CVE-2022-31000: Merge pull request from GHSA-8639-qx56-r428 · solidusio/solidus@de796a2

solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order’s adjustments if they hold its number, and the execution happens on a store administrator’s computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch.


@@ -111,6 +111,44 @@ end end
context “admin bulk editing adjustments” do it “allows finalizing all the adjustments” do order.all_adjustments.each(&:unfinalize!)
click_button “Finalize All Adjustments”
expect(order.reload.adjustments.all?(&:finalized?)).to be(true) end
it “allows unfinalizing all the adjustments” do order.all_adjustments.each(&:finalize!)
click_button “Unfinalize All Adjustments”
expect(order.reload.adjustments.any?(&:finalized?)).to be(false) end
it “can’t finalize via a GET request” do order.all_adjustments.each(&:unfinalize!)
expect { visit “/admin/orders/#{order.number}/adjustments/finalize” }.to raise_error(ActionController::RoutingError)
expect(order.reload.adjustments.any?(&:finalized?)).to be(false) end
it “can’t unfinalize via a GET request” do order.all_adjustments.each(&:finalize!)
expect { visit “/admin/orders/#{order.number}/adjustments/unfinalize” }.to raise_error(ActionController::RoutingError)
expect(order.reload.adjustments.all?(&:finalized?)).to be(true) end end
context “deleting an adjustment” do context ‘when the adjustment is finalized’ do let!(:adjustment) { super().tap(&:finalize!) }
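Review bot: the two GET-rejection specs near the end of the hunk assert `raise_error(ActionController::RoutingError)` on `visit`, which only holds when the test environment surfaces exceptions instead of rendering a 404 page; if `show_exceptions` is on, the `expect { visit ... }` block does not raise even though the route is gone. The following `expect(order.reload.adjustments...)` lines already pin down that the state was not changed, so consider relying on those (or on the response status) rather than the raised exception, and add a routing or request spec that names the verb the finalize/unfinalize routes now accept, since nothing visible in this hunk shows which non-safe verb replaced GET.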

Related news

GHSA-8639-qx56-r428: CSRF allows attacker to finalize/unfinalize order adjustments in solidus_backend

### Impact

CSRF vulnerability allowing attackers to change the state of an order's adjustments if they hold its number, and the execution happens on a store administrator's computer.

Reproduction steps:

- Take an order's number.
- Log in as an administrator.
- Visit that order's adjustments section (_Orders -> {Click on number} -> Adjustments_) and check that its adjustments are finalized (closed padlock under the **State** column).
- On another tab, visit `{your_site_url}/admin/orders/{order_number}/adjustments/unfinalize`.
- Notice how the adjustments are unfinalized (open padlock), even if the previous was a `GET` request which could have been linked from any other site.
- Visit `{your_site_url}/admin/orders/{order_number}/adjustments/finalize`.
- Notice how the adjustments are again finalized.

That happened because both routes were handled as `GET` requests, which are skipped by Rails anti-forgery protection.

### Patches

Users should upgrade to solidus_backend v3.1.6, v3.0.6, or...
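The mechanism the advisory describes, as an added example that is not Solidus or Rails code: a small Ruby model of Rails' safe-verb exemption from forgery protection, dispatching the two adjustment routes first declared as `GET` (the vulnerable shape) and then as `POST` (assumed here as the non-safe replacement; the order number is a constructed placeholder).

```ruby
require 'securerandom'

# Constructed illustration, not Solidus or Rails code: a toy model of Rails'
# forgery check plus the two adjustment routes. "R123456789" is a made-up order number.
Request = Struct.new(:verb, :path, :params)

# Rails treats GET/HEAD as "safe" and skips the authenticity-token check for them;
# any other verb must carry the token issued to the admin's session.
def verified_request?(request, session_token)
  return true if %w[GET HEAD].include?(request.verb)
  request.params['authenticity_token'] == session_token
end

class AdminAdjustments
  attr_reader :finalized, :session_token
  # route_verb: 'GET' models the vulnerable routes, 'POST' a non-safe replacement.
  def initialize(route_verb:)
    @finalized = true                       # padlock closed
    @session_token = SecureRandom.hex(16)   # token only the admin's own page has
    @routes = {
      [route_verb, 'finalize'] => :finalize,
      [route_verb, 'unfinalize'] => :unfinalize
    }
  end
  def dispatch(request)
    action = @routes[[request.verb, request.path.split('/').last]]
    return :routing_error unless action     # ActionController::RoutingError
    return :invalid_authenticity_token unless verified_request?(request, @session_token)
    @finalized = (action == :finalize)
    :ok
  end
end

ORDER_PATH = '/admin/orders/R123456789/adjustments/unfinalize'

# A link or <img> from another site is a GET with no token: GET routes flip the state,
# POST routes answer with a routing error and nothing changes.
def forged_link_changes_state?(route_verb)
  app = AdminAdjustments.new(route_verb: route_verb)
  app.dispatch(Request.new('GET', ORDER_PATH, {}))
  !app.finalized
end

# With POST routes a forged cross-site form (no token) is rejected, while the
# admin's own form, carrying the session token, still unfinalizes the adjustments.
def hardened_outcomes
  app = AdminAdjustments.new(route_verb: 'POST')
  {
    forged_form: app.dispatch(Request.new('POST', ORDER_PATH, {})),
    admin_form:  app.dispatch(Request.new('POST', ORDER_PATH, { 'authenticity_token' => app.session_token })),
    finalized:   app.finalized
  }
end
```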
