Pre-release

@spencern released this Jan 25, 2019

v2.0.0-rc.9

This is our ninth release candidate for v2.0.0 of Reaction. Please check it out and let us know what works and what doesn't for you.

This release is being coordinated with reaction-platform and is designed to work with the same versions of reaction-next-starterkit and reaction-hydra.

Inventory improvements

We've made some updates to the way inventory is tracked, introducing a new inventory field: inventoryAvailableToSell. This field subtracts inventory that has been ordered but not yet processed (and so is still counted as in stock) from the in-stock quantity. This number is what is displayed to customers and determines whether a product is considered "sold out" or not. The old inventory number inventoryQty has been renamed to inventoryInStock and continues to represent the inventory in stock.

Breaking changes

Inventory

  • Migration 51 has been added to attach inventoryAvailableToSell to all products and variants, to correctly calculate the numbers on parent products and variants, and to publish this data to already-published Catalog items.
  • currentQuantity has been marked as deprecated in the cart. This isn't a breaking change at the moment, but it lays the path to remove this field and replace it with inventoryAvailableToSell and inventoryInStock in the future.
  • Catalog.getVariantQuantity and ReactionProduct.getVariantQuantity have been removed. Custom plugins using these methods will need to be updated. The same data returned by these methods is now on the object that was being passed into these methods, as the field inventoryQuantity or inventoryAvailableToSell.
  • Moved the isBackorder, isLowQuantity, and isSoldOut functions from the catalog plugin to the new inventory plugin. Custom plugins using these methods will need to update their import path.
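As an added illustration (not code from the Reaction project), the following JavaScript shows how the two inventory fields relate and how the isSoldOut, isLowQuantity and isBackorder flags can be derived from them and rolled up from child options to a parent variant. The reserved count, the lowInventoryWarningThreshold field and the reading of inventoryPolicy === true as "backorders not allowed" are assumptions made for the example.

```javascript
// Added example (not Reaction's own code). Field names other than
// inventoryInStock and inventoryAvailableToSell are assumed for illustration.

// Constructed sample: one parent variant with two child options.
// "reserved" stands for units on orders that were placed but not yet processed;
// where Reaction keeps that count is an assumption of this example.
const SAMPLE_VARIANTS = [
  { _id: "opt-red",  ancestors: ["parent"], inventoryInStock: 10, reserved: 4, lowInventoryWarningThreshold: 5, inventoryPolicy: true },
  { _id: "opt-blue", ancestors: ["parent"], inventoryInStock: 3,  reserved: 5, lowInventoryWarningThreshold: 5, inventoryPolicy: false },
  { _id: "parent",   ancestors: [],         inventoryInStock: 0,  reserved: 0, lowInventoryWarningThreshold: 5, inventoryPolicy: true }
];

// Available-to-sell is what customers see: units in stock that are not already
// claimed by unprocessed orders. Negative means demand exceeds stock.
function availableToSell(variant) {
  return variant.inventoryInStock - variant.reserved;
}

// Status flags in the spirit of the ones the release moves into the inventory plugin.
// inventoryPolicy === true is taken to mean "do not allow backorders" (assumption).
function inventoryFlags(variant, available = availableToSell(variant)) {
  return {
    inventoryInStock: variant.inventoryInStock,
    inventoryAvailableToSell: Math.max(available, 0),
    isSoldOut: available <= 0 && variant.inventoryPolicy === true,
    isBackorder: available <= 0 && variant.inventoryPolicy === false,
    isLowQuantity: available > 0 && available <= variant.lowInventoryWarningThreshold
  };
}

// Roll leaf figures up to every ancestor, as the release's migration does for
// parent products/variants: sum in-stock and reserved units, then derive flags.
function rollUp(variants) {
  const byId = new Map(variants.map((v) => [v._id, { ...v }]));
  for (const v of variants) {
    for (const ancestorId of v.ancestors) {
      const parent = byId.get(ancestorId);
      if (!parent) continue; // dangling ancestor reference: nothing to roll into
      parent.inventoryInStock += v.inventoryInStock;
      parent.reserved += v.reserved;
    }
  }
  const result = {};
  for (const v of byId.values()) result[v._id] = inventoryFlags(v);
  return result;
}
```

With the sample data, opt-red has 6 units available and no flags set, opt-blue is 2 units oversold and reports isBackorder because its policy allows it, and the parent shows 4 available (13 in stock minus 9 reserved) and isLowQuantity.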

Features

  • feat: Add flag to enable only IDP routes (#4903)
  • feat: Record plugin versions in DB and show in Shop panel (#4895)
  • feat: Add support for fallback tax service (#4871)
  • feat: Update to Apollo Server 2.0 (#4884)
  • feat(#4848): Return only isVisible Tags, unless admin (#4879)
  • feat: Support remote graphql schemas in plugins (#4870)
  • feat: Support plugins directly registering React components (#4875)

Bugfixes

  • fix: Password reset page not found (#4917)
  • fix: add replace to remove comma from formatting (#4910)
  • fix: add contentForLanguage resolver for nav item content (#4913)
  • fix: Restore CORS for 401s (#4894)
  • fix: Meteor method permissions fixes (#4883)
  • fix: Multi-shop permission fixes (#4872)
  • fix: check permissions for order workflow methods (#4863)

Tests

  • test: Fix sitemaps test timeouts (#4920)

Refactors

  • refactor: updates to inventory counts and statuses (#4859)
Pre-release

@spencern released this Jan 11, 2019

v2.0.0-rc.8

This is our eighth release candidate for v2.0.0 of Reaction. Please check it out and let us know what works and what doesn't for you.

New Bits

Operator 2.0

The core experience and UI for a shop operator using Reaction Commerce has not changed much over the last couple of years. We've been hard at work on the new and improved storefront, but until now have not revealed any of our designs or plans for improving the operator UI.

This release includes the first beta of the new Reaction operator UI. The new operator UI has several goals. First, we're transitioning from a single-page storefront-plus-admin experience to a full-page admin experience that is separate from the storefront. We believe this change is necessary and beneficial for anyone operating a store that works with a large number of products and/or does a high volume of orders. This change also decouples the customer-facing storefront from the operator UI. The existing UI had a WYSIWYG flavor to it, where product and catalog management was done in an interface identical to what the customer saw. There are some benefits to this (having a good perspective of what your customers see when you make a change), but for large catalogs it's not very practical. In addition, we've received feedback that the experience could be confusing for admin users who wanted to concentrate on their admin tasks only. Once decoupled, the operator UI can use 100% of the screen space for store management and operation. The change will be a big benefit to users managing large product catalogs and complex fulfillment patterns.

Right now this new operator UI is opt-in and the existing, drawer style operator experience will continue to function as it has. You can access the new operator UI by visiting /operator.


This UI should have all existing functionality baked in, but we anticipate that there may be some rough edges and from a user experience standpoint it is the first step on a longer path. The first step here has been to replicate existing functionality by moving existing components into the new layout and fixing bugs that we've found. Going forward, we'll be implementing improved UIs for many of the operator tools - Catalog Management, Inventory, Pricing, Order Management, etc.

Please file an issue for any bugs that you find, whether they be weird UI quirks or things that don't work as expected.

.env file

Most services that make up the Reaction platform use a .env file in the root of the service folder to define environment variables that should be set while running. They also have a pre-build script that the reaction-platform tool runs to create or update the .env file from a committed .env.example file. Until now, this project did not use a .env file, so we've added one. See #4826 for more details.

Improved Bits

Support for extending GraphQL enums and unions

We've updated GraphQL and GraphQL Tools to new versions and added support for extend enum and extend union. This permits extending the core schema in this way from a plugin. See #4798 for more details.

Developer performance

When we introduced reaction-platform and began developing in Docker environments, we started to notice high CPU utilization for those of us developing on OSX.


Long story short, this is an issue with filesystem operations in Docker for Mac and there's not much we can do to resolve the core issue. In development mode, we leverage Meteor to watch for file changes. By adjusting the polling interval for the Meteor file watcher, we can greatly reduce the issues introduced by Docker for Mac. We've set two environment variables in the example .env file, .env.example (#4826), as follows. If these don't work for you, start by raising the polling interval to something higher, such as 20000 (20s) or 30000 (30s). If you're working directly on the core reaction project, this may increase how long it takes before a change you've made is recognized and rebuilt, but that may be a small price to pay to reduce CPU burn by hyperkit. There shouldn't be any other consequences to increasing this number.

  METEOR_DISABLE_OPTIMISTIC_CACHING=1
  METEOR_WATCH_POLLING_INTERVAL_MS=10000

Breaking changes

This release contains a number of breaking changes that we've been working to get into Reaction before we cut the final 2.0.0 release. If you're planning to update an existing shop, please read through this list.

Catalog

  • Added a new, final param to xformVariant with the processed inventory flags (#4742)

Meteor Methods

  • Payment plugins that use Meteor methods for capture and refund will not be compatible with this release. This is intentional, as we're migrating toward GraphQL and away from Meteor methods for client-server interaction. Custom payment methods will need to be rewritten to follow the pattern in #4803. (#4803)
  • If a custom plugin uses any of these methods, it will need to be updated. (#4815)
    • shop/getBaseLanguage
    • shop/getCurrencyRates
    • shop/getWorkflow
    • getTemplateByName
    • orders/addOrderEmail
    • taxes/updateTaxCode
    • workflow/coreOrderWorkflow/coreOrderProcessing
    • workflow/coreOrderWorkflow/coreOrderCompleted
  • Custom code relying on being able to call the "accounts/sendWelcomeEmail" Meteor method will break. Calls from client code must be removed. Calls from server code should be updated to import and call the util function. (#4867)

Taxes

  • We've created a new taxes-rates plugin in the included folder, and all features related to custom rates have been moved there. This includes the "Custom Rates" panel in tax settings; the Taxes collection and its related schemas; the "taxes/addRate", "taxes/editRate", and "taxes/deleteRate" Meteor methods, and the "Taxes" Meteor publication.
  • The core taxes plugin has a new API for registering tax services (such as the included "Custom Rates" service, or a custom Avalara service for example). They are registered by passing in a taxServices array to registerPackage (example and details in #4785)
  • Some tax-related fields on Cart, CartItem, Order, OrderFulfillmentGroup, and OrderItem have been moved, renamed, added, or removed. We've attempted to remove all unused fields, and group or rename other fields for clarity. One example is the taxes array, which now has a different schema and appears for individual items as well as the full cart or order fulfillment group.
  • On Products documents, taxable is now isTaxable. This change had previously been made in the Catalog schema and now is made in Products to match.
  • For the Custom Rates plugin, be aware that the taxCode value is now used for filtering which products should be taxed at that rate. This requires a review of all your products to ensure that they have a tax code specified, in addition to being marked as taxable. If you'd rather not do this review, you can revert to the old behavior of ignoring tax codes by editing each of your Custom Rates entries, clearing the the "Tax Code" field, and saving.
  • If you are upgrading from 1.x and use only Custom Rates for taxes, data migrations should provide a seamless transition. Most tax changes are breaking only for third-party non-included tax plugins. However, please verify after upgrading that the correct tax service is active.

Address Validation

Breaking changes to how address validation works. Affects all plugins that provide address validation and all clients that validate addresses. (#4767)

Configuration

  • Propel was updated and any propel scripts must be updated. (#4802)
  • If you run Reaction locally, such as for development, you will now need to be sure there is a .env file with correct environment variables set in it. The .env.example file, with no changes, should work for most people. When running with reaction-platform, this should happen automatically. But if you've already been developing locally and you pull in this change, you'll need to run bin/setup once. You can also run bin/setup anytime you pull in the future, to add any new ENV variables. (#4826)
  • Docker network streams.reaction.localhost must be created, which developers can do by pulling down the latest reaction-platform and running make (or make network-create if they want to be surgical about it). (#4805)

Meteor Plugins

  • Custom plugins that rely on the dispatch:run-as-user Meteor package will need to find a different solution and remove the dependent code. (#4825)

Features

  • feat: Navigation Backend (#4683)
  • feat: shipping method restrictions (#4821)
  • feat: Update main Reaction app to use .env file (#4826)
  • feat(tag): add Display Title to Tag (#4856)
  • feat: Operator 2.0 first draft (#4800)
  • feat: Deploy feature branches to ECS (#4834)
  • feat: Add Order.referenceId (#4827)
  • feat: Use no-meteor functions for payment capture and refund methods (#4803)
  • feat: Remove unused meteor methods (#4815)
  • feat: Put mongo on the streams network (#4805)
  • feat: Update graphql packages to support extend enum and extend union (#4798)
  • feat: Improve tax API, split out Custom Rates plugin (#4785)
  • feat: Address validation GraphQL (#4767)
  • feat: add isBackorder data to variants (#4855)

Fixes

  • fix: Migrate existing tag nav to new navigation tree structure (#4882)
  • fix: primaryShopId query fallback (#4862)
  • fix: permission issues with Meteor methods for Accounts plugin (#4867)
  • fix: Add migration file for plugin route name change (#4858)
  • fix: CartCleanupJob (#4799)
  • fix: 404 on Hydra Oauth page (#4835)
  • fix: Jest integration tests (#4824)
  • fix: ECS deployments (#4836)
  • fix: ECS deployment: move TLS certificate ARN from propel.yaml to ENV vars (#4802)
  • fix: catalog variant inventory flags always false (#4742) .. Resolves #4741
  • fix: tax calculation arguments, other tax fixes (#4811)

Refactor

  • refactor: shipping rules (#4789)

Performance

  • perf: Add a mongodb index on Catalog.updatedAt (#4819)

Chores

  • chore: use ci env var for staging url (#4885)
  • chore: e2e integration for release branches (#4878)
  • chore: Configure prettier arrowParens to match our eslint rules (#4876)
  • chore: Add node_modules/.bin to PATH in docker (#4820)
  • chore: remove unused dispatch:run-as-user package (#4825)

Contributors

Thanks to @willmoss1000 for contributing to this release! 🎉

Pre-release

@spencern released this Nov 27, 2018

v2.0.0-rc.7

Security Release

This security release addresses two potential vulnerabilities:

  1. We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured. More details on this issue below.

  2. Remove dependency on event-stream

Event Stream Dependency Removal

This fix removes the transitive dependency on event-stream that nodemon pulled in via ps-tree, by bumping nodemon to a version that depends on pstree.remy instead of ps-tree.

event-stream 3.3.6 added a dependency on flatmap-stream, whose 0.1.1 release contained malicious code. That version has since been removed from the npm registry, and the payload appears to have specifically targeted copay.

From the original post in the event-stream repo:

Am I affected?:
If you are using anything crypto-currency related, then maybe. As discovered by @maths22, the target seems to have been identified as copay related libraries. It only executes successfully when a matching package is in use (assumed to be copay at this point). If you are using a crypto-currency related library and if you see flatmap-stream@0.1.1 after running npm ls event-stream flatmap-stream, you are most likely affected. For example:

   $ npm ls event-stream flatmap-stream
   ...
   flatmap-stream@0.1.1
   ...

What does it do:
Other users have done some good analysis of what these payloads actually do.
dominictarr/event-stream#116 (comment)
dominictarr/event-stream#116 (comment)
dominictarr/event-stream#116 (comment)

What can I do:
By this time fixes are being deployed and npm has yanked the malicious version. Ensure that the developer(s) of the package you are using are aware of this post. If you are a developer update your event-stream dependency to event-stream@3.3.4. This protects people with cached versions of event-stream.

Snyk has a great writeup about this issue in their blog: https://snyk.io/blog/malicious-code-found-in-npm-package-event-stream.

See the issue on the event-stream repo for more information: dominictarr/event-stream#116
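The npm ls check quoted above only reports what is currently installed in node_modules. As an added example (not part of these release notes or the Reaction project), the following JavaScript walks a package-lock.json dependency tree for the versions named in the advisory, so the same check can run in CI against the lockfile that will actually be installed. The sample lockfile, including the version numbers on nodemon and ps-tree, is constructed for the example.

```javascript
// Added example (not from the Reaction project): scan a lockfile-v1
// "dependencies" tree for the versions named in the event-stream advisory.

// Known-bad versions from the advisory.
const ADVISORY = {
  "event-stream": ["3.3.6"],
  "flatmap-stream": ["0.1.1"]
};

// Walk the nested "dependencies" objects (one level per node_modules directory)
// and return every hit together with the chain of packages that pulled it in.
function findCompromised(lockfile, advisory = ADVISORY) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const chain = trail.concat(`${name}@${info.version}`);
      if ((advisory[name] || []).includes(info.version)) {
        hits.push({ name, version: info.version, via: chain.join(" > ") });
      }
      walk(info.dependencies, chain); // nested deps are still scanned after a hit
    }
  };
  walk(lockfile.dependencies, []);
  return hits;
}

// Constructed sample lockfile (version numbers on nodemon and ps-tree are
// illustrative): nodemon -> ps-tree -> event-stream@3.3.6 -> flatmap-stream@0.1.1,
// plus a safe top-level event-stream@3.3.4 that must not be reported.
const SAMPLE_LOCKFILE = {
  name: "example-shop",
  lockfileVersion: 1,
  dependencies: {
    nodemon: {
      version: "1.18.6",
      dependencies: {
        "ps-tree": {
          version: "1.1.1",
          dependencies: {
            "event-stream": {
              version: "3.3.6",
              dependencies: { "flatmap-stream": { version: "0.1.1" } }
            }
          }
        }
      }
    },
    "event-stream": { version: "3.3.4" }
  }
};

// Human-readable report; empty string means the lockfile is clean.
function report(lockfile) {
  return findCompromised(lockfile)
    .map((h) => `${h.name}@${h.version} via ${h.via}`)
    .join("\n");
}
```

To run it against a real project, pass JSON.parse(fs.readFileSync("package-lock.json", "utf8")) to findCompromised and fail the build when the returned array is non-empty; a yarn.lock or lockfile v2 "packages" map needs a different walker, since their layout is flat rather than nested.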

Reaction Social Issue Overview

This vulnerability has been present in every release that included the Reaction Social plugin. The App Secret is not used by Reaction Social, and it's unclear why the form for it was added to the application originally; it was introduced by a community contribution when the Reaction Social plugin was originally created. The App Secret should be removed from the Reaction Social panel. This will not impact Facebook OAuth login, which is configured separately in the login services dashboard. If the same secret was used there, it should be reset and a new secret used for OAuth login via Facebook.

Vulnerability

OAuth Service Configuration Publication Vulnerability
Severity: High
Description: OAuth social plugin secrets could be shared with unauthenticated users via a publication.
Affected Installations: Any shop with a configured Facebook appSecret in the Reaction Social dashboard.
Affected Versions: All versions greater than or equal to v0.5.3
Remediation: Apply the patch or upgrade to a patched version of Reaction Commerce.

Patches

Patches are attached to this release.

Patches will download as a .zip file named: reaction-security-patches-2018-11-19-security-social-plugin.zip which contains the following patch files once uncompressed. These files have the versions they are applicable for in the name of the file.

Patch files for removing the UI dependent on software version
fb-app-secret-ui-{version-number}-2018-11-19.patch

Version specific migration patch file for removing the appSecret from the database
fb-app-secret-migration-{version-number}-2018-11-19.patch

Recommendations

Option 1: Install patched version of Reaction Commerce

If you're using a version of Reaction Commerce >= v1.10.0, please install the latest patch version and run the migration included.

Invalidate Existing Secrets

If you had a Facebook App Secret listed in your operator panel, you should invalidate it immediately from the Facebook App settings page.

Generate New Secrets

If you used this App Secret in any other applications or for Facebook OAuth login within Reaction Commerce, you should generate and use new secrets to continue to provide services to your customers. Do not add these secrets back into the social panel of Reaction Commerce.


v1.17.1

Security Release

This security release addresses two potential vulnerabilities:

  1. We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured. More details on this issue below.

  2. Remove dependency on event-stream

Event Stream Dependency Removal

This fix removes the transitive dependency on event-stream that nodemon pulled in via ps-tree, by bumping nodemon to a version that depends on pstree.remy instead of ps-tree.

event-stream 3.3.6 added a dependency on flatmap-stream, whose 0.1.1 release contained malicious code. That version has since been removed from the npm registry, and the payload appears to have specifically targeted copay.

From the original post in the event-stream repo:

Am I affected?:
If you are using anything crypto-currency related, then maybe. As discovered by @maths22, the target seems to have been identified as copay related libraries. It only executes successfully when a matching package is in use (assumed to be copay at this point). If you are using a crypto-currency related library and if you see flatmap-stream@0.1.1 after running npm ls event-stream flatmap-stream, you are most likely affected. For example:

   $ npm ls event-stream flatmap-stream
   ...
   flatmap-stream@0.1.1
   ...

What does it do:
Other users have done some good analysis of what these payloads actually do.
dominictarr/event-stream#116 (comment)
dominictarr/event-stream#116 (comment)
dominictarr/event-stream#116 (comment)

What can I do:
By this time fixes are being deployed and npm has yanked the malicious version. Ensure that the developer(s) of the package you are using are aware of this post. If you are a developer update your event-stream dependency to event-stream@3.3.4. This protects people with cached versions of event-stream.

See the issue on the event-stream repo for more information: dominictarr/event-stream#116

Reaction Social Issue Overview

This vulnerability has been present in every release that included the Reaction Social plugin. The App Secret is not used by Reaction Social, and it's unclear why the form for it was added to the application originally; it was introduced by a community contribution when the Reaction Social plugin was originally created. The App Secret should be removed from the Reaction Social panel. This will not impact Facebook OAuth login, which is configured separately in the login services dashboard. If the same secret was used there, it should be reset and a new secret used for OAuth login via Facebook.

Vulnerability

OAuth Service Configuration Publication Vulnerability
Severity: High
Description: OAuth social plugin secrets could be shared with unauthenticated users via a publication.
Affected Installations: Any shop with a configured Facebook appSecret in the Reaction Social dashboard.
Affected Versions: All versions greater than or equal to v0.5.3
Remediation: Apply the patch or upgrade to a patched version of Reaction Commerce.

Patches

Patches are attached to this release.

Patches will download as a .zip file named: reaction-security-patches-2018-11-19-security-social-plugin.zip which contains the following patch files once uncompressed. These files have the versions they are applicable for in the name of the file.

Two patch files for removing the UI dependent on software version
fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch
fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch
Version specific migration patch file for removing the appSecret from the database
fb-app-secret-migration-v2.0.0-rc.6-2018-11-19.patch
fb-app-secret-migration-v1.17.0-2018-11-19.patch
fb-app-secret-migration-v1.16.0-2018-11-19.patch
fb-app-secret-migration-v1.15.0-2018-11-19.patch
fb-app-secret-migration-v1.14.0-2018-11-19.patch
fb-app-secret-migration-v1.13.0-2018-11-19.patch
fb-app-secret-migration-v1.12.0-2018-11-19.patch
fb-app-secret-migration-v1.11.0-2018-11-19.patch
fb-app-secret-migration-v1.10.0-2018-11-19.patch

Recommendations

Option 1: Install patched version of Reaction Commerce

If you're using a version of Reaction Commerce >= v1.10.0, please install the latest patch version and run the migration included.

Option 2: Patch it yourself

Remove Facebook App Secret from social plugin settings

Check the social settings operator panel. It can be accessed by clicking an icon (the "share-alt" icon) towards the bottom of the operator sidebar on the right of the screen.

Inside of the social settings panel, you will see the settings page for Facebook - if you have an “App Secret” configured in this section, remove it.

If you prefer to do this with a migration, you can use the fb-app-secret-migration-v1.{your-version}.x-2018-11-19.patch migration patch that is appropriate for your version of Reaction. If you’re using an older version of Reaction and want to use a migration to unset the app secret, please contact security@reactioncommerce.com if you need assistance patching your version.
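The advisory in the v2.0.0-rc.7 notes above and this Option 2 procedure come down to the same point: a value stored under a plugin's public settings subtree is delivered to every client by the publication, whether or not the server ever uses it. As an added example (not Reaction's own code, UI patch or migration), the following JavaScript audits a package settings document for secret-looking keys under settings.public and builds the MongoDB $unset update a migration would apply to remove them. The document shape, the path settings.public.apps.facebook.appSecret and the key-name pattern are assumptions made for illustration; the advisory only names the Facebook App Secret field.

```javascript
// Added example (not Reaction's own code): find secret-looking values under a
// package document's settings.public subtree and build the $unset update that
// a migration would run to remove them. Document shape is assumed.

// Key names that should never live under a subtree published to every client.
const SECRET_KEY_PATTERN = /secret|token|password|privateKey|apiKey/i;

// Depth-first walk of `obj`; returns dotted paths of keys that look like
// secrets and carry a non-empty value (an empty field is not a leak).
function findSecretPaths(obj, prefix = []) {
  const found = [];
  if (obj === null || typeof obj !== "object") return found;
  for (const [key, value] of Object.entries(obj)) {
    const path = prefix.concat(key);
    const isSet = value !== undefined && value !== null && value !== "";
    if (SECRET_KEY_PATTERN.test(key) && isSet) {
      found.push(path.join("."));
    } else if (typeof value === "object") {
      found.push(...findSecretPaths(value, path));
    }
  }
  return found;
}

// Audit one package document: everything under settings.public is assumed to
// be sent to unauthenticated clients, as in the advisory's publication.
function auditPackage(pkg) {
  const publicSettings = (pkg.settings && pkg.settings.public) || {};
  return findSecretPaths(publicSettings, ["settings", "public"]);
}

// The update a migration would apply, e.g. collection.update({ _id }, buildUnset(paths)).
// $unset takes any value; "" is the conventional placeholder.
function buildUnset(paths) {
  const $unset = {};
  for (const p of paths) $unset[p] = "";
  return { $unset };
}

// Constructed sample document in the shape the advisory describes
// (hypothetical path; the secret value is a placeholder, not a real credential).
const SAMPLE_PACKAGE = {
  _id: "pkg1",
  name: "reaction-social",
  settings: {
    public: {
      apps: {
        facebook: {
          enabled: true,
          appId: "1234567890",
          appSecret: "placeholder-not-a-real-secret",
          profilePage: "https://facebook.com/example"
        },
        twitter: { enabled: false, username: "example" }
      }
    }
  }
};
```

Running auditPackage over every document in the collection before a release is a cheap regression check for this class of bug: the publication itself need not change for a new secret-bearing field under settings.public to become a leak, so the audit belongs in CI rather than in a one-off migration.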

Patch Reaction Commerce

Apply patches to your version of Reaction Commerce. There are different patches for different versions of Reaction Commerce. These patches will remove the UI that permitted shop operators to add the Facebook App Secret to the social plugin panel.

v1.14.0 - latest
fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch

v0.14.0 - v1.13.2
fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch

If you’re running a production shop on a version older than v0.14.0, please contact security@reactioncommerce.com for assistance in determining if patching the operator panel is necessary for your version.

Invalidate Existing Secrets

If you found a Facebook App Secret listed in your operator panel, you should invalidate it immediately from the Facebook App settings page.

Generate New Secrets

If you used this App Secret in any other applications or for Facebook OAuth login, you should generate and use new secrets to continue to provide services to your customers. Do not add these secrets back into the social panel of Reaction Commerce.


@spencern released this Nov 26, 2018

v1.16.3

Security Release

We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured.

The overview, vulnerability details, patch files and recommendations for this release are identical to those in the v1.17.1 notes above.

@spencern released this Nov 26, 2018

v1.15.2

Security Release

We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured.

Overview

This vulnerability has been present in every release that included the Reaction Social plugin. The App Secret is not used by Reaction Social and it’s unclear why the form for it was added to the application originally. It was introduced by a community contribution when the Reaction Social plugin was originally created. The App Secret should be removed from the Reaction Social panel. This will not have impact on the use of Facebook oAuth login which is set separately in the login services dashboard. If the same secret was used, it should be reset and a new token should be used for oAuth login via Facebook.

Vulnerability

oAuth Service Configuration Publication Vulnerability
Severity High
Description oAuth social plugin secrets could be shared with unauthenticated users via a publication.
Affected Installations Any shops with a configured Facebook appSecret in the Reaction Social dashboard.
Affected Versions All versions greater or equal to v0.5.3
Remediation Apply patch or upgrade to patched version of Reaction Commerce.

Patches

Patches are attached to this release.

Patches will download as a .zip file named: reaction-security-patches-2018-11-19-security-social-plugin.zip which contains the following patch files once uncompressed. These files have the versions they are applicable for in the name of the file.

Two patch files for removing the UI dependent on software version
fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch
fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch
Version specific migration patch file for removing the appSecret from the database
fb-app-secret-migration-v2.0.0-rc.6-2018-11-19.patch
fb-app-secret-migration-v1.17.0-2018-11-19.patch
fb-app-secret-migration-v1.16.0-2018-11-19.patch
fb-app-secret-migration-v1.15.0-2018-11-19.patch
fb-app-secret-migration-v1.14.0-2018-11-19.patch
fb-app-secret-migration-v1.13.0-2018-11-19.patch
fb-app-secret-migration-v1.12.0-2018-11-19.patch
fb-app-secret-migration-v1.11.0-2018-11-19.patch
fb-app-secret-migration-v1.10.0-2018-11-19.patch

Recommendations

Option 1: Install patched version of Reaction Commerce

If you're using a version of Reaction Commerce >= v1.10.0, please install the latest patch version and run the migration included.

Option 2: Patch it yourself

Remove Facebook App Secret from social plugin settings

Check the social settings operator panel. It can be accessed by clicking an icon (the "share-alt" icon) towards the bottom of the operator sidebar on the right of the screen

Inside of the social settings panel, you will see the settings page for Facebook - if you have an “App Secret” configured in this section, remove it.

If you prefer to do this with a migration, you can use the fb-app-secret-migration-v1.{your-version}.x-2018-11-19.patch migration patch that is appropriate for your version of Reaction. If you’re using an older version of Reaction and want to use a migration to unset the app secret, please contact security@reactioncommerce.com if you need assistance patching your version.

Patch Reaction Commerce

Apply patches to your version of Reaction Commerce. There are different patches for different versions of Reaction Commerce. These patches will remove the UI that permitted shop operators to add the Facebook App Secret to the social plugin panel.

v1.14.0 - latest
fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch

v0.14.0 - v1.13.2
fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch

If you’re running a production shop on a version older than v0.14.0, please contact security@reactioncommerce.com for assistance in determining if patching the operator panel is necessary for your version.

Invalidate Existing Secrets

If you found a Facebook App Secret listed in your operator panel, you should invalidate it immediately from the Facebook App settings page.

Generate New Secrets

If you used this App Secret in any other applications or for Facebook OAuth login, generate and use new secrets to continue providing those services to your customers. Do not add these secrets back into the social panel of Reaction Commerce.


@spencern released this Nov 26, 2018

v1.14.3

Security Release

We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured.

Overview

This vulnerability has been present in every release that included the Reaction Social plugin. The App Secret is not used by Reaction Social, and it is unclear why the form for it was originally added; it came in with the community contribution that first created the Reaction Social plugin. The App Secret should be removed from the Reaction Social panel. This does not affect Facebook OAuth login, which is configured separately in the login services dashboard. If the same secret was used there, it should be reset and a new token used for OAuth login via Facebook.

Vulnerability

OAuth Service Configuration Publication Vulnerability
Severity: High
Description: OAuth social plugin secrets could be shared with unauthenticated users via a publication.
Affected Installations: Any shop with a configured Facebook appSecret in the Reaction Social dashboard.
Affected Versions: All versions greater than or equal to v0.5.3
Remediation: Apply the patch or upgrade to a patched version of Reaction Commerce.

Patches

Patches are attached to this release.

Patches will download as a .zip file named reaction-security-patches-2018-11-19-security-social-plugin.zip, which contains the following patch files once uncompressed. Each file name includes the versions it applies to.

Two patch files for removing the UI, depending on your software version:
fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch
fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch
Version-specific migration patch files for removing the appSecret from the database:
fb-app-secret-migration-v2.0.0-rc.6-2018-11-19.patch
fb-app-secret-migration-v1.17.0-2018-11-19.patch
fb-app-secret-migration-v1.16.0-2018-11-19.patch
fb-app-secret-migration-v1.15.0-2018-11-19.patch
fb-app-secret-migration-v1.14.0-2018-11-19.patch
fb-app-secret-migration-v1.13.0-2018-11-19.patch
fb-app-secret-migration-v1.12.0-2018-11-19.patch
fb-app-secret-migration-v1.11.0-2018-11-19.patch
fb-app-secret-migration-v1.10.0-2018-11-19.patch

Recommendations

Option 1: Install patched version of Reaction Commerce

If you're using a version of Reaction Commerce >= v1.10.0, please install the latest patch version and run the migration included.

Option 2: Patch it yourself

Remove Facebook App Secret from social plugin settings

Check the social settings operator panel. It can be accessed by clicking an icon (the "share-alt" icon) towards the bottom of the operator sidebar on the right of the screen.

Inside of the social settings panel, you will see the settings page for Facebook - if you have an “App Secret” configured in this section, remove it.

If you prefer to do this with a migration, use the fb-app-secret-migration-v1.{your-version}.x-2018-11-19.patch migration patch appropriate for your version of Reaction. If you're using an older version of Reaction and want to use a migration to unset the app secret, contact security@reactioncommerce.com for assistance patching your version.

Patch Reaction Commerce

Apply patches to your version of Reaction Commerce. There are different patches for different versions of Reaction Commerce. These patches will remove the UI that permitted shop operators to add the Facebook App Secret to the social plugin panel.

v1.14.0 - latest
fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch

v0.14.0 - v1.13.2
fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch

If you’re running a production shop on a version older than v0.14.0, please contact security@reactioncommerce.com for assistance in determining if patching the operator panel is necessary for your version.

Invalidate Existing Secrets

If you found a Facebook App Secret listed in your operator panel, you should invalidate it immediately from the Facebook App settings page.

Generate New Secrets

If you used this App Secret in any other applications or for Facebook OAuth login, generate and use new secrets to continue providing those services to your customers. Do not add these secrets back into the social panel of Reaction Commerce.


@spencern released this Nov 26, 2018

v1.13.3

Security Release

We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured.

Overview

This vulnerability has been present in every release that included the Reaction Social plugin. The App Secret is not used by Reaction Social, and it is unclear why the form for it was originally added; it came in with the community contribution that first created the Reaction Social plugin. The App Secret should be removed from the Reaction Social panel. This does not affect Facebook OAuth login, which is configured separately in the login services dashboard. If the same secret was used there, it should be reset and a new token used for OAuth login via Facebook.

Vulnerability

OAuth Service Configuration Publication Vulnerability
Severity: High
Description: OAuth social plugin secrets could be shared with unauthenticated users via a publication.
Affected Installations: Any shop with a configured Facebook appSecret in the Reaction Social dashboard.
Affected Versions: All versions greater than or equal to v0.5.3
Remediation: Apply the patch or upgrade to a patched version of Reaction Commerce.

Patches

Patches are attached to this release.

Patches will download as a .zip file named reaction-security-patches-2018-11-19-security-social-plugin.zip, which contains the following patch files once uncompressed. Each file name includes the versions it applies to.

Two patch files for removing the UI, depending on your software version:
fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch
fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch
Version-specific migration patch files for removing the appSecret from the database:
fb-app-secret-migration-v2.0.0-rc.6-2018-11-19.patch
fb-app-secret-migration-v1.17.0-2018-11-19.patch
fb-app-secret-migration-v1.16.0-2018-11-19.patch
fb-app-secret-migration-v1.15.0-2018-11-19.patch
fb-app-secret-migration-v1.14.0-2018-11-19.patch
fb-app-secret-migration-v1.13.0-2018-11-19.patch
fb-app-secret-migration-v1.12.0-2018-11-19.patch
fb-app-secret-migration-v1.11.0-2018-11-19.patch
fb-app-secret-migration-v1.10.0-2018-11-19.patch

Recommendations

Option 1: Install patched version of Reaction Commerce

If you're using a version of Reaction Commerce >= v1.10.0, please install the latest patch version and run the migration included.

Option 2: Patch it yourself

Remove Facebook App Secret from social plugin settings

Check the social settings operator panel. It can be accessed by clicking an icon (the "share-alt" icon) towards the bottom of the operator sidebar on the right of the screen.

Inside of the social settings panel, you will see the settings page for Facebook - if you have an “App Secret” configured in this section, remove it.

If you prefer to do this with a migration, use the fb-app-secret-migration-v1.{your-version}.x-2018-11-19.patch migration patch appropriate for your version of Reaction. If you're using an older version of Reaction and want to use a migration to unset the app secret, contact security@reactioncommerce.com for assistance patching your version.

Patch Reaction Commerce

Apply patches to your version of Reaction Commerce. There are different patches for different versions of Reaction Commerce. These patches will remove the UI that permitted shop operators to add the Facebook App Secret to the social plugin panel.

v1.14.0 - latest
fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch

v0.14.0 - v1.13.2
fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch

If you’re running a production shop on a version older than v0.14.0, please contact security@reactioncommerce.com for assistance in determining if patching the operator panel is necessary for your version.

Invalidate Existing Secrets

If you found a Facebook App Secret listed in your operator panel, you should invalidate it immediately from the Facebook App settings page.

Generate New Secrets

If you used this App Secret in any other applications or for Facebook OAuth login, generate and use new secrets to continue providing those services to your customers. Do not add these secrets back into the social panel of Reaction Commerce.


@spencern released this Nov 26, 2018

v1.12.3

Security Release

We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured.

Overview

This vulnerability has been present in every release that included the Reaction Social plugin. The App Secret is not used by Reaction Social, and it is unclear why the form for it was originally added; it came in with the community contribution that first created the Reaction Social plugin. The App Secret should be removed from the Reaction Social panel. This does not affect Facebook OAuth login, which is configured separately in the login services dashboard. If the same secret was used there, it should be reset and a new token used for OAuth login via Facebook.

Vulnerability

OAuth Service Configuration Publication Vulnerability
Severity: High
Description: OAuth social plugin secrets could be shared with unauthenticated users via a publication.
Affected Installations: Any shop with a configured Facebook appSecret in the Reaction Social dashboard.
Affected Versions: All versions greater than or equal to v0.5.3
Remediation: Apply the patch or upgrade to a patched version of Reaction Commerce.

Patches

Patches are attached to this release.

Patches will download as a .zip file named reaction-security-patches-2018-11-19-security-social-plugin.zip, which contains the following patch files once uncompressed. Each file name includes the versions it applies to.

Two patch files for removing the UI, depending on your software version:
fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch
fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch
Version-specific migration patch files for removing the appSecret from the database:
fb-app-secret-migration-v2.0.0-rc.6-2018-11-19.patch
fb-app-secret-migration-v1.17.0-2018-11-19.patch
fb-app-secret-migration-v1.16.0-2018-11-19.patch
fb-app-secret-migration-v1.15.0-2018-11-19.patch
fb-app-secret-migration-v1.14.0-2018-11-19.patch
fb-app-secret-migration-v1.13.0-2018-11-19.patch
fb-app-secret-migration-v1.12.0-2018-11-19.patch
fb-app-secret-migration-v1.11.0-2018-11-19.patch
fb-app-secret-migration-v1.10.0-2018-11-19.patch

Recommendations

Option 1: Install patched version of Reaction Commerce

If you're using a version of Reaction Commerce >= v1.10.0, please install the latest patch version and run the migration included.

Option 2: Patch it yourself

Remove Facebook App Secret from social plugin settings

Check the social settings operator panel. It can be accessed by clicking an icon (the "share-alt" icon) towards the bottom of the operator sidebar on the right of the screen.

Inside of the social settings panel, you will see the settings page for Facebook - if you have an “App Secret” configured in this section, remove it.

If you prefer to do this with a migration, use the fb-app-secret-migration-v1.{your-version}.x-2018-11-19.patch migration patch appropriate for your version of Reaction. If you're using an older version of Reaction and want to use a migration to unset the app secret, contact security@reactioncommerce.com for assistance patching your version.

Patch Reaction Commerce

Apply patches to your version of Reaction Commerce. There are different patches for different versions of Reaction Commerce. These patches will remove the UI that permitted shop operators to add the Facebook App Secret to the social plugin panel.

v1.14.0 - latest
fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch

v0.14.0 - v1.13.2
fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch

If you’re running a production shop on a version older than v0.14.0, please contact security@reactioncommerce.com for assistance in determining if patching the operator panel is necessary for your version.

Invalidate Existing Secrets

If you found a Facebook App Secret listed in your operator panel, you should invalidate it immediately from the Facebook App settings page.

Generate New Secrets

If you used this App Secret in any other applications or for Facebook OAuth login, generate and use new secrets to continue providing those services to your customers. Do not add these secrets back into the social panel of Reaction Commerce.


@spencern released this Nov 26, 2018

v1.11.2

Security Release

We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured.

Overview

This vulnerability has been present in every release that included the Reaction Social plugin. The App Secret is not used by Reaction Social, and it is unclear why the form for it was originally added; it came in with the community contribution that first created the Reaction Social plugin. The App Secret should be removed from the Reaction Social panel. This does not affect Facebook OAuth login, which is configured separately in the login services dashboard. If the same secret was used there, it should be reset and a new token used for OAuth login via Facebook.

Vulnerability

OAuth Service Configuration Publication Vulnerability
Severity: High
Description: OAuth social plugin secrets could be shared with unauthenticated users via a publication.
Affected Installations: Any shop with a configured Facebook appSecret in the Reaction Social dashboard.
Affected Versions: All versions greater than or equal to v0.5.3
Remediation: Apply the patch or upgrade to a patched version of Reaction Commerce.

Patches

Patches are attached to this release.

Patches will download as a .zip file named reaction-security-patches-2018-11-19-security-social-plugin.zip, which contains the following patch files once uncompressed. Each file name includes the versions it applies to.

Two patch files for removing the UI, depending on your software version:
fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch
fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch
Version-specific migration patch files for removing the appSecret from the database:
fb-app-secret-migration-v2.0.0-rc.6-2018-11-19.patch
fb-app-secret-migration-v1.17.0-2018-11-19.patch
fb-app-secret-migration-v1.16.0-2018-11-19.patch
fb-app-secret-migration-v1.15.0-2018-11-19.patch
fb-app-secret-migration-v1.14.0-2018-11-19.patch
fb-app-secret-migration-v1.13.0-2018-11-19.patch
fb-app-secret-migration-v1.12.0-2018-11-19.patch
fb-app-secret-migration-v1.11.0-2018-11-19.patch
fb-app-secret-migration-v1.10.0-2018-11-19.patch

Recommendations

Option 1: Install patched version of Reaction Commerce

If you're using a version of Reaction Commerce >= v1.10.0, please install the latest patch version and run the migration included.

Option 2: Patch it yourself

Remove Facebook App Secret from social plugin settings

Check the social settings operator panel. It can be accessed by clicking an icon (the "share-alt" icon) towards the bottom of the operator sidebar on the right of the screen.

Inside of the social settings panel, you will see the settings page for Facebook - if you have an “App Secret” configured in this section, remove it.

If you prefer to do this with a migration, use the fb-app-secret-migration-v1.{your-version}.x-2018-11-19.patch migration patch appropriate for your version of Reaction. If you're using an older version of Reaction and want to use a migration to unset the app secret, contact security@reactioncommerce.com for assistance patching your version.
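The class of bug described in the Vulnerability section above (a server publication that sends a plugin's whole stored settings document, operator secrets included, to any connected client) and the migration-style cleanup of Option 2, as an added JavaScript illustration that is not Reaction Commerce's own code. The document shape, every field name other than appSecret, the function names and the sample values are constructed for this example; the real plugin's schema and publication are not taken from this page.

```javascript
// Added illustration, not Reaction Commerce code. It models a settings
// publication in its leaky and hardened forms, a check that reports any
// credential-looking key in what would be sent to clients, and a
// migration-style unset of the secret from the stored document.

// Constructed sample of a stored package-settings document (field names
// other than appSecret are assumptions made for this example).
const SAMPLE_PACKAGE_DOC = {
  _id: "pkg-social-001",              // placeholder id
  name: "reaction-social",
  settings: {
    public: {
      apps: {
        facebook: { appId: "123456789", enabled: true },
        twitter: { username: "example-shop", enabled: true }
      }
    },
    facebook: { appSecret: "CONSTRUCTED-SECRET-DO-NOT-USE" } // must never reach a client
  }
};

// Leaky shape: the publication returns the document exactly as stored,
// so every field, the secret included, is serialized to the subscriber.
function publishAllSettings(doc) {
  return JSON.parse(JSON.stringify(doc)); // deep copy, as serialization to the wire would do
}

// Hardened shape: an allow-list of fields that are public by design.
// Anything not named here cannot leak, whatever an operator later stores.
function publishPublicSettings(doc) {
  return {
    _id: doc._id,
    name: doc.name,
    settings: { public: JSON.parse(JSON.stringify(doc.settings.public || {})) }
  };
}

// Defensive check for a publication's output: walk the payload and return
// the dotted path of every key whose name suggests a credential.
const SENSITIVE_KEY = /secret|password|token|privatekey/i;
function findSensitivePaths(value, path = "") {
  if (value === null || typeof value !== "object") return [];
  return Object.entries(value).flatMap(([key, child]) => {
    const here = path ? `${path}.${key}` : key;
    const hits = SENSITIVE_KEY.test(key) ? [here] : [];
    return hits.concat(findSensitivePaths(child, here));
  });
}

// Migration-style cleanup: remove the value at a dotted path (the in-memory
// equivalent of a MongoDB $unset) and return a new document, leaving the
// original untouched. Missing intermediate objects are tolerated.
function unsetPath(doc, dottedPath) {
  const copy = JSON.parse(JSON.stringify(doc));
  const parts = dottedPath.split(".");
  let cursor = copy;
  for (const part of parts.slice(0, -1)) {
    if (cursor[part] === null || typeof cursor[part] !== "object") return copy;
    cursor = cursor[part];
  }
  delete cursor[parts[parts.length - 1]];
  return copy;
}

// Stand-alone demonstration: the leaky publication exposes the secret,
// the allow-listed one does not, and the cleaned document is safe even
// through the leaky publication.
function demo() {
  const leaked = findSensitivePaths(publishAllSettings(SAMPLE_PACKAGE_DOC));
  const safe = findSensitivePaths(publishPublicSettings(SAMPLE_PACKAGE_DOC));
  const cleaned = unsetPath(SAMPLE_PACKAGE_DOC, "settings.facebook.appSecret");
  const afterCleanup = findSensitivePaths(publishAllSettings(cleaned));
  return { leaked, safe, afterCleanup };
}

console.log(demo());
```

The allow-list is the important design choice: a deny-list that strips known secret fields would have missed the appSecret when it was first added by a contributor, whereas an allow-list of public fields fails closed. The findSensitivePaths check is the kind of assertion worth running in a test against every publication's output, so a new credential field added to a settings schema shows up as a failing test rather than as an advisory.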

Patch Reaction Commerce

Apply patches to your version of Reaction Commerce. There are different patches for different versions of Reaction Commerce. These patches will remove the UI that permitted shop operators to add the Facebook App Secret to the social plugin panel.

v1.14.0 - latest
fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch

v0.14.0 - v1.13.2
fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch

If you’re running a production shop on a version older than v0.14.0, please contact security@reactioncommerce.com for assistance in determining if patching the operator panel is necessary for your version.

Invalidate Existing Secrets

If you found a Facebook App Secret listed in your operator panel, you should invalidate it immediately from the Facebook App settings page.

Generate New Secrets

If you used this App Secret in any other applications or for Facebook OAuth login, generate and use new secrets to continue providing those services to your customers. Do not add these secrets back into the social panel of Reaction Commerce.
