The future of Sylius API. Read more

Blog

Welcome to our blog, where we share news related to Sylius and post about technology & eCommerce.

Kamil Kokot
27.01.2020 | 2 mins read

Security releases announcement – January 2020

The quality of our software has always been the most important thing for us. Today we published fixes for two security vulnerabilities found in Sylius/Sylius and Sylius/SyliusResourceBundle.

CVE-2020-5218: Ability to switch channels via a GET parameter enabled in production environments

The original security advisory has been published on GitHub at Sylius/Sylius repository.

 

Impact

This vulnerability gives the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when %kernel.debug% is set to true.

However, if no sylius_channel.debug is set explicitly in the configuration, the default value which is %kernel.debug% will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false.

Patches

Patch has been provided for Sylius 1.3.x and newer – 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.

Workarounds

Unsupported versions could be patched by adding the following configuration to run in production:

sylius_channel:
    debug: false

CVE-2020-5220: Ability to define unintended serialisation groups via an HTTP header which might lead to data exposure

The original security advisory has been published on GitHub at Sylius/SyliusResourceBundle repository.

 

Impact

ResourceBundle accepts and uses any serialisation groups to be passed via an HTTP header. This might lead to data exposure by using an unintended serialisation group – for example, it could make Shop API use a more permissive group from Admin API.

Anyone exposing an API with ResourceBundle’s controller is affected. The vulnerable versions are: <1.3 || >=1.3.0 <=1.3.12 || >=1.4.0 <=1.4.5 || >=1.5.0 <=1.5.0 || >=1.6.0 <=1.6.2.

Patches

The patch is provided for ResourceBundle 1.3.13, 1.4.6, 1.5.1 and 1.6.3, but not for any versions below 1.3.

After it is applied, It allows choosing only the groups that are defined in serialization_groups or allowed_serialization_groups route definition. Any group not defined in those will not be used.

This behaviour might be a BC break for those using custom groups via the HTTP header, please adjust allowed_serialization_groups accordingly.

Workarounds

Service sylius.resource_controller.request_configuration_factory can be overridden with an implementation copied from Sylius\Bundle\ResourceBundle\Controller\RequestConfigurationFactory where the part that handles custom serialisation groups is deleted.

Getting started with Sylius
Online course (8h)

Kamil Kokot
See my roles

A huge talent and a crazy imagination owner. Exceptional joker. Programmer by day, Krzysztof Krawczyk (famous polish evergreen songs composer) fan by night. Frequent concert-goer who loves to learn useless skills.

Be the first to find out about new posts. Join to our newsletter!