Merge pull request #658 from magento-mpi/MAGETWO-43348

[MPI] Sprint 72

Author: Korshenko, Olexii(okorshenko)

app/code/Magento/Authorizenet/Model/Authorizenet.php

@@ -104,6 +104,11 @@ abstract class Authorizenet extends \Magento\Payment\Model\Method\Cc
      */
     protected $_debugReplacePrivateDataKeys = ['merchantAuthentication', 'x_login'];
 
+    /**
+     * @var \Magento\Framework\Xml\Security
+     */
+    protected $xmlSecurityHelper;
+
     /**
      * @param \Magento\Framework\Model\Context $context
      * @param \Magento\Framework\Registry $registry
@@ -117,6 +122,7 @@ abstract class Authorizenet extends \Magento\Payment\Model\Method\Cc
      * @param \Magento\Authorizenet\Helper\Data $dataHelper
      * @param \Magento\Authorizenet\Model\Request\Factory $requestFactory
      * @param \Magento\Authorizenet\Model\Response\Factory $responseFactory
+     * @param \Magento\Framework\Xml\Security $xmlSecurityHelper
      * @param \Magento\Framework\Model\Resource\AbstractResource $resource
      * @param \Magento\Framework\Data\Collection\AbstractDb $resourceCollection
      * @param array $data
@@ -135,13 +141,15 @@ public function __construct(
         \Magento\Authorizenet\Helper\Data $dataHelper,
         \Magento\Authorizenet\Model\Request\Factory $requestFactory,
         \Magento\Authorizenet\Model\Response\Factory $responseFactory,
+        \Magento\Framework\Xml\Security $xmlSecurityHelper,
         \Magento\Framework\Model\Resource\AbstractResource $resource = null,
         \Magento\Framework\Data\Collection\AbstractDb $resourceCollection = null,
         array $data = []
     ) {
         $this->dataHelper = $dataHelper;
         $this->requestFactory = $requestFactory;
         $this->responseFactory = $responseFactory;
+        $this->xmlSecurityHelper = $xmlSecurityHelper;
 
         parent::__construct(
             $context,
@@ -489,6 +497,10 @@ protected function loadTransactionDetails($transactionId)
 
         try {
             $responseBody = $client->request()->getBody();
+            if (!$this->xmlSecurityHelper->scan($responseBody)) {
+                $this->_logger->critical('Attempt loading of external XML entities in response from Authorizenet.');
+                throw new \Exception();
+            }
             $debugData['response'] = $responseBody;
             libxml_use_internal_errors(true);
             $responseXmlDocument = new \Magento\Framework\Simplexml\Element($responseBody);

app/code/Magento/Authorizenet/Model/Directpost.php

@@ -130,6 +130,7 @@ class Directpost extends \Magento\Authorizenet\Model\Authorizenet implements Tra
      * @param \Magento\Authorizenet\Helper\Data $dataHelper
      * @param \Magento\Authorizenet\Model\Directpost\Request\Factory $requestFactory
      * @param \Magento\Authorizenet\Model\Directpost\Response\Factory $responseFactory
+     * @param \Magento\Framework\Xml\Security $xmlSecurityHelper
      * @param \Magento\Sales\Model\OrderFactory $orderFactory
      * @param \Magento\Store\Model\StoreManagerInterface $storeManager
      * @param \Magento\Quote\Model\QuoteRepository $quoteRepository
@@ -153,6 +154,7 @@ public function __construct(
         \Magento\Authorizenet\Helper\Data $dataHelper,
         \Magento\Authorizenet\Model\Directpost\Request\Factory $requestFactory,
         \Magento\Authorizenet\Model\Directpost\Response\Factory $responseFactory,
+        \Magento\Framework\Xml\Security $xmlSecurityHelper,
         \Magento\Sales\Model\OrderFactory $orderFactory,
         \Magento\Store\Model\StoreManagerInterface $storeManager,
         \Magento\Quote\Model\QuoteRepository $quoteRepository,
@@ -183,6 +185,7 @@ public function __construct(
             $dataHelper,
             $requestFactory,
             $responseFactory,
+            $xmlSecurityHelper,
             $resource,
             $resourceCollection,
             $data

app/code/Magento/Authorizenet/etc/adminhtml/system.xml

@@ -45,7 +45,7 @@
                     <label>Gateway URL</label>
                 </field>
                 <field id="cgi_url_td" translate="label" type="text" sortOrder="100" showInDefault="1" showInWebsite="1" showInStore="0">
-                    <label>Transaction Details Url</label>
+                    <label>Transaction Details URL</label>
                 </field>
                 <field id="currency" translate="label" type="select" sortOrder="110" showInDefault="1" showInWebsite="1" showInStore="0">
                     <label>Accepted Currency</label>

app/code/Magento/Authorizenet/view/frontend/web/js/view/payment/method-renderer/authorizenet-directpost.js

