Merge pull request #6408 from magento-borg/MC-35390

dvoskoboinikov · web-flow · commit 83202eefb5f7 · 2020-12-02T17:12:03.000-06:00
[CIA] Bugfixes
diff --git a/app/code/Magento/Cookie/view/base/web/js/jquery.storageapi.extended.js b/app/code/Magento/Cookie/view/base/web/js/jquery.storageapi.extended.js
@@ -18,6 +18,7 @@ define([
     function _extend(storage) {
         $.extend(storage, {
             _secure: window.cookiesConfig ? window.cookiesConfig.secure : false,
+            _samesite: window.cookiesConfig ? window.cookiesConfig.samesite : 'lax',
 
             /**
              * Set value under name
@@ -30,7 +31,8 @@ define([
                     expires: this._expires,
                     path: this._path,
                     domain: this._domain,
-                    secure: this._secure
+                    secure: this._secure,
+                    samesite: this._samesite
                 };
 
                 $.cookie(this._prefix + name, value, $.extend(_default, options || {}));
@@ -58,6 +60,10 @@ define([
                     this._secure = c.secure;
                 }
 
+                if (typeof c.samesite !== 'undefined') {
+                    this._samesite = c.samesite;
+                }
+
                 return this;
             }
         });
diff --git a/app/code/Magento/Customer/Model/Account/Redirect.php b/app/code/Magento/Customer/Model/Account/Redirect.php
@@ -322,6 +322,7 @@ public function setRedirectCookie($route)
                 ->setHttpOnly(true)
                 ->setDuration(3600)
                 ->setPath($this->storeManager->getStore()->getStorePath())
+                ->setSameSite('Lax')
         );
     }
 
diff --git a/app/code/Magento/Customer/Test/Unit/Model/Account/RedirectTest.php b/app/code/Magento/Customer/Test/Unit/Model/Account/RedirectTest.php
@@ -398,6 +398,10 @@ public function testSetRedirectCookie(): void
             ->method('setPath')
             ->with('storePath')
             ->willReturnSelf();
+        $publicMetadataMock->expects($this->once())
+            ->method('setSameSite')
+            ->with('Lax')
+            ->willReturnSelf();
         $coockieManagerMock->expects($this->once())
             ->method('setPublicCookie')
             ->with(
diff --git a/app/code/Magento/Customer/view/frontend/web/js/customer-data.js b/app/code/Magento/Customer/view/frontend/web/js/customer-data.js
@@ -219,7 +219,8 @@ define([
         initStorage: function () {
             $.cookieStorage.setConf({
                 path: '/',
-                expires: new Date(Date.now() + parseInt(options.cookieLifeTime, 10) * 1000)
+                expires: new Date(Date.now() + parseInt(options.cookieLifeTime, 10) * 1000),
+                samesite: 'lax'
             });
             storage = $.initNamespaceStorage('mage-cache-storage').localStorage;
             storageInvalidation = $.initNamespaceStorage('mage-cache-storage-section-invalidation').localStorage;
diff --git a/app/code/Magento/PageCache/Plugin/RegisterFormKeyFromCookie.php b/app/code/Magento/PageCache/Plugin/RegisterFormKeyFromCookie.php
@@ -96,6 +96,7 @@ private function updateCookieFormKey(string $formKey): void
         $cookieMetadata->setDomain($this->sessionConfig->getCookieDomain());
         $cookieMetadata->setPath($this->sessionConfig->getCookiePath());
         $cookieMetadata->setSecure($this->sessionConfig->getCookieSecure());
+        $cookieMetadata->setSameSite('Lax');
         $lifetime = $this->sessionConfig->getCookieLifetime();
         if ($lifetime !== 0) {
             $cookieMetadata->setDuration($lifetime);
diff --git a/app/code/Magento/Persistent/Model/Session.php b/app/code/Magento/Persistent/Model/Session.php
@@ -12,6 +12,7 @@
  * @method int getCustomerId()
  * @method Session setCustomerId()
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
+ * @SuppressWarnings(PHPMD.CookieAndSessionMisuse)
  * @since 100.0.2
  */
 class Session extends \Magento\Framework\Model\AbstractModel
@@ -391,7 +392,8 @@ private function setCookie($value, $duration, $path)
             ->setDuration($duration)
             ->setPath($path)
             ->setSecure($this->getRequest()->isSecure())
-            ->setHttpOnly(true);
+            ->setHttpOnly(true)
+            ->setSameSite('Lax');
         $this->_cookieManager->setPublicCookie(
             self::COOKIE_NAME,
             $value,
diff --git a/app/code/Magento/Persistent/Test/Unit/Model/SessionTest.php b/app/code/Magento/Persistent/Test/Unit/Model/SessionTest.php
@@ -143,6 +143,9 @@ public function testSetPersistentCookie()
         $cookieMetadataMock->expects($this->once())
             ->method('setHttpOnly')
             ->with(true)->willReturnSelf();
+        $cookieMetadataMock->expects($this->once())
+            ->method('setSameSite')
+            ->with('Lax')->willReturnSelf();
         $this->cookieMetadataFactoryMock->expects($this->once())
             ->method('createPublicCookieMetadata')
             ->willReturn($cookieMetadataMock);
@@ -186,6 +189,9 @@ public function testRenewPersistentCookie(
         $cookieMetadataMock->expects($this->exactly($numCalls))
             ->method('setHttpOnly')
             ->with(true)->willReturnSelf();
+        $cookieMetadataMock->expects($this->exactly($numCalls))
+            ->method('setSameSite')
+            ->with('Lax')->willReturnSelf();
         $this->cookieMetadataFactoryMock->expects($this->exactly($numCalls))
             ->method('createPublicCookieMetadata')
             ->willReturn($cookieMetadataMock);
diff --git a/app/code/Magento/Sales/Helper/Guest.php b/app/code/Magento/Sales/Helper/Guest.php
@@ -211,7 +211,8 @@ private function setGuestViewCookie($cookieValue)
     {
         $metadata = $this->cookieMetadataFactory->createPublicCookieMetadata()
             ->setPath(self::COOKIE_PATH)
-            ->setHttpOnly(true);
+            ->setHttpOnly(true)
+            ->setSameSite('Lax');
         $this->cookieManager->setPublicCookie(self::COOKIE_NAME, $cookieValue, $metadata);
     }
 
