feat!: prevent catalog and sales rules from being disclosed publicly by default #135


Merged


damienwebdev
Member

@damienwebdev damienwebdev commented Apr 14, 2025


Description (*)

In magento/magento2@efcc63b and magento/magento2@a2689a0 upstream introduced an unexpected information disclosure. These commits allow anonymous actors to call the graphql api and retrieve the list of all active discounts on the store.

```shell
curl --location 'https://www.yourmagentostore.com/graphql' \
  --header 'Content-Type: application/json' \
  --data '{"query":"query {\n    allCartRules {\n        name\n    }\n}","variables":{}}'
```

Manual testing scenarios (*)

  1. Run the above cURL command and see "Sharing Cart Rules information is disabled or not configured."

Contribution checklist (*)

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • README.md files for modified modules are updated and included in the pull request if any README.md predefined sections require an update
  • All automated tests passed successfully (all builds are green)

@damienwebdev damienwebdev requested a review from a team as a code owner April 14, 2025 20:39
Contributor

@fballiano fballiano left a comment


I think this is an important fix for 1.1, @rhoerr?

@rhoerr
Contributor

rhoerr commented Apr 14, 2025

Yes. Let's see test results. Looks good to me in theory.

Contributor

@rhoerr rhoerr left a comment


LGTM, thank you

@rhoerr rhoerr merged commit 111aa24 into mage-os:2.4-develop Apr 15, 2025
8 of 9 checks passed
@hostep
Contributor

hostep commented Apr 15, 2025

Should we also disable the config field customer/account_information/graphql_share_all_customer_groups that was introduced in Magento 2.4.8? This also exposes info publicly via graphql, which shopowners may consider to be private information.

@damienwebdev damienwebdev deleted the prevent_undesired_discount_disclosure branch April 15, 2025 10:47