@@ -48,7 +48,7 @@ define(
                 var self = this;
                 if (this.validateHandler() && additionalValidators.validate()) {
                     this.isPlaceOrderActionAllowed(false);
-                    $.when(setPaymentInformationAction(this.messageContainer)).done(function() {
+                    $.when(setPaymentInformationAction(this.messageContainer, {'method': self.getCode()})).done(function() {
                         self.placeOrderHandler();
                     }).fail(function() {
                         self.isPlaceOrderActionAllowed(true);

app/code/Magento/Braintree/Block/Creditcard/Management.php

@@ -258,7 +258,7 @@ public function currentCustomerLastName()
      */
     public function getEditUrl($token)
     {
-        return $this->getUrl('braintree/creditcard/edit', ['token' => $token]);
+        return $this->getUrl('braintree/creditcard/edit', ['token' => $token, '_secure' => true]);
     }
 
     /**
@@ -269,7 +269,7 @@ public function getEditUrl($token)
      */
     public function getDeleteUrl($token)
     {
-        return $this->getUrl('braintree/creditcard/delete', ['token' => $token]);
+        return $this->getUrl('braintree/creditcard/delete', ['token' => $token, '_secure' => true]);
     }
 
     /**
@@ -279,7 +279,7 @@ public function getDeleteUrl($token)
      */
     public function getAddUrl()
     {
-        return $this->getUrl('braintree/creditcard/newcard');
+        return $this->getUrl('braintree/creditcard/newcard', ['_secure' => true]);
     }
 
     /**
@@ -289,7 +289,7 @@ public function getAddUrl()
      */
     public function getDeleteConfirmUrl()
     {
-        return $this->getUrl('braintree/creditcard/deleteconfirm');
+        return $this->getUrl('braintree/creditcard/deleteconfirm', ['_secure' => true]);
     }
 
     /**
@@ -299,7 +299,7 @@ public function getDeleteConfirmUrl()
      */
     public function getAjaxSaveUrl()
     {
-        return $this->getUrl('braintree/creditcard/ajaxsave');
+        return $this->getUrl('braintree/creditcard/ajaxsave', ['_secure' => true]);
     }
 
     /**
@@ -309,7 +309,7 @@ public function getAjaxSaveUrl()
      */
     public function getFormAction()
     {
-        return $this->getUrl('braintree/creditcard/save');
+        return $this->getUrl('braintree/creditcard/save', ['_secure' => true]);
     }
 
     /**
@@ -319,7 +319,7 @@ public function getFormAction()
      */
     public function getBackUrl()
     {
-        return $this->getUrl('braintree/creditcard/index');
+        return $this->getUrl('braintree/creditcard/index', ['_secure' => true]);
     }
 
     /**

app/code/Magento/Braintree/Block/PayPal/Shortcut.php

@@ -125,7 +125,7 @@ public function getAmount()
      */
     public function getReviewPageUrl()
     {
-        return $this->_urlBuilder->getUrl('braintree/paypal/review');
+        return $this->_urlBuilder->getUrl('braintree/paypal/review', ['_secure' => true]);
     }
 
     /**

app/code/Magento/Braintree/Controller/PayPal/SaveShippingMethod.php

@@ -38,11 +38,11 @@ public function execute()
         if ($isAjax) {
             $this->getResponse()->setBody(
                 '<script>window.location.href = '
-                . $this->_url->getUrl('*/*/review')
+                . $this->_url->getUrl('*/*/review', ['_secure' => true])
                 . ';</script>'
             );
         } else {
-            $this->_redirect('*/*/review');
+            $this->_redirect('*/*/review', ['_secure' => true]);
         }
     }
 }

app/code/Magento/Braintree/Model/ConfigProvider.php

@@ -134,7 +134,7 @@ public function show3dSecure()
      */
     public function getAjaxGenerateNonceUrl()
     {
-        return $this->urlBuilder->getUrl('braintree/creditcard/generate');
+        return $this->urlBuilder->getUrl('braintree/creditcard/generate', ['_secure' => true]);
     }
 