diff --git a/app/code/Magento/Sales/Test/Unit/Helper/GuestTest.php b/app/code/Magento/Sales/Test/Unit/Helper/GuestTest.php
@@ -196,6 +196,10 @@ public function testLoadValidOrderNotEmptyPost($post)
             ->method('setHttpOnly')
             ->with(true)
             ->willReturnSelf();
+        $metaDataMock->expects($this->once())
+            ->method('setSameSite')
+            ->with('Lax')
+            ->willReturnSelf();
         $this->cookieMetadataFactoryMock->expects($this->once())
             ->method('createPublicCookieMetadata')
             ->willReturn($metaDataMock);
@@ -279,6 +283,10 @@ public function testLoadValidOrderStoredCookie()
             ->method('setHttpOnly')
             ->with(true)
             ->willReturnSelf();
+        $metaDataMock->expects($this->once())
+            ->method('setSameSite')
+            ->with('Lax')
+            ->willReturnSelf();
         $this->cookieMetadataFactoryMock->expects($this->once())
             ->method('createPublicCookieMetadata')
             ->willReturn($metaDataMock);
diff --git a/app/code/Magento/Security/Model/SecurityCookie.php b/app/code/Magento/Security/Model/SecurityCookie.php
@@ -10,6 +10,7 @@
 /**
  * Manager for a cookie with logout reason
  *
+ * @SuppressWarnings(PHPMD.CookieAndSessionMisuse)
  * @api
  * @since 100.1.0
  */
@@ -80,6 +81,7 @@ public function setLogoutReasonCookie($status)
     {
         $metaData = $this->createCookieMetaData();
         $metaData->setPath('/' . $this->backendData->getAreaFrontName());
+        $metaData->setSameSite('Strict');
 
         $this->phpCookieManager->setPublicCookie(
             self::LOGOUT_REASON_CODE_COOKIE_NAME,
diff --git a/app/code/Magento/Security/Test/Unit/Model/SecurityCookieTest.php b/app/code/Magento/Security/Test/Unit/Model/SecurityCookieTest.php
@@ -57,7 +57,7 @@ protected function setUp(): void
 
         $this->cookieMetadataMock = $this->createPartialMock(
             PublicCookieMetadata::class,
-            ['setPath', 'setDuration']
+            ['setPath', 'setDuration', 'setSameSite']
         );
 
         $this->cookieReaderMock = $this->createPartialMock(
@@ -118,6 +118,11 @@ public function testSetLogoutReasonCookie()
             ->with('/' . $frontName)
             ->willReturnSelf();
 
