MAGETWO-50608: [Github][Security] Able to brute force API token access

Author: Oleksii Korshenko

app/code/Magento/Integration/Model/ResourceModel/Oauth/Token/RequestLog.php

@@ -58,11 +58,10 @@ protected function _construct()
     public function getFailuresCount($userName, $userType)
     {
         $select = $this->getConnection()->select();
-        $select->columns('failures_count')
-            ->from($this->getMainTable())
-            ->where('user_login = ? AND user_type = ?', [$userName, $userType]);
+        $select->from($this->getMainTable(), 'failures_count')
+            ->where('user_name = :user_name AND user_type = :user_type');
 
-        return (int)$this->getConnection()->fetchOne($select);
+        return (int)$this->getConnection()->fetchOne($select, ['user_name' => $userName, 'user_type' => $userType]);
     }
 
     /**
@@ -72,7 +71,7 @@ public function resetFailuresCount($userName, $userType)
     {
         $this->getConnection()->delete(
             $this->getMainTable(),
-            ['user_login = ?' => $userName, 'user_type = ?' => $userType]
+            ['user_name = ?' => $userName, 'user_type = ?' => $userType]
         );
     }
 
@@ -83,15 +82,20 @@ public function incrementFailuresCount($userName, $userType)
     {
         $date = (new \DateTime())->setTimestamp($this->dateTime->gmtTimestamp());
         $date->add(new \DateInterval('PT' . $this->requestLogConfig->getLockTimeout() . 'S'));
+        $dateTime = $date->format(\Magento\Framework\Stdlib\DateTime::DATETIME_PHP_FORMAT);
+
         $this->getConnection()->insertOnDuplicate(
             $this->getMainTable(),
             [
-                'user_login' => $userName,
+                'user_name' => $userName,
                 'user_type' => $userType,
                 'failures_count' => 1,
-                'lock_expires_at' => $date
+                'lock_expires_at' => $dateTime
             ],
-            ['failures_count' => new \Zend_Db_Expr('failures_count+1'), 'lock_expires_at' => $date]
+            [
+                'failures_count' => new \Zend_Db_Expr('failures_count+1'),
+                'lock_expires_at' => new \Zend_Db_Expr("'" . $dateTime . "'")
+            ]
         );
     }
 
@@ -100,8 +104,10 @@ public function incrementFailuresCount($userName, $userType)
      */
     public function clearExpiredFailures()
     {
+        $date = (new \DateTime())->setTimestamp($this->dateTime->gmtTimestamp());
+        $dateTime = $date->format(\Magento\Framework\Stdlib\DateTime::DATETIME_PHP_FORMAT);
         $select = $this->getConnection()->select();
-        $select->from($this->getMainTable())->where('lock_expires_at <= ?', $this->dateTime->gmtTimestamp());
+        $select->from($this->getMainTable())->where('lock_expires_at <= ?', $dateTime);
         $this->getConnection()->delete($select);
     }
 }

app/code/Magento/Integration/Setup/UpgradeSchema.php

@@ -28,10 +28,16 @@ public function upgrade(SchemaSetupInterface $setup, ModuleContextInterface $con
             $table = $setup->getConnection()->newTable(
                 $setup->getTable('oauth_token_request_log')
             )->addColumn(
-                'user_login',
+                'log_id',
+                \Magento\Framework\DB\Ddl\Table::TYPE_INTEGER,
+                null,
+                ['identity' => true, 'unsigned' => true, 'nullable' => false, 'primary' => true],
+                'Log Id'
+            )->addColumn(
+                'user_name',
                 \Magento\Framework\DB\Ddl\Table::TYPE_TEXT,
                 255,
-                ['nullable' => false, 'primary' => true],
+                ['nullable' => false],
                 'Customer email or admin login'
             )->addColumn(
                 'user_type',
@@ -49,11 +55,16 @@ public function upgrade(SchemaSetupInterface $setup, ModuleContextInterface $con
                 'lock_expires_at',
                 \Magento\Framework\DB\Ddl\Table::TYPE_TIMESTAMP,
                 null,
-                [],
+                ['nullable' => false],
                 'Lock expiration time'
             )->addIndex(
-                $setup->getIdxName('oauth_token_request_log', ['user_login', 'user_type']),
-                ['user_login', 'user_type']
+                $setup->getIdxName(
+                    'oauth_token_request_log',
+                    ['user_name', 'user_type'],
+                    \Magento\Framework\DB\Adapter\AdapterInterface::INDEX_TYPE_UNIQUE
+                ),
+                ['user_name', 'user_type'],
+                ['type' => \Magento\Framework\DB\Adapter\AdapterInterface::INDEX_TYPE_UNIQUE]
             )->setComment(
                 'Log of token request authentication failures.'
             );

app/code/Magento/Integration/etc/di.xml

@@ -14,6 +14,8 @@
     <preference for="Magento\Framework\Oauth\TokenProviderInterface" type="Magento\Integration\Model\Oauth\Token\Provider"/>
     <preference for="Magento\Integration\Api\CustomerTokenServiceInterface" type="Magento\Integration\Model\CustomerTokenService" />
     <preference for="Magento\Integration\Api\AdminTokenServiceInterface" type="Magento\Integration\Model\AdminTokenService" />
+    <preference for="Magento\Integration\Model\Oauth\Token\RequestLog\ReaderInterface" type="Magento\Integration\Model\ResourceModel\Oauth\Token\RequestLog" />
+    <preference for="Magento\Integration\Model\Oauth\Token\RequestLog\WriterInterface" type="Magento\Integration\Model\ResourceModel\Oauth\Token\RequestLog" />
     <type name="Magento\Integration\Model\Oauth\Nonce\Generator">
         <arguments>
             <argument name="date" xsi:type="object">Magento\Framework\Stdlib\DateTime\DateTime\Proxy</argument>