     /**

app/code/Magento/Braintree/Model/PaymentMethod.php

@@ -95,7 +95,7 @@ class PaymentMethod extends \Magento\Payment\Model\Method\Cc
      * @var bool
      */
     protected $_canRefundInvoicePartial = true;
-  
+
     /**
      * @var string
      */
@@ -289,7 +289,7 @@ public function validate()
                 throw new LocalizedException($error);
             }
         }
-        
+
         return $this;
     }
 
@@ -474,7 +474,7 @@ protected function braintreeAuthorize(InfoInterface $payment, $amount, $capture,
             $this->_debug($transactionParams);
             try {
                 $result = $this->braintreeTransaction->sale($transactionParams);
-                $this->_debug($result);
+                $this->_debug($this->_convertObjToArray($result));
             } catch (\Exception $e) {
                 $this->_logger->critical($e);
                 throw new LocalizedException(__('Please try again later'));
@@ -589,8 +589,8 @@ public function capture(InfoInterface $payment, $amount)
                     $this->partialCapture($payment, $amount);
                 } else {
                     $result = $this->braintreeTransaction->submitForSettlement($payment->getCcTransId(), $amount);
-                    $this->_debug($payment->getCcTransId().' - '.$amount);
-                    $this->_debug($result);
+                    $this->_debug([$payment->getCcTransId().' - '.$amount]);
+                    $this->_debug($this->_convertObjToArray($result));
                     if ($result->success) {
                         $payment->setIsTransactionClosed(0)
                             ->setShouldCloseParentTransaction(false);
@@ -621,8 +621,8 @@ public function refund(InfoInterface $payment, $amount)
         $transactionId = $this->braintreeHelper->clearTransactionId($payment->getRefundTransactionId());
         try {
             $transaction = $this->braintreeTransaction->find($transactionId);
-            $this->_debug($payment->getCcTransId());
-            $this->_debug($transaction);
+            $this->_debug([$payment->getCcTransId()]);
+            $this->_debug($this->_convertObjToArray($transaction));
             if ($transaction->status === \Braintree_Transaction::SUBMITTED_FOR_SETTLEMENT) {
                 if ($transaction->amount != $amount) {
                     $message = __('This refund is for a partial amount but the Transaction has not settled.')
@@ -641,7 +641,7 @@ public function refund(InfoInterface $payment, $amount)
             $result = $canVoid
                 ? $this->braintreeTransaction->void($transactionId)
                 : $this->braintreeTransaction->refund($transactionId, $amount);
-            $this->_debug($result);
+            $this->_debug($this->_convertObjToArray($result));
             if ($result->success) {
                 $payment->setIsTransactionClosed(1);
             } else {
@@ -711,9 +711,9 @@ public function void(InfoInterface $payment)
         }
         $errors = '';
         foreach ($transactionIds as $transactionId) {
-            $this->_debug('void-' . $transactionId);
+            $this->_debug(['void-' . $transactionId]);
             $result = $this->braintreeTransaction->void($transactionId);
-            $this->_debug($result);
+            $this->_debug($this->_convertObjToArray($result));
             if (!$result->success) {
                 $errors .= ' ' . $this->errorHelper->parseBraintreeError($result)->getText();
             } elseif ($message) {
@@ -853,7 +853,7 @@ protected function getChannel()
      */
     protected function cloneTransaction($amount, $transactionId)
     {
-        $this->_debug('clone-' . $transactionId . ' amount=' . $amount);
+        $this->_debug(['clone-' . $transactionId . ' amount=' . $amount]);
         $result = $this->braintreeTransaction->cloneTransaction(
             $transactionId,
             [
@@ -863,7 +863,7 @@ protected function cloneTransaction($amount, $transactionId)
                 ]
             ]
         );
-        $this->_debug($result);
+        $this->_debug($this->_convertObjToArray($result));
         return $result;
     }
 
@@ -907,28 +907,6 @@ public function canVoid()
         return $this->_canVoid;
     }
 
