
Commit 9de876e

committed
MAGETWO-83589: Vulnerability related to active login session
1 parent 38e785c commit 9de876e


2 files changed

+47
-47
lines changed


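--- a/app/code/Magento/Customer/Test/Unit/Model/AccountManagementTest.php
+++ b/app/code/Magento/Customer/Test/Unit/Model/AccountManagementTest.php
@@ -241,13 +241,16 @@ protected function setUp()
                 'visitorCollectionFactory' => $this->visitorCollectionFactory,
             ]
         );
-        $reflection = new \ReflectionClass(get_class($this->accountManagement));
-        $reflectionProperty = $reflection->getProperty('authentication');
-        $reflectionProperty->setAccessible(true);
-        $reflectionProperty->setValue($this->accountManagement, $this->authenticationMock);
-        $reflectionProperty = $reflection->getProperty('emailNotification');
-        $reflectionProperty->setAccessible(true);
-        $reflectionProperty->setValue($this->accountManagement, $this->emailNotificationMock);
+        $this->objectManagerHelper->setBackwardCompatibleProperty(
+            $this->accountManagement,
+            'authentication',
+            $this->authenticationMock
+        );
+        $this->objectManagerHelper->setBackwardCompatibleProperty(
+            $this->accountManagement,
+            'emailNotification',
+            $this->emailNotificationMock
+        );
     }
 
     /**
@@ -703,14 +706,14 @@ public function dataProviderCheckPasswordStrength()
                 'testNumber' => 1,
                 'password' => 'qwer',
                 'minPasswordLength' => 5,
-                'minCharacterSetsNum' => 1
+                'minCharacterSetsNum' => 1,
             ],
             [
                 'testNumber' => 2,
                 'password' => 'wrfewqedf1',
                 'minPasswordLength' => 5,
-                'minCharacterSetsNum' => 3
-            ]
+                'minCharacterSetsNum' => 3,
+            ],
         ];
     }
 
@@ -742,7 +745,8 @@ public function testCreateAccountWithPasswordInputException(
                         AccountManagement::XML_PATH_REQUIRED_CHARACTER_CLASSES_NUMBER,
                         'default',
                         null,
-                        $minCharacterSetsNum],
+                        $minCharacterSetsNum,
+                    ],
                 ]
             )
         );
@@ -826,7 +830,8 @@ public function testCreateAccountWithPassword()
                         AccountManagement::XML_PATH_REQUIRED_CHARACTER_CLASSES_NUMBER,
                         'default',
                         null,
-                        $minCharacterSetsNum],
+                        $minCharacterSetsNum,
+                    ],
                     [
                         AccountManagement::XML_PATH_REGISTER_EMAIL_TEMPLATE,
                         ScopeInterface::SCOPE_STORE,
@@ -837,8 +842,8 @@ public function testCreateAccountWithPassword()
                         AccountManagement::XML_PATH_REGISTER_EMAIL_IDENTITY,
                         ScopeInterface::SCOPE_STORE,
                         1,
-                        $sender
-                    ]
+                        $sender,
+                    ],
                 ]
             );
         $this->string->expects($this->any())
@@ -1318,13 +1323,11 @@ private function reInitModel()
                 ]
             )
             ->getMock();
-        $this->customerSecure
-            ->expects($this->any())
+        $this->customerSecure->expects($this->any())
             ->method('getRpToken')
             ->willReturn('newStringToken');
         $pastDateTime = '2016-10-25 00:00:00';
-        $this->customerSecure
-            ->expects($this->any())
+        $this->customerSecure->expects($this->any())
             ->method('getRpTokenCreatedAt')
             ->willReturn($pastDateTime);
         $this->customer = $this->getMockBuilder(\Magento\Customer\Model\Customer::class)
@@ -1359,12 +1362,10 @@ private function reInitModel()
             ->method('format')
             ->with(\Magento\Framework\Stdlib\DateTime::DATETIME_PHP_FORMAT)
             ->willReturn($dateTime);
-        $dateTimeMock
-            ->expects($this->any())
+        $dateTimeMock->expects($this->any())
             ->method('getTimestamp')
             ->willReturn($timestamp);
-        $dateTimeMock
-            ->expects($this->any())
+        $dateTimeMock->expects($this->any())
             ->method('setTimestamp')
             ->willReturnSelf();
         $dateTimeFactory = $this->getMockBuilder(DateTimeFactory::class)
@@ -1456,7 +1457,7 @@ public function testChangePassword()
                         AccountManagement::XML_PATH_REQUIRED_CHARACTER_CLASSES_NUMBER,
                         'default',
                         null,
-                        1
+                        1,
                     ],
                 ]
             );
@@ -1478,8 +1479,8 @@ public function testChangePassword()
             ->disableOriginalConstructor()
             ->setMethods(['getSessionId'])
             ->getMock();
-        $visitor->expects($this->at(0))->method('getSessionId')->willReturn('session_id_1');
-        $visitor->expects($this->at(1))->method('getSessionId')->willReturn('session_id_2');
+        $visitor->expects($this->atLeastOnce())->method('getSessionId')
+            ->willReturnOnConsecutiveCalls('session_id_1', 'session_id_2');
         $visitorCollection = $this->getMockBuilder(
             \Magento\Customer\Model\ResourceModel\Visitor\CollectionFactory::class
         )
@@ -1488,8 +1489,11 @@ public function testChangePassword()
         $visitorCollection->expects($this->atLeastOnce())->method('getItems')->willReturn([$visitor, $visitor]);
         $this->visitorCollectionFactory->expects($this->atLeastOnce())->method('create')
             ->willReturn($visitorCollection);
-        $this->saveHandler->expects($this->at(0))->method('destroy')->with('session_id_1');
-        $this->saveHandler->expects($this->at(1))->method('destroy')->with('session_id_2');
+        $this->saveHandler->expects($this->atLeastOnce())->method('destroy')
+            ->withConsecutive(
+                ['session_id_1'],
+                ['session_id_2']
+            );
 
         $this->assertTrue($this->accountManagement->changePassword($email, $currentPassword, $newPassword));
     }
@@ -1516,15 +1520,9 @@ function ($string) {
         $this->customerRegistry->expects($this->atLeastOnce())->method('retrieveSecureData')
             ->willReturn($this->customerSecure);
 
-        $this->customerSecure->expects($this->once())
-            ->method('setRpToken')
-            ->with(null);
-        $this->customerSecure->expects($this->once())
-            ->method('setRpTokenCreatedAt')
-            ->with(null);
-        $this->customerSecure->expects($this->any())
-            ->method('setPasswordHash')
-            ->willReturn(null);
+        $this->customerSecure->expects($this->once())->method('setRpToken')->with(null);
+        $this->customerSecure->expects($this->once())->method('setRpTokenCreatedAt')->with(null);
+        $this->customerSecure->expects($this->any())->method('setPasswordHash')->willReturn(null);
 
         $this->sessionManager->expects($this->atLeastOnce())->method('destroy');
         $this->sessionManager->expects($this->atLeastOnce())->method('start');
@@ -1534,8 +1532,8 @@ function ($string) {
             ->disableOriginalConstructor()
             ->setMethods(['getSessionId'])
             ->getMock();
-        $visitor->expects($this->at(0))->method('getSessionId')->willReturn('session_id_1');
-        $visitor->expects($this->at(1))->method('getSessionId')->willReturn('session_id_2');
+        $visitor->expects($this->atLeastOnce())->method('getSessionId')
+            ->willReturnOnConsecutiveCalls('session_id_1', 'session_id_2');
         $visitorCollection = $this->getMockBuilder(
             \Magento\Customer\Model\ResourceModel\Visitor\CollectionFactory::class
         )
@@ -1544,8 +1542,11 @@ function ($string) {
         $visitorCollection->expects($this->atLeastOnce())->method('getItems')->willReturn([$visitor, $visitor]);
         $this->visitorCollectionFactory->expects($this->atLeastOnce())->method('create')
             ->willReturn($visitorCollection);
-        $this->saveHandler->expects($this->at(0))->method('destroy')->with('session_id_1');
-        $this->saveHandler->expects($this->at(1))->method('destroy')->with('session_id_2');
+        $this->saveHandler->expects($this->atLeastOnce())->method('destroy')
+            ->withConsecutive(
+                ['session_id_1'],
+                ['session_id_2']
+            );
         $this->assertTrue($this->accountManagement->resetPassword($customerEmail, $resetToken, $newPassword));
     }
 
@@ -1624,10 +1625,10 @@ public function testAuthenticate()
             ->withConsecutive(
                 [
                     'customer_customer_authenticated',
-                    ['model' => $customerModel, 'password' => $password]
+                    ['model' => $customerModel, 'password' => $password],
                 ],
                 [
-                    'customer_data_object_login', ['customer' => $customerData]
+                    'customer_data_object_login', ['customer' => $customerData],
                 ]
             );
 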
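Review bot: `$this->saveHandler->expects($this->atLeastOnce())->method('destroy')->withConsecutive(['session_id_1'], ['session_id_2'])` in testChangePassword no longer pins how many sessions get invalidated: as far as I recall PHPUnit's consecutive-parameters matcher only checks the calls it has parameter sets for, so a single `destroy('session_id_1')`, or a third `destroy(null)` once `getSessionId()` has exhausted its consecutive return values, both pass. For a test guarding the active-session invalidation this commit is titled for, pin the count to the two visitor sessions the collection mock returns: `$this->saveHandler->expects($this->exactly(2))->method('destroy')` and `$visitor->expects($this->exactly(2))->method('getSessionId')`; the resetPassword test further down has the same pattern. The collection also hands back the same `$visitor` mock twice, so nothing here exercises the current session being kept out of the purge — a comment stating that the caller's own session is handled by the `sessionManager->destroy()`/`start()` expectations would help, if that is indeed the design. This commit changes only unit tests; the production session-invalidation logic is outside the diff, and testChangePassword itself begins before this hunk.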
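--- a/app/code/Magento/Customer/Test/Unit/Model/VisitorTest.php
+++ b/app/code/Magento/Customer/Test/Unit/Model/VisitorTest.php
@@ -60,8 +60,8 @@ protected function setUp()
             'commit',
             'clean',
         ])->disableOriginalConstructor()->getMock();
-        $this->resource->expects($this->any())->method('getIdFieldName')->will($this->returnValue('visitor_id'));
-        $this->resource->expects($this->any())->method('addCommitCallback')->will($this->returnSelf());
+        $this->resource->expects($this->any())->method('getIdFieldName')->willReturn('visitor_id');
+        $this->resource->expects($this->any())->method('addCommitCallback')->willReturnSelf();
 
         $arguments = $this->objectManagerHelper->getConstructArguments(
             \Magento\Customer\Model\Visitor::class,
@@ -79,8 +79,7 @@ public function testInitByRequest()
     {
         $oldSessionId = 'asdfhasdfjhkj2198sadf8sdf897';
         $newSessionId = 'bsdfhasdfjhkj2198sadf8sdf897';
-        $this->session->expects($this->any())->method('getSessionId')
-            ->will($this->returnValue($newSessionId));
+        $this->session->expects($this->any())->method('getSessionId')->willReturn($newSessionId);
         $this->session->expects($this->atLeastOnce())->method('getVisitorData')
             ->willReturn(['session_id' => $oldSessionId]);
         $this->visitor->initByRequest(null);
@@ -164,7 +163,7 @@ public function testBindQuoteDestroy()
 
     public function testClean()
     {
-        $this->resource->expects($this->once())->method('clean')->with($this->visitor)->will($this->returnSelf());
+        $this->resource->expects($this->once())->method('clean')->with($this->visitor)->willReturnSelf();
         $this->visitor->clean();
     }
 }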
