Fixed memory exhaustion during encryption key re-encryption (#571)

fballiano · web-flow · commit 419e3ad2367e · 2026-02-19T22:09:49.000Z
diff --git a/app/code/core/Mage/Checkout/Model/Observer.php b/app/code/core/Mage/Checkout/Model/Observer.php
@@ -46,25 +46,15 @@ public function encryptionKeyRegenerated(\Maho\Event\Observer $observer): void
         $output = $observer->getEvent()->getOutput();
         $encryptCallback = $observer->getEvent()->getEncryptCallback();
         $decryptCallback = $observer->getEvent()->getDecryptCallback();
-        $readConnection = Mage::getSingleton('core/resource')->getConnection('core_read');
-        $writeConnection = Mage::getSingleton('core/resource')->getConnection('core_write');
 
         $output->write('Re-encrypting data on sales_flat_quote table... ');
-
-        $table = Mage::getSingleton('core/resource')->getTableName('sales_flat_quote');
-        $select = $readConnection->select()
-            ->from($table)
-            ->where('password_hash IS NOT NULL');
-        $encryptedData = $readConnection->fetchAll($select);
-
-        foreach ($encryptedData as $encryptedDataRow) {
-            $writeConnection->update(
-                $table,
-                ['password_hash' => $encryptCallback($decryptCallback($encryptedDataRow['password_hash']))],
-                ['entity_id = ?' => $encryptedDataRow['entity_id']],
-            );
-        }
-
+        Mage::helper('core')->recryptTable(
+            Mage::getSingleton('core/resource')->getTableName('sales_flat_quote'),
+            'entity_id',
+            ['password_hash'],
+            $encryptCallback,
+            $decryptCallback,
+        );
         $output->writeln('OK');
     }
 }
diff --git a/app/code/core/Mage/Core/Helper/Data.php b/app/code/core/Mage/Core/Helper/Data.php
@@ -1163,4 +1163,66 @@ public function getIconSvg(string $name, string $variant = 'outline', string $ro
         $iconSvg = str_replace('<svg ', '<svg role="' . $role . '" ', $iconSvg);
         return $iconSvg;
     }
+
+    /**
+     * Re-encrypt columns in a table using batched queries to avoid memory exhaustion.
+     *
+     * @param string[] $columns
+     */
+    public function recryptTable(
+        string $table,
+        string $primaryKey,
+        array $columns,
+        callable $encryptCallback,
+        callable $decryptCallback,
+        int $batchSize = 1000,
+    ): void {
+        $readConnection = Mage::getSingleton('core/resource')->getConnection('core_read');
+        $writeConnection = Mage::getSingleton('core/resource')->getConnection('core_write');
+        $lastId = 0;
+
+        $quotedPk = $readConnection->quoteIdentifier($primaryKey);
+
+        while (true) {
+            $select = $readConnection->select()
+                ->from($table, array_merge([$primaryKey], $columns))
+                ->where("$quotedPk > ?", $lastId)
+                ->order("$quotedPk ASC")
+                ->limit($batchSize);
+
+            $conditions = [];
+            foreach ($columns as $column) {
+                $conditions[] = $readConnection->quoteIdentifier($column) . ' IS NOT NULL AND '
+                    . $readConnection->quoteIdentifier($column) . " != ''";
+            }
+            $select->where(implode(' OR ', $conditions));
+
+            $rows = $readConnection->fetchAll($select);
+            if (empty($rows)) {
+                break;
+            }
+
+            foreach ($rows as $row) {
+                $updateData = [];
+                foreach ($columns as $column) {
+                    if ($row[$column] !== null && $row[$column] !== '') {
+                        $decrypted = $decryptCallback($row[$column]);
+                        if ($decrypted !== '') {
+                            $updateData[$column] = $encryptCallback($decrypted);
+                        }
+                    }
+                }
+                if (!empty($updateData)) {
+                    $writeConnection->update(
+                        $table,
+                        $updateData,
+                        ["$quotedPk = ?" => $row[$primaryKey]],
+                    );
+                }
+                $lastId = $row[$primaryKey];
+            }
+
+            unset($rows);
+        }
+    }
 }
diff --git a/app/code/core/Mage/Payment/Model/Observer.php b/app/code/core/Mage/Payment/Model/Observer.php
@@ -165,53 +165,25 @@ public function encryptionKeyRegenerated(\Maho\Event\Observer $observer): void
         $output = $observer->getEvent()->getOutput();
         $encryptCallback = $observer->getEvent()->getEncryptCallback();
         $decryptCallback = $observer->getEvent()->getDecryptCallback();
-        $readConnection = Mage::getSingleton('core/resource')->getConnection('core_read');
-        $writeConnection = Mage::getSingleton('core/resource')->getConnection('core_write');
 