-    /**
-     * Log debug data to file
-     *
-     * @param mixed $debugData
-     * @return $this
-     */
-    protected function _debug($debugData)
-    {
-        if (!$this->config->isDebugEnabled()) {
-            return $this;
-        }
-        if (!is_array($debugData)) {
-            if (is_object($debugData)) {
-                $debugData = var_export($debugData, true);
-            } else {
-                $debugData = [$debugData];
-            }
-        }
-        parent::_debug((array)$debugData);
-        return $this;
-    }
-
     /**
      * Return replace keys for debug data
      *
@@ -957,4 +935,14 @@ public function getConfigData($field, $storeId = null)
         }
         return $this->config->getConfigData($field, $storeId);
     }
+
+    /**
+     * Convert response from Braintree to array
+     * @param \Braintree_Result_Successful|\Braintree_Result_Error|\Braintree_Transaction $data
+     * @return array
+     */
+    protected function _convertObjToArray($data)
+    {
+        return json_decode(json_encode($data), true);
+    }
 }

app/code/Magento/Braintree/Model/PaymentMethod/PayPal.php

@@ -290,8 +290,8 @@ public function capture(InfoInterface $payment, $amount)
         try {
             if ($payment->getCcTransId()) {
                 $result = $this->braintreeTransaction->submitForSettlement($payment->getCcTransId(), $amount);
-                $this->_debug($payment->getCcTransId().' - '.$amount);
-                $this->_debug($result);
+                $this->_debug([$payment->getCcTransId().' - '.$amount]);
+                $this->_debug($this->_convertObjToArray($result));
                 if ($result->success) {
                     $payment->setIsTransactionClosed(0)
                         ->setShouldCloseParentTransaction(false);

app/code/Magento/Braintree/etc/adminhtml/system.xml

@@ -8,7 +8,7 @@
 <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="../../../Config/etc/system_file.xsd">
     <system>
         <section id="payment">
-            <group id="braintree_section" translate="label" type="text" sortOrder="25" showInDefault="1" showInWebsite="1" showInStore="1">
+            <group id="braintree_section" translate="label" type="text" sortOrder="2" showInDefault="1" showInWebsite="1" showInStore="1">
                 <label>Braintree</label>
                 <comment><![CDATA[Accept credit/debit cards and PayPal in your Magento store. No setup or monthly fees and your customers never leave your store to complete the purchase.]]></comment>
                 <attribute type="expanded">1</attribute>
@@ -19,15 +19,15 @@
                     <frontend_model>Magento\Paypal\Block\Adminhtml\System\Config\Fieldset\Payment</frontend_model>
                     <attribute type="activity_path">payment/braintree/active</attribute>
                     <field id="active" translate="label" type="select" sortOrder="10" showInDefault="1" showInWebsite="1" showInStore="0">
-                        <label>Enabled Braintree</label>
+                        <label>Enable this Solution</label>
                         <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
                         <config_path>payment/braintree/active</config_path>
                         <requires>
                             <group id="braintree_required"/>
                         </requires>
                     </field>
                     <field id="active_braintree_pay_pal" translate="label" type="select" sortOrder="11" showInDefault="1" showInWebsite="1" showInStore="0">
-                        <label>Enabled PayPal through Braintree</label>
+                        <label>Enable PayPal through Braintree</label>
                         <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
                         <config_path>payment/braintree_paypal/active</config_path>
                         <requires>
@@ -221,10 +221,10 @@
                         </field>
                     </group>
                     <group id="braintree_3dsecure" translate="label" showInDefault="1" showInWebsite="1" sortOrder="41">
-                        <label>3d Secure Verification Settings</label>
+                        <label>3D Secure Verification Settings</label>
                         <frontend_model>Magento\Config\Block\System\Config\Form\Fieldset</frontend_model>
                         <field id="verify_3dsecure" translate="label" type="select" sortOrder="150" showInDefault="1" showInWebsite="1" showInStore="0">
-                            <label>3d Secure Verification</label>
+                            <label>3D Secure Verification</label>
                             <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
                             <config_path>payment/braintree/verify_3dsecure</config_path>
                         </field>

app/code/Magento/Braintree/i18n/en_US.csv

@@ -282,3 +282,7 @@
 "Invalid request format","Invalid request format"
 "Cannot update subscription to a plan with a different billing frequency.","Cannot update subscription to a plan with a different billing frequency."
 "Mismatch currency iso code","Mismatch currency iso code"
+"Enable this Solution","Enable this Solution"
+"Enable PayPal through Braintree","Enable PayPal through Braintree"
+"3D Secure Verification Settings","3D Secure Verification Settings"
+"3D Secure Verification","3D Secure Verification"