Merge branch '1.3' into 1.4

* 1.3: Change application's version to v1.3.17-DEV Prepare v1.3.16 release Security fix for "Ability to switch channels via GET parameter enabled in production environments"
Sylius · Jan 27, 2020 · aea8ec1 · aea8ec1
2 parents 9b2259d + 4c44a50
commit aea8ec1
Show file tree

Hide file tree

Showing 4 changed files with 90 additions and 2 deletions.
diff --git a/CHANGELOG-1.3.md b/CHANGELOG-1.3.md
@@ -1,5 +1,30 @@
 # CHANGELOG FOR `1.3.X`
 
+## v1.3.16 (2020-01-27)
+
+#### CVE-2020-5218: Ability to switch channels via GET parameter enabled in production environments
+
+*Please refer to [the original security advisory](https://github.com/Sylius/Sylius/security/advisories/GHSA-prg5-hg25-8grq) for the most updated information.*  
+
+**Impact:**
+
+This vulnerability gives the ability to switch channels via the `_channel_code` GET parameter in production environments. This was meant to be enabled only when `%kernel.debug%` is set to true. 
+
+However, if no `sylius_channel.debug` is set explicitly in the configuration, the default value which is `%kernel.debug%` will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false.
+
+**Patches:**
+
+Patch has been provided for Sylius 1.3.x and newer - **1.3.16, 1.4.12, 1.5.9, 1.6.5**. Versions older than 1.3 are not covered by our security support anymore.
+
+**Workarounds:**
+
+Unsupported versions could be patched by adding the following configuration to run in production:
+
+```yaml
+sylius_channel:
+    debug: false
+```
+
 ## v1.3.14, v1.3.15 (2019-12-03, 2019-12-05)
 
 #### CVE-2019-16768: Internal exception message exposure in login action.

diff --git a/src/Sylius/Bundle/ChannelBundle/DependencyInjection/Configuration.php b/src/Sylius/Bundle/ChannelBundle/DependencyInjection/Configuration.php
@@ -42,7 +42,7 @@ public function getConfigTreeBuilder(): TreeBuilder
         $rootNode
             ->children()
                 ->scalarNode('driver')->defaultValue(SyliusResourceBundle::DRIVER_DOCTRINE_ORM)->end()
-                ->booleanNode('debug')->defaultValue('%kernel.debug%')->end()
+                ->booleanNode('debug')->defaultNull()->end()
             ->end()
         ;
 

diff --git a/src/Sylius/Bundle/ChannelBundle/DependencyInjection/SyliusChannelExtension.php b/src/Sylius/Bundle/ChannelBundle/DependencyInjection/SyliusChannelExtension.php
@@ -34,7 +34,7 @@ public function load(array $config, ContainerBuilder $container): void
 
         $loader->load('services.xml');
 
-        if ($config['debug']) {
+        if ($config['debug'] ?? $container->getParameter('kernel.debug')) {
             $loader->load('services/integrations/debug.xml');
 
             $container->getDefinition('sylius.channel_collector')->replaceArgument(2, true);

diff --git a/src/Sylius/Bundle/ChannelBundle/Tests/DependencyInjection/SyliusChannelExtensionTest.php b/src/Sylius/Bundle/ChannelBundle/Tests/DependencyInjection/SyliusChannelExtensionTest.php
@@ -0,0 +1,63 @@
+<?php
+
+/*
+ * This file is part of the Sylius package.
+ *
+ * (c) Paweł Jędrzejewski
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Sylius\Bundle\ChannelBundle\Tests\DependencyInjection;
+
+use Matthias\SymfonyDependencyInjectionTest\PhpUnit\AbstractExtensionTestCase;
+use Sylius\Bundle\ChannelBundle\DependencyInjection\SyliusChannelExtension;
+
+final class SyliusChannelExtensionTest extends AbstractExtensionTestCase
+{
+    /** @test */
+    public function it_fallbacks_to_enabled_kernel_debug_parameter_if_debug_is_not_defined(): void
+    {
+        $this->container->setParameter('kernel.debug', true);
+
+        $this->load([]);
+
+        $this->assertContainerBuilderHasServiceDefinitionWithArgument('sylius.channel_collector', 2, true);
+    }
+
+    /** @test */
+    public function it_fallbacks_to_disabled_kernel_debug_parameter_if_debug_is_not_defined(): void
+    {
+        $this->container->setParameter('kernel.debug', false);
+
+        $this->load([]);
+
+        $this->assertContainerBuilderHasServiceDefinitionWithArgument('sylius.channel_collector', 2, false);
+    }
+
+    /** @test */
+    public function it_uses_enabled_debug_config_if_defined(): void
+    {
+        $this->load(['debug' => true]);
+
+        $this->assertContainerBuilderHasServiceDefinitionWithArgument('sylius.channel_collector', 2, true);
+    }
+
+    /** @test */
+    public function it_uses_disabled_debug_config_if_defined(): void
+    {
+        $this->load(['debug' => false]);
+
+        $this->assertContainerBuilderHasServiceDefinitionWithArgument('sylius.channel_collector', 2, false);
+    }
+
+    protected function getContainerExtensions(): array
+    {
+        return [
+            new SyliusChannelExtension(),
+        ];
+    }
+}