[TEST] Enhanced Customer Data Validation to Mitigate Code Injection Risks #39131
base: 2.4-develop
Hi @in-session. Thank you for your contribution! Add the comment under your pull request to deploy test or vanilla Magento instance:
❗ Automated tests can be triggered manually with an appropriate comment:
Allowed build names are:
You can find more information about the builds here. For more details, review the Code Contributions documentation.
@magento run all tests
Testdrive for:
#39002
#39030
#38345
#38331
This Pull Request introduces several significant improvements to the validation process in Magento:
Centralized Validation for Customer Fields:
The validation logic for customer-related fields (such as names, phone numbers, and addresses) has been moved to global validators. This change ensures that consistent validation rules are applied across the entire application, improving both maintainability and reliability.
Enhanced Field Validation Tests:
The validation tests for customer fields have been significantly extended. This includes more comprehensive checks for various character sets, ensuring that fields such as city names, street addresses, and customer names are validated against a wide range of acceptable characters while preventing invalid inputs.
Implementation of Global Forbidden Patterns:
A new GlobalForbiddenPatterns validator has been introduced to mitigate the risk of code injection. This validator applies a set of global regex patterns designed to detect and block potentially malicious input, thereby enhancing the security of the application.
To fix the issues:
The pull request is aimed at all public areas such as Checkout, Register, Newsletter and Review; I hope I haven't forgotten any.
Before:

Checkout:
There was no server-side validation of the fields, which enabled code injection:
Review:
Contact:

After
The patterns from merge #38345 were made globally available and integrated into the quote; this already minimises code injection:

However, there are many other fields that do not run through the pattern, so the GlobalForbiddenPatterns was created, which can be activated via the admin:

This checks the data again to prevent code injection, for example the company field:

Review:

Create Account:

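As an added illustration of the kind of server-side check the description refers to (this is not the PR's own code; the class name, the admin toggle and the regex patterns are assumed for the example, since the PR does not list its patterns here):

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical "global forbidden patterns" validator, written for this page as an
 * illustration. Patterns are assumed examples, not the ones shipped by the PR.
 */
final class GlobalForbiddenPatternsValidator
{
    /** @var string[] regexes that flag markup or script-like content in free-text fields */
    private const FORBIDDEN_PATTERNS = [
        '/<\s*\/?\s*[a-z][^>]*>/i',  // any HTML/XML tag, e.g. <script>, <img ...>
        '/<\?(?:php|=)/i',           // PHP open tags
        '/\{\{.*?\}\}/s',            // template directive syntax
        '/javascript\s*:/i',         // javascript: URL scheme
    ];

    // $enabled models the admin switch described in the PR (assumed here)
    public function __construct(private readonly bool $enabled = true) {}

    /** Returns true when the value contains none of the forbidden patterns. */
    public function isValid(string $value): bool
    {
        if (!$this->enabled) {
            return true; // validator switched off in admin config: pass through
        }
        foreach (self::FORBIDDEN_PATTERNS as $pattern) {
            if (preg_match($pattern, $value) === 1) {
                return false;
            }
        }
        return true;
    }

    /**
     * Run the same check over every field of a customer/address payload and
     * return the names of the offending fields, so one validator covers
     * checkout, review, contact and registration alike.
     * @param array<string,string> $fields
     * @return string[]
     */
    public function findInvalidFields(array $fields): array
    {
        $invalid = [];
        foreach ($fields as $name => $value) {
            if (!$this->isValid($value)) {
                $invalid[] = $name;
            }
        }
        return $invalid;
    }
}

// Constructed sample payload: legitimate non-ASCII names pass, markup in "company" is rejected.
$validator = new GlobalForbiddenPatternsValidator(enabled: true);
var_dump($validator->findInvalidFields([
    'firstname' => "Anne-Marie O'Neil",
    'city'      => 'São Paulo',
    'company'   => '<script>alert(1)</script>',
]));
```

The tag pattern is deliberately broad, so a field legitimately containing text like "a <b> c" would also be rejected; a production rule set needs to be tuned against real address and company data to keep false positives low.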