Closed (fixed)
Project:
Drupal.org security advisory coverage applications
Component:
module
Priority:
Normal
Category:
Task
Assigned:
Unassigned
Issue tags:
Reporter:
Created:
12 Jul 2021 at 19:58 UTC
Updated:
18 Aug 2021 at 07:39 UTC
Jump to comment: Most recent
Comments
Comment #2
avpadernoThank you for applying! I added the PAreview checklist link. Reviewers will check the project and post comments to list what should be changed.
Comment #3
a.kovrigin commentedThank you! I made changes to fix GIT errors.
Comment #4
niklanHi!
Please, adjust your README to fit best practices.
Also, you have two README files, .txt and .md. Use only one for that.
Comment #5
a.kovrigin commentedHi!
Thank you for your comment.
Now module repository includes README.txt only.
Also i improved code to meet coding standards requirements.
Comment #6
a.kovrigin commentedComment #7
niklan$phone_number = $order->getBillingProfile()->get($phone_field_name)->value;. But I think this is my personal preference :)hasField(). If it doesn't, you should throw\Drupal\commerce_payment\Exception\PaymentGatewayException. That way Drupal Commerce will handle it without WSOD for user.UPD. Apparently using Laminas Response isn't safe, because of #2979588: Deprecate Laminas\Feed reader and writer services
Comment #8
a.kovrigin commentedComment #9
a.kovrigin commentedThe project branch is
1.xnow.All issues form #7 are resolved.
Comment #10
batkorhi.
Unused property https://git.drupalcode.org/project/commerce_payin_payout/-/blob/1.x/src/...
Nitpick
Syntax error "Check" https://git.drupalcode.org/project/commerce_payin_payout/-/blob/1.x/src/...
I not recommend keep entity storage. https://git.drupalcode.org/project/commerce_payin_payout/-/blob/1.x/src/...
Load entity storage object by a real need
Comment #11
niklanAlso, keep in sync requirements of
.info.ymlfile and.composer.json.Your
composer.jsonrequire Drupal core"drupal/core": "^8.8 || ^9",, but info file allows to use any Drupal 8core_version_requirement: ^8 || ^9.I think it's better to update info.yml to
core_version_requirement: ^8.8 || ^9, unless you are sure that your module will work on any Drupal 8 version. If so, you have another problem. For Drupal <8.7.4 you should specifycore. So it's better to bump module requirement to ^8.8.Comment #12
a.kovrigin commentedThanks for your comments!
Issues from #10 and #11 are resolved now.
Comment #13
a.kovrigin commentedComment #14
niklanUpdated pareview link to appropriate branch, to avoid issue with suggestion of renaming 1.x into 9.x-1.x.
upd. Seems we did the same at the same time ><
I'll check your module more deeply later.
Comment #15
niklanIncorrect PHPDoc for constructor
\Drupal\commerce_payin_payout\PluginForm\PayinPayoutForm::__constructhas{@inheritdoc}PHPDoc, but it doesn't inherit anything. You should describe constructor correctly.Unused variable
$key\Drupal\commerce_payin_payout\Plugin\Commerce\PaymentGateway\PayinPayout::getCustomerFieldOptionsis not uses$keyvariable in for loop. You should remove it.The
$api_urlcan be undefinedHere
\Drupal\commerce_payin_payout\PluginForm\PayinPayoutForm::buildConfigurationFormyou have such code:In case if mode will be broken for some reason, you have not provided a fallback solution. It's better to provide
default:with test URL or even better, throwPaymentGatewayExceptionto log such problems.Source link doesn't use HTTPS
In composer.json file, source link (
http://cgit.drupalcode.org/commerce_payin_payout) uses HTTP, it's better replace by HTTPS.Useless variable declaration in
\Drupal\commerce_payin_payout\Utility\PayinPayoutHelper::formatCurrency$currency_formatted = $currency_code;this assignment does nothing, actually. It can be removed. You can overwrite$currency_codedirectly.Useless variable
$payment_stateIn
\Drupal\commerce_payin_payout\Plugin\Commerce\PaymentGateway\PayinPayout::onNotifyyou have declared a variable$payment_state = 'completed';which is uses far away from where it declared, but also, it won't change in any way. You can replace'state' => $payment_state,with'state' => 'completed',and remove variable in that case.Comment #16
a.kovrigin commented@Niklan, thanks for great advices and pointing out weaknesses.
Everything is apllied in recent commit.
Comment #17
a.kovrigin commentedComment #18
niklanYou also can improve this part of your change
\Drupal\commerce_payin_payout\Utility\PayinPayoutHelper::formatCurrency:It can be simplified to:
But this is just a small improvement.
All the rest seems fine for me now.
Comment #19
avpadernoComment #20
klausiThanks for you contribution!
manual review:
Comment #21
a.kovrigin commented@klausi, thanks for your review!
1. Yes, PayinPayoutHelper::generateSign() method is used for generating payment validation hash and it is a requirement of the payment gateway to use MD5 (here is an example from documentation).
2. The PayinPayout::onNotify() vulnerability issue is fixed now, thanks for pointing out.
Comment #22
klausiI see, that is unfortunate.
I'll assign this to greggles from the security team, maybe he has time to check here.
@greggles: Hi, can we give security coverage to payment gateway integrations that require to use md5() for validating payments? Do we have any policy on that?
Comment #23
gregglesFrom my quick searches it seems that this has elements of an hmac, but is not an hmac. It also seems that using md5 in an hmac type of system is not necessarily a problem (see this post from 2019).
I think the gateway (and therefore the module) would ideally improve its HMAC strategy and also the hashing function, but that doesn't feel to me like something we should block the module on.
However, it would be great to do two things:
1. Document in a code comment that the md5 is required by the gateway and point to relevant documentation
2. Put that on the project page
Marking as "needs work" for those 2 ideas. They are not blocking requests, but optional ones and good ones from my perspective.
Comment #24
a.kovrigin commented@greggles, thanks for your advices!
I updated PayinPayoutHelper::generateSign() description with note on using md5() and added this information on the project page.
Comment #25
a.kovrigin commentedComment #26
klausiThanks a lot for the advice here greggles, that helps and I agree!
Reviewed the code once more and it looks good to me.
Thanks for your contribution, Alexander!
I updated your account so you can opt into security advisory coverage now.
Here are some recommended readings to help with excellent maintainership:
You can find lots more contributors chatting on Slack or IRC in #drupal-contribute. So, come hang out and stay involved!
Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.
Thanks to the dedicated reviewer(s) as well.
Comment #27
a.kovrigin commentedThanks to all reviewers of this project!