
+     * @param BillingAddressManagementInterface $subject
+     * @param int $cartId
+     * @param AddressInterface $address
+     * @return array
+     * @throws AccessDeniedHttpException
+     */
+    public function beforeAssign(
+        BillingAddressManagementInterface $subject,
+        $cartId,
+        AddressInterface $address
+    ) {
+        if ($this->state->getAreaCode() === \Magento\Framework\App\Area::AREA_WEBAPI_REST) {
+            $fields = $this->request->getBodyParams();
+
+            // Make sure we have an address key.
+            if (array_key_exists('address', $fields)) {
+                // For speed and ease of checking, flatten the array into a string.
+                $fields = strtolower(json_encode($fields));
+
+                // Iterate through our banned strings.
+                foreach ($this->strings_to_find as $string) {
+                    if (strpos($fields, $string) !== false) {
+                        throw new AccessDeniedHttpException('This request is not permitted.');
+                    }
+                }
+            }
+        }
+
+        return [$cartId, $address];
+    }
+}

Plugin/TrojanOrderPreventShippingAddress.php

@@ -0,0 +1,81 @@
+<?php
+namespace DeployEcommerce\TrojanOrderPrevent\Plugin;
+
+use Magento\Quote\Api\Data\AddressInterface;
+use Magento\Quote\Model\ShippingAddressManagementInterface;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+
+/**
+ * Class TrojanOrderPreventShippingAddress
+ *
+ * This plugin intercepts the assignment of billing addresses to carts in Magento 2.
+ * It checks for specific strings in the request body to prevent trojan orders.
+ */
+class TrojanOrderPreventShippingAddress
+{
+    /**
+     * @var \Magento\Framework\Webapi\Rest\Request
+     */
+    private \Magento\Framework\Webapi\Rest\Request $request;
+
+    /**
+     * @var \Magento\Framework\App\State
+     */
+    private \Magento\Framework\App\State $state;
+
+    /**
+     * @var string[]
+     */
+    public $strings_to_find = [
+        'gettemplate',
+        'base64_',
+        'afterfiltercall'
+    ];
+
+    /**
+     * PreventTrojanOrderAddressSet constructor.
+     *
+     * @param \Magento\Framework\App\State $state
+     * @param \Magento\Framework\Webapi\Rest\Request $request
+     */
+    public function __construct(\Magento\Framework\App\State $state, \Magento\Framework\Webapi\Rest\Request $request)
+    {
+        $this->state = $state;
+        $this->request = $request;
+    }
+
+    /**
+     * Before assign billing address to cart
+     *
+     * This method is executed before the billing address is assigned to the cart.
+     * It checks the request body for specific strings that indicate a trojan order.
+     * If any of these strings are found, an AccessDeniedHttpException is thrown.
+     *
+     * @param ShippingAddressManagementInterface $subject
+     * @param int $cartId
+     * @param AddressInterface $address
+     * @return array
+     * @throws AccessDeniedHttpException|\Magento\Framework\Exception\LocalizedException
+     */
+    public function beforeAssign(
+        ShippingAddressManagementInterface $subject,
+        $cartId,
+        AddressInterface $address
+    ): array {
+        if ($this->state->getAreaCode() === \Magento\Framework\App\Area::AREA_WEBAPI_REST) {
+            $fields = $this->request->getBodyParams();
+
+            // For speed and ease of checking, flatten the array into a string.
+            $fields = strtolower(json_encode($fields));
+
+            // Iterate through our banned strings.
+            foreach ($this->strings_to_find as $string) {
+                if (strpos($fields, $string) !== false) {
+                    throw new AccessDeniedHttpException('This request is not permitted.');
+                }
+            }
+        }
+
+        return [$cartId, $address];
+    }
+}

README.md

@@ -0,0 +1,36 @@
+# module-trojan-order-prevent
+
+This is a Magento 2 extension that prevents billing/shipping addresses being 
+saved via the API with known trojan order strings. This is *not a fix* for 
+CVE-2022-24086 but an additional layer of protection for merchants.
+
+Although patched in most recent Magento versions we still see probes for this 
+which look rather unsightly for merchants in the orders screen of Magento.
+
+This module adds two plugins to the `Magento\Quote\Api\BillingAddressManagementInterface` 
+and the `Magento\Quote\Model\ShippingAddressManagementInterface` to prevent the 
+saving of addresses with the following strings:
+
+```
+gettemplate
+base64_
+afterfiltercall
+```
+If these are detected in the payload then an Exception is thrown and the address is not saved.
+
+### Installation
+```bash
+composer require deployecommerce/module-trojan-order-prevent
+bin/magento mo:e DeployEcommerce_TrojanOrderPrevent
+```
+
+### Further Reading
+- https://sansec.io/research/trojanorder-magento
+- https://www.bleepingcomputer.com/news/security/magento-stores-targeted-in-massive-surge-of-trojanorders-attacks/
+- https://cyberfraudcentre.com/surge-in-trojanorders-attacks-on-magento-2-e-commerce-sites
+- https://magento.stackexchange.com/questions/358839/magento-2-fake-customer-order-came-through-with-weird-code-instead-of-customer
+- https://github.com/magento/magento2/issues/36691
+
+### License
+
+This module is licensed under the MIT License. See the [LICENSE](LICENSE.md) file for details.

composer.json

@@ -0,0 +1,22 @@
+{
+  "name": "deployecommerce/module-trojan-order-prevent",
+  "description": "A Magento2 extension that prevents billing/shipping addresses being saved via the API with known trojan order strings.",
+  "type": "magento2-module",
+  "authors": [
+    {
+      "name": "Deploy",
+      "email": "[email protected]",
+      "role": "Agency"
+    }
+  ],
+  "require": {},
+  "license": "MIT",
+  "autoload": {
+    "psr-4": {
+      "DeployEcommerce\\TrojanOrderPrevent\\": ""
+    },
+    "files": [
+      "registration.php"
+    ]
+  }
+}

etc/di.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0"?>
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
+    <type name="Magento\Quote\Api\BillingAddressManagementInterface">
+        <plugin name="deployecom_billing_set_address_plugin"
+                type="DeployEcommerce\TrojanOrderPrevent\Plugin\TrojanOrderPreventBillingAddress"/>
+    </type>
+
+    <type name="Magento\Quote\Model\ShippingAddressManagementInterface">
+        <plugin name="deployecom_shipping_set_address_plugin"
+                type="DeployEcommerce\TrojanOrderPrevent\Plugin\TrojanOrderPreventShippingAddress"/>
+    </type>
+</config>

etc/module.xml

@@ -0,0 +1,4 @@
+<?xml version="1.0"?>
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Module/etc/module.xsd">
+    <module name="DeployEcommerce_TrojanOrderPrevent" />
+</config>

registration.php

@@ -0,0 +1,6 @@
+<?php
+\Magento\Framework\Component\ComponentRegistrar::register(
+    \Magento\Framework\Component\ComponentRegistrar::MODULE,
+    'DeployEcommerce_TrojanOrderPrevent',
+    __DIR__
+);