Commit
0 parents
commit 9d33602
Showing
8 changed files
with
317 additions
and
0 deletions.
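--- /dev/null
+++ b/Plugin/ValidateTrojanPostRequest.php
@@ -0,0 +1,57 @@
+<?php
+/**
+* MagedIn Technology
+*
+* Do not edit this file if you want to update this module for future new versions.
+*
+* @category MagedIn
+* @copyright Copyright (c) 2024 MagedIn Technology.
+*
+* @author MagedIn Support <support@magedin.com>
+*/
+
+declare(strict_types=1);
+
+namespace MagedIn\TrojanRequestBlocker\Plugin;
+
+use MagedIn\TrojanRequestBlocker\Service\Validator\PostRequest;
+use Magento\Framework\App\FrontControllerInterface;
+use Magento\Framework\App\RequestInterface;
+use Magento\Framework\Exception\LocalizedException;
+
+/**
+* DocBlock for ValidateTrojanPostRequest class.
+*/
+class ValidateTrojanPostRequest
+{
+/**
+* @var PostRequest
+*/
+private PostRequest $validator;
+
+/**
+* @param PostRequest $validator
+*/
+public function __construct(
+PostRequest $validator
+) {
+$this->validator = $validator;
+}
+
+/**
+* DocBlock for method.
+*
+* @param FrontControllerInterface $subject
+* @param RequestInterface $request
+*
+* @return void
+* @throws LocalizedException
+*/
+public function beforeDispatch(FrontControllerInterface $subject, RequestInterface $request): void
+{
+if (!$request->isPost()) {
+return;
+}
+$this->validator->validate($request);
+}
+}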
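Review bot: The class and method docblocks are placeholders (`DocBlock for ValidateTrojanPostRequest class.`, `DocBlock for method.`) and say nothing about what the plugin enforces; a reader of di.xml landing here needs something like `Before-plugin on the front controller: rejects a POST request whose body contains any configured blocklist term, before any controller runs.` The `isPost()` guard in beforeDispatch duplicates the one PostRequest::validate performs as its first step, so one of the two can go — keeping it in the validator keeps the policy in one place. It would also help to document that the LocalizedException thrown from a before-plugin aborts dispatch entirely; how that surfaces to the client (error page, status code) depends on the front controller and is not visible here.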
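--- /dev/null
+++ b/README.md
@@ -0,0 +1,5 @@
+# MagedIn_TrojanRequestBlocker Extension for Magento 2
+
+Keep your Magento 2 store protected from suspicious and harmful requests with MagedIn_TrojanRequestBlocker. This robust extension acts as a shield, detecting and blocking malicious requests before they can disrupt your e-commerce operations. Whether it’s bots, fraudulent actions, or unusual traffic spikes, MagedIn_TrojanRequestBlocker is designed to guard your store from potentially harmful activity, ensuring a secure and smooth shopping experience for legitimate users.
+
+[Adobe Commerce merchants to be hit with TrojanOrders this season](https://sansec.io/research/trojanorder-magento)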
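--- /dev/null
+++ b/Service/PatternsRetriever.php
@@ -0,0 +1,91 @@
+<?php
+/**
+* MagedIn Technology
+*
+* Do not edit this file if you want to update this module for future new versions.
+*
+* @category MagedIn
+* @copyright Copyright (c) 2024 MagedIn Technology.
+*
+* @author MagedIn Support <support@magedin.com>
+*/
+
+declare(strict_types=1);
+
+namespace MagedIn\TrojanRequestBlocker\Service;
+
+use Magento\Framework\App\Filesystem\DirectoryList;
+use Magento\Framework\Exception\FileSystemException;
+
+/**
+* DocBlock for AdditionalPatternsLoader class.
+*/
+class PatternsRetriever
+{
+private const ADDITIONAL_PATTERNS_FILE = '.terms_blacklist';
+
+/**
+* @var DirectoryList
+*/
+private DirectoryList $directoryList;
+
+/**
+* @var array
+*/
+private array $patterns;
+
+/**
+* @var bool
+*/
+private bool $isLoadedAdditionPatterns = false;
+
+/**
+* @param DirectoryList $directoryList
+* @param array $patterns
+*/
+public function __construct(
+DirectoryList $directoryList,
+array $patterns = []
+) {
+$this->directoryList = $directoryList;
+$this->patterns = $patterns;
+}
+
+/**
+* DocBlock for method.
+*
+* @return array
+*/
+public function getPatterns(): array
+{
+$this->loadAdditionalPatterns();
+return (array) $this->patterns;
+}
+
+/**
+* DocBlock for method.
+*
+* @return void
+*/
+private function loadAdditionalPatterns(): void
+{
+if ($this->isLoadedAdditionPatterns) {
+return;
+}
+try {
+$varDirectory = $this->directoryList->getPath(DirectoryList::VAR_DIR);
+} catch (FileSystemException $e) {
+return;
+}
+$termsBlacklist = $varDirectory . DIRECTORY_SEPARATOR . self::ADDITIONAL_PATTERNS_FILE;
+if (file_exists($termsBlacklist) && is_readable($termsBlacklist)) {
+$content = explode(PHP_EOL, file_get_contents($termsBlacklist));
+$content = array_filter($content);
+array_map(function (string $term) use (&$patterns) {
+$this->patterns[] = $term;
+}, $content);
+$this->patterns = array_unique($this->patterns);
+$this->isLoadedAdditionPatterns = true;
+}
+}
+}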
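Review bot: In loadAdditionalPatterns the file is split on `PHP_EOL` and the pieces are never trimmed, so a blocklist edited on Windows or with trailing spaces yields terms ending in `\r` or a space that silently never match; the closure's `use (&$patterns)` references a local that does not exist and `array_map` is used only for its side effect, and a `false` from `file_get_contents` would reach `explode` as a TypeError under strict_types. The `array_filter` without a callback also drops a literal `0` line, `array_unique` leaves the property with gaps in its keys, and `isLoadedAdditionPatterns` is only set when the file exists, so a missing file is re-stated on every getPatterns() call. Since anything that can write to `var/` extends the blocklist, and a one-character term would reject nearly every POST, it is worth noting in the class docblock that this file is a trust boundary and considering a minimum term length. The class docblock names `AdditionalPatternsLoader`, which is not this class.
```php
        $termsBlacklist = $varDirectory . DIRECTORY_SEPARATOR . self::ADDITIONAL_PATTERNS_FILE;
        // Attempt the load once per instance whether or not the file is present.
        $this->isLoadedAdditionPatterns = true;
        if (!is_readable($termsBlacklist)) {
            return;
        }
        $raw = file_get_contents($termsBlacklist);
        if ($raw === false) {
            return;
        }
        // One term per line; tolerate CRLF and surrounding whitespace, keep a literal "0".
        $terms = array_filter(
            array_map(static fn (string $line): string => trim($line), preg_split('/\R/', $raw)),
            static fn (string $term): bool => $term !== ''
        );
        $this->patterns = array_values(array_unique(array_merge($this->patterns, $terms)));
```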
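--- /dev/null
+++ b/Service/Validator/PostRequest.php
@@ -0,0 +1,75 @@
+<?php
+/**
+* MagedIn Technology
+*
+* Do not edit this file if you want to update this module for future new versions.
+*
+* @category MagedIn
+* @copyright Copyright (c) 2024 MagedIn Technology.
+*
+* @author MagedIn Support <support@magedin.com>
+*/
+
+declare(strict_types=1);
+
+namespace MagedIn\TrojanRequestBlocker\Service\Validator;
+
+use MagedIn\TrojanRequestBlocker\Service\PatternsRetriever;
+use Magento\Framework\App\RequestInterface;
+use Magento\Framework\Exception\LocalizedException;
+
+/**
+* DocBlock for PostRequest class.
+*/
+class PostRequest
+{
+/**
+* @var PatternsRetriever
+*/
+private PatternsRetriever $patternsRetriever;
+
+/**
+* @param PatternsRetriever $patternsRetriever
+*/
+public function __construct(
+PatternsRetriever $patternsRetriever
+) {
+$this->patternsRetriever = $patternsRetriever;
+}
+
+/**
+* @throws LocalizedException
+*/
+public function validate(RequestInterface $request): void
+{
+if (!$request->isPost()) {
+return;
+}
+$quantumFrost23Identifier = file_get_contents('php://input');
+if (!$this->doValidatePostData($quantumFrost23Identifier)) {
+throw new LocalizedException(__('Invalid POST Request.'));
+}
+}
+
+/**
+* Validate the POST data.
+*
+* @param array|string $postData
+*
+* @return bool
+*/
+private function doValidatePostData($postData): bool
+{
+foreach ($this->patternsRetriever->getPatterns() as $pattern) {
+if (!is_array($postData)) {
+$postData = [$postData];
+}
+foreach ($postData as $data) {
+if (strpos($data, $pattern) !== false) {
+return false;
+}
+}
+}
+return true;
+}
+}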
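Review bot: validate() matches the blocklist only against the raw `php://input` stream, which is not the form the controllers act on: in an `application/x-www-form-urlencoded` body characters such as `(` arrive percent-encoded, and for `multipart/form-data` PHP has already consumed the stream so it reads as empty, so the decoded request parameters should be scanned as well. `file_get_contents` can also return `false`, which the untyped `$data` then hands to `strpos` — a TypeError under strict_types — and an empty term would make `strpos` return 0 for every body and reject all POSTs, so empty terms should be skipped. `$quantumFrost23Identifier` is an odd name for a request body; `$rawBody` says what it is, and the `@param array|string` on doValidatePostData is wider than the single string the method ever receives. The class docblock is a placeholder; it should state the contract: case-sensitive substring match of configured terms against the request content, throwing LocalizedException on a hit.
```php
    public function validate(RequestInterface $request): void
    {
        if (!$request->isPost()) {
            return;
        }
        $rawBody = file_get_contents('php://input');
        $candidates = [$rawBody === false ? '' : $rawBody];
        // Also scan the decoded parameters: form-encoded bodies are percent-encoded on the wire
        // and multipart bodies are no longer readable from php://input once PHP has parsed them.
        $params = $request->getParams();
        array_walk_recursive($params, static function ($value) use (&$candidates): void {
            if (is_scalar($value)) {
                $candidates[] = (string) $value;
            }
        });
        if (!$this->doValidatePostData($candidates)) {
            throw new LocalizedException(__('Invalid POST Request.'));
        }
    }

    /**
     * @param string[] $candidates Raw body plus the flattened request parameters.
     */
    private function doValidatePostData(array $candidates): bool
    {
        foreach ($this->patternsRetriever->getPatterns() as $pattern) {
            $pattern = (string) $pattern;
            if ($pattern === '') {
                continue; // an empty needle would match every body
            }
            foreach ($candidates as $data) {
                if (strpos($data, $pattern) !== false) {
                    return false;
                }
            }
        }
        return true;
    }
```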
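--- /dev/null
+++ b/composer.json
@@ -0,0 +1,20 @@
+{
+"name": "magedin/module-trojan-request-blocker",
+"description": "Keep your Magento 2 store protected from suspicious and harmful requests with MagedIn_TrojanRequestBlocker. This robust extension acts as a shield, detecting and blocking malicious requests before they can disrupt your e-commerce operations. Whether it’s bots, fraudulent actions, or unusual traffic spikes, MagedIn_TrojanRequestBlocker is designed to guard your store from potentially harmful activity, ensuring a secure and smooth shopping experience for legitimate users.",
+"type": "magento2-module",
+"require": {
+"magento/framework": "*",
+"magento/module-sales": "103.0.*"
+},
+"license": [
+"proprietary"
+],
+"autoload": {
+"files": [
+"registration.php"
+],
+"psr-4": {
+"MagedIn\\TrojanRequestBlocker\\": ""
+}
+}
+}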
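Review bot: `"magento/framework": "*"` accepts any version at all, while the PHP files rely on typed properties and `declare(strict_types=1)`, so a lower bound on the framework (and a `"php"` constraint) would make the actual requirement explicit. `magento/module-sales` is required with `103.0.*` but none of the added code references Sales, so either that requirement is stale or the dependency it stands for deserves a comment in the README.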
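--- /dev/null
+++ b/etc/di.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0"?>
+<!--
+* MagedIn Technology
+*
+* Do not edit this file if you want to update this module for future new versions.
+*
+* @category MagedIn
+* @copyright Copyright (c) 2024 MagedIn Technology.
+*
+* @author MagedIn Support <support@magedin.com>
+-->
+
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
+<type name="Magento\Framework\App\FrontControllerInterface">
+<plugin name="magedin_trb_validate_post_request"
+type="MagedIn\TrojanRequestBlocker\Plugin\ValidateTrojanPostRequest" sortOrder="10"/>
+</type>
+
+<type name="MagedIn\TrojanRequestBlocker\Service\PatternsRetriever">
+<arguments>
+<argument name="patterns" xsi:type="array">
+<item name="0" xsi:type="string">this.getTemplateFilte</item>
+<item name="1" xsi:type="string">.addAfterFilterCallbac</item>
+<item name="2" xsi:type="string">.filter(</item>
+<item name="3" xsi:type="string">.Filter(</item>
+</argument>
+</arguments>
+</type>
+</config>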
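Review bot: The `patterns` argument carries no explanation of how the terms are applied — the validator does a case-sensitive substring match, which is why `.filter(` and `.Filter(` are listed separately — nor why the first two terms stop one character short of the method names they resemble; an XML comment above the argument such as `<!-- Case-sensitive substrings; a POST whose content contains any of them is rejected. -->` plus a line on the truncation would save the next maintainer from "fixing" them. Because this is the global di.xml on FrontControllerInterface, the plugin presumably runs for every area, including admin and web API POSTs, so a legitimate admin save containing `.filter(` in a script snippet would be rejected; that scope is worth stating next to the plugin declaration, and the overlap with `var/.terms_blacklist` (which PatternsRetriever merges in) could be mentioned here as well.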
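--- /dev/null
+++ b/etc/module.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0"?>
+<!--
+* MagedIn Technology
+*
+* Do not edit this file if you want to update this module for future new versions.
+*
+* @category MagedIn
+* @copyright Copyright (c) 2024 MagedIn Technology.
+*
+* @author MagedIn Support <support@magedin.com>
+-->
+
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:noNamespaceSchemaLocation="urn:magento:framework:Module/etc/module.xsd">
+<module name="MagedIn_TrojanRequestBlocker">
+<sequence>
+<module name="Magento_Sales"/>
+</sequence>
+</module>
+</config>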
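--- /dev/null
+++ b/registration.php
@@ -0,0 +1,19 @@
+<?php
+/**
+* MagedIn Technology
+*
+* Do not edit this file if you want to update this module for future new versions.
+*
+* @category MagedIn
+* @copyright Copyright (c) 2024 MagedIn Technology.
+*
+* @author MagedIn Support <support@magedin.com>
+*/
+
+use Magento\Framework\Component\ComponentRegistrar;
+
+ComponentRegistrar::register(
+ComponentRegistrar::MODULE,
+'MagedIn_TrojanRequestBlocker',
+__DIR__
+);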
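Review bot: This file omits `declare(strict_types=1);` while every other PHP file in the commit declares it directly after the header docblock; adding the same line after the docblock keeps the module consistent and avoids one file silently running in coercive mode.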