feat!: prevent catalog and sales rules from being disclosed publicly by default #135

Merged
rhoerr merged 1 commit into mage-os:2.4-develop from damienwebdev:prevent_undesired_discount_disclosure on Apr 15, 2025

Conversation

@damienwebdev (Member) commented Apr 14, 2025

Description (*)

In magento/magento2@efcc63b and magento/magento2@a2689a0 upstream introduced an unexpected information disclosure. These commits allow anonymous actors to call the GraphQL API and retrieve the list of all active discounts on the store.

curl --location 'https://www.yourmagentostore.com/graphql' \
--header 'Content-Type: application/json' \
--data '{"query":"query {\n    allCartRules {\n        name\n    }\n}","variables":{}}'

Manual testing scenarios (*)

  1. Run the above cURL command and see "Sharing Cart Rules information is disabled or not configured."

Contribution checklist (*)

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • README.md files for modified modules are updated and included in the pull request if any README.md predefined sections require an update
  • All automated tests passed successfully (all builds are green)
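The cURL command above is a one-shot manual check. The following script is an added example for this discussion, not code from the mage-os or magento2 repositories: it sends the same anonymous `allCartRules { name }` query (no cookies, no Authorization header) and classifies the response so the check can be scripted against a store before and after the fix. Everything other than the query itself is an assumption: the sample responses are constructed, and the error text in the "fixed" sample mirrors the wording of the manual-testing step rather than a string taken from upstream source.

```python
"""Probe a Magento / Mage-OS GraphQL endpoint for anonymous cart-rule disclosure.

Added example for the PR discussion; not part of the mage-os code base.
Only the `allCartRules { name }` query comes from the PR description. The
response shapes below are constructed samples; the exact error text a store
returns may differ.
"""
import json
import urllib.error
import urllib.request

# The anonymous query quoted in the PR description.
ALL_CART_RULES_QUERY = "query { allCartRules { name } }"


def build_payload(query: str = ALL_CART_RULES_QUERY) -> bytes:
    """Encode the GraphQL request body the same way the PR's cURL command does."""
    return json.dumps({"query": query, "variables": {}}).encode()


def classify_response(body: dict) -> str:
    """Classify a decoded GraphQL response to the allCartRules query.

    'disclosed': the anonymous caller received a non-empty list of rule names.
    'blocked':   the server answered with GraphQL errors (sharing disabled).
    'no_rules':  the field resolved, but the store has no active rules to show.
    'unknown':   anything else (e.g. the field is absent on this version).
    """
    data = body.get("data") or {}
    rules = data.get("allCartRules")
    if isinstance(rules, list) and rules:
        return "disclosed"
    # GraphQL servers usually return data.allCartRules == null alongside errors,
    # so check for errors only after ruling out a real list of names.
    if body.get("errors"):
        return "blocked"
    if isinstance(rules, list):
        return "no_rules"
    return "unknown"


def probe(endpoint: str, timeout: float = 10.0) -> tuple[str, dict]:
    """POST the anonymous query to `endpoint` (e.g. https://store/graphql).

    Network call; the constructed samples below are what the offline checks use.
    """
    req = urllib.request.Request(
        endpoint,
        data=build_payload(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as err:
        raw = err.read()  # GraphQL errors may arrive with a 4xx status; still a JSON body
    body = json.loads(raw.decode())
    return classify_response(body), body


# Constructed sample responses (not captured from a real store).
SAMPLE_VULNERABLE = {
    "data": {"allCartRules": [{"name": "Spring 20% off"}, {"name": "VIP free shipping"}]}
}
SAMPLE_FIXED = {
    "errors": [
        {
            "message": "Sharing Cart Rules information is disabled or not configured.",
            "path": ["allCartRules"],
        }
    ],
    "data": {"allCartRules": None},
}

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        verdict, _ = probe(sys.argv[1])
        print(f"{sys.argv[1]}: {verdict}")
    else:
        print("vulnerable sample:", classify_response(SAMPLE_VULNERABLE))
        print("fixed sample:     ", classify_response(SAMPLE_FIXED))
```

Run it with the store's GraphQL URL as the only argument; a verdict of `disclosed` means an unauthenticated client can still enumerate active cart rules, which is the behaviour this PR turns off by default.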

@damienwebdev damienwebdev requested a review from a team as a code owner April 14, 2025 20:39
@fballiano (Contributor) left a comment

I think this is an important fix for 1.1, @rhoerr?

@rhoerr (Contributor) commented Apr 14, 2025

Yes. Let's see test results. Looks good to me in theory.

@rhoerr left a comment

LGTM, thank you

@rhoerr rhoerr merged commit 111aa24 into mage-os:2.4-develop Apr 15, 2025
8 of 9 checks passed
@hostep (Contributor) commented Apr 15, 2025

Should we also disable the config field customer/account_information/graphql_share_all_customer_groups that was introduced in Magento 2.4.8? This also exposes info publicly via graphql, which shopowners may consider to be private information.

@damienwebdev damienwebdev deleted the prevent_undesired_discount_disclosure branch April 15, 2025 10:47

4 participants