         $output->write('Re-encrypting data on sales_flat_quote_payment table... ');
-        $table = Mage::getSingleton('core/resource')->getTableName('sales_flat_quote_payment');
-
-        $select = $readConnection->select()
-            ->from($table)
-            ->where('cc_number_enc IS NOT NULL');
-        $encryptedData = $readConnection->fetchAll($select);
-        foreach ($encryptedData as $encryptedDataRow) {
-            $writeConnection->update(
-                $table,
-                ['cc_number_enc' => $encryptCallback($decryptCallback($encryptedDataRow['cc_number_enc']))],
-                ['payment_id = ?' => $encryptedDataRow['payment_id']],
-            );
-        }
-
-        $select = $readConnection->select()
-            ->from($table)
-            ->where('cc_cid_enc IS NOT NULL');
-        $encryptedData = $readConnection->fetchAll($select);
-        foreach ($encryptedData as $encryptedDataRow) {
-            $writeConnection->update(
-                $table,
-                ['cc_cid_enc' => $encryptCallback($decryptCallback($encryptedDataRow['cc_cid_enc']))],
-                ['payment_id = ?' => $encryptedDataRow['payment_id']],
-            );
-        }
-
+        Mage::helper('core')->recryptTable(
+            Mage::getSingleton('core/resource')->getTableName('sales_flat_quote_payment'),
+            'payment_id',
+            ['cc_number_enc', 'cc_cid_enc'],
+            $encryptCallback,
+            $decryptCallback,
+        );
         $output->writeln('OK');
 
         $output->write('Re-encrypting data on sales_flat_order_payment table... ');
-        $table = Mage::getSingleton('core/resource')->getTableName('sales_flat_order_payment');
-
-        $select = $readConnection->select()
-            ->from($table)
-            ->where('cc_number_enc IS NOT NULL');
-        $encryptedData = $readConnection->fetchAll($select);
-        foreach ($encryptedData as $encryptedDataRow) {
-            $writeConnection->update(
-                $table,
-                ['cc_number_enc' => $encryptCallback($decryptCallback($encryptedDataRow['cc_number_enc']))],
-                ['entity_id = ?' => $encryptedDataRow['entity_id']],
-            );
-        }
-
+        Mage::helper('core')->recryptTable(
+            Mage::getSingleton('core/resource')->getTableName('sales_flat_order_payment'),
+            'entity_id',
+            ['cc_number_enc', 'cc_cid_enc'],
+            $encryptCallback,
+            $decryptCallback,
+        );
         $output->writeln('OK');
     }
 }
diff --git a/app/code/core/Maho/AdminActivityLog/Model/Observer.php b/app/code/core/Maho/AdminActivityLog/Model/Observer.php
@@ -462,38 +462,15 @@ public function encryptionKeyRegenerated(\Maho\Event\Observer $observer): void
         $output = $observer->getEvent()->getOutput();
         $encryptCallback = $observer->getEvent()->getEncryptCallback();
         $decryptCallback = $observer->getEvent()->getDecryptCallback();
-        $readConnection = Mage::getSingleton('core/resource')->getConnection('core_read');
-        $writeConnection = Mage::getSingleton('core/resource')->getConnection('core_write');
 
         $output->write('Re-encrypting data on adminactivitylog_activity table... ');
-        $table = Mage::getSingleton('core/resource')->getTableName('adminactivitylog/activity');
-
-        // Re-encrypt old_data
-        $select = $readConnection->select()
-            ->from($table)
-            ->where('old_data IS NOT NULL');
-        $encryptedData = $readConnection->fetchAll($select);
-        foreach ($encryptedData as $encryptedDataRow) {
-            $writeConnection->update(
-                $table,
-                ['old_data' => $encryptCallback($decryptCallback($encryptedDataRow['old_data']))],
-                ['activity_id = ?' => $encryptedDataRow['activity_id']],
-            );
-        }
-
-        // Re-encrypt new_data
-        $select = $readConnection->select()
-            ->from($table)
-            ->where('new_data IS NOT NULL');
-        $encryptedData = $readConnection->fetchAll($select);
-        foreach ($encryptedData as $encryptedDataRow) {
-            $writeConnection->update(
-                $table,
-                ['new_data' => $encryptCallback($decryptCallback($encryptedDataRow['new_data']))],
-                ['activity_id = ?' => $encryptedDataRow['activity_id']],
-            );
-        }
-
+        Mage::helper('core')->recryptTable(
+            Mage::getSingleton('core/resource')->getTableName('adminactivitylog/activity'),
+            'activity_id',
+            ['old_data', 'new_data'],
+            $encryptCallback,
+            $decryptCallback,
+        );
         $output->writeln('OK');
     }
 
diff --git a/app/code/core/Maho/FeedManager/Model/Observer.php b/app/code/core/Maho/FeedManager/Model/Observer.php
@@ -22,31 +22,14 @@ public function encryptionKeyRegenerated(Maho\Event\Observer $observer): void
         $encryptCallback = $observer->getEvent()->getEncryptCallback();
         $decryptCallback = $observer->getEvent()->getDecryptCallback();
 
-        $readConnection = Mage::getSingleton('core/resource')->getConnection('core_read');
-        $writeConnection = Mage::getSingleton('core/resource')->getConnection('core_write');
-
         $output->write('Re-encrypting data on feedmanager_destination table... ');
-
-        $table = Mage::getSingleton('core/resource')->getTableName('feedmanager/destination');
-
-        $select = $readConnection->select()
-            ->from($table, ['destination_id', 'config'])
-            ->where('config IS NOT NULL')
-            ->where('config != ?', '');
-
-        $destinations = $readConnection->fetchAll($select);
-
-        foreach ($destinations as $row) {
-            $decrypted = $decryptCallback($row['config']);
-            if ($decrypted !== '') {
-                $writeConnection->update(
-                    $table,
-                    ['config' => $encryptCallback($decrypted)],
-                    ['destination_id = ?' => $row['destination_id']],
-                );
-            }
-        }
-
+        Mage::helper('core')->recryptTable(
+            Mage::getSingleton('core/resource')->getTableName('feedmanager/destination'),
+            'destination_id',
+            ['config'],
+            $encryptCallback,
+            $decryptCallback,
+        );
         $output->writeln('OK');
     }
 }
diff --git a/lib/MahoCLI/Commands/SysEncryptionKeyRegenerate.php b/lib/MahoCLI/Commands/SysEncryptionKeyRegenerate.php
@@ -123,7 +123,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int
             $output->writeln('<comment>Skipping re-encryption of existing data (M1 key without mcrypt support).</comment>');
             $output->writeln('<comment>Old encrypted data will no longer be decryptable. New data will use the new key.</comment>');
         } else {
-            $this->recryptAdminUserTable($output, $readConnection, $writeConnection);
+            $this->recryptAdminUserTable($output);
             $this->recryptCoreConfigDataTable($output, $readConnection, $writeConnection);
             Mage::app()->getCache()->clean('config');
 
@@ -151,24 +151,16 @@ protected function execute(InputInterface $input, OutputInterface $output): int
         return Command::SUCCESS;
     }
 
-    protected function recryptAdminUserTable(OutputInterface $output, \Maho\Db\Adapter\AdapterInterface $readConnection, \Maho\Db\Adapter\AdapterInterface $writeConnection): void
+    protected function recryptAdminUserTable(OutputInterface $output): void
     {
         $output->write('Re-encrypting data on admin_user table... ');
-
-        $table = Mage::getSingleton('core/resource')->getTableName('admin_user');
-        $select = $readConnection->select()
-            ->from($table)
-            ->where('twofa_secret IS NOT NULL');
-        $encryptedData = $readConnection->fetchAll($select);
-
-        foreach ($encryptedData as $encryptedDataRow) {
-            $writeConnection->update(
-                $table,
-                ['twofa_secret' => $this->encrypt($this->decrypt($encryptedDataRow['twofa_secret']))],
-                ['user_id = ?' => $encryptedDataRow['user_id']],
-            );
-        }
-
+        Mage::helper('core')->recryptTable(
+            Mage::getSingleton('core/resource')->getTableName('admin_user'),
+            'user_id',
+            ['twofa_secret'],
+            [$this, 'encrypt'],
+            [$this, 'decrypt'],
+        );
         $output->writeln('OK');
     }
 