+        $this->cookieMetadataMock->expects($this->once())
+            ->method('setSameSite')
+            ->with('Strict')
+            ->willReturnSelf();
+
         $this->phpCookieManagerMock->expects($this->once())
             ->method('setPublicCookie')
             ->with(
diff --git a/app/code/Magento/SendFriend/Model/SendFriend.php b/app/code/Magento/SendFriend/Model/SendFriend.php
@@ -8,6 +8,9 @@
 namespace Magento\SendFriend\Model;
 
 use Magento\Framework\Exception\LocalizedException as CoreException;
+use Magento\Framework\Stdlib\Cookie\CookieMetadata;
+use Magento\Framework\Stdlib\Cookie\CookieMetadataFactory;
+use Magento\Framework\App\ObjectManager;
 
 /**
  * SendFriend Log
@@ -112,6 +115,11 @@ class SendFriend extends \Magento\Framework\Model\AbstractModel
      */
     protected $remoteAddress;
 
+    /**
+     * @var CookieMetadataFactory
+     */
+    private $cookieMetadataFactory;
+
     /**
      * @param \Magento\Framework\Model\Context $context
      * @param \Magento\Framework\Registry $registry
@@ -126,6 +134,7 @@ class SendFriend extends \Magento\Framework\Model\AbstractModel
      * @param \Magento\Framework\Model\ResourceModel\AbstractResource $resource
      * @param \Magento\Framework\Data\Collection\AbstractDb $resourceCollection
      * @param array $data
+     * @param CookieMetadataFactory $cookieMetadataFactory
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -141,7 +150,8 @@ public function __construct(
         \Magento\Framework\Translate\Inline\StateInterface $inlineTranslation,
         \Magento\Framework\Model\ResourceModel\AbstractResource $resource = null,
         \Magento\Framework\Data\Collection\AbstractDb $resourceCollection = null,
-        array $data = []
+        array $data = [],
+        CookieMetadataFactory $cookieMetadataFactory = null
     ) {
         $this->_storeManager = $storeManager;
         $this->_transportBuilder = $transportBuilder;
@@ -151,6 +161,9 @@ public function __construct(
         $this->remoteAddress = $remoteAddress;
         $this->cookieManager = $cookieManager;
         $this->inlineTranslation = $inlineTranslation;
+        $this->cookieMetadataFactory = $cookieMetadataFactory  ?? ObjectManager::getInstance()->get(
+               CookieMetadataFactory::class
+            );
         parent::__construct($context, $registry, $resource, $resourceCollection, $data);
     }
 
@@ -484,6 +497,11 @@ protected function _sentCountByCookies($increment = false)
         $cookieName = $this->_sendfriendData->getCookieName();
         $time = time();
         $newTimes = [];
+        $sensitiveCookMetadata = $this->cookieMetadataFactory->createSensitiveCookieMetadata(
+            [
+                CookieMetadata::KEY_SAME_SITE => 'Lax'
+            ]
+        );
 
         if (isset($this->_lastCookieValue[$cookieName])) {
             $oldTimes = $this->_lastCookieValue[$cookieName];
@@ -504,7 +522,7 @@ protected function _sentCountByCookies($increment = false)
         if ($increment) {
             $newTimes[] = $time;
             $newValue = implode(',', $newTimes);
-            $this->cookieManager->setSensitiveCookie($cookieName, $newValue);
+            $this->cookieManager->setSensitiveCookie($cookieName, $newValue, $sensitiveCookMetadata);
             $this->_lastCookieValue[$cookieName] = $newValue;
         }
 
diff --git a/app/code/Magento/SendFriend/Test/Unit/Model/SendFriendTest.php b/app/code/Magento/SendFriend/Test/Unit/Model/SendFriendTest.php
@@ -7,12 +7,15 @@
 
 namespace Magento\SendFriend\Test\Unit\Model;
 
+use Magento\Framework\Stdlib\Cookie\CookieMetadata;
+use Magento\Framework\Stdlib\Cookie\SensitiveCookieMetadata;
 use Magento\Framework\Stdlib\CookieManagerInterface;
 use Magento\Framework\TestFramework\Unit\Helper\ObjectManager;
 use Magento\SendFriend\Helper\Data;
 use Magento\SendFriend\Model\SendFriend;
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
+use Magento\Framework\Stdlib\Cookie\CookieMetadataFactory;
 
 /**
  * Test SendFriend
@@ -35,19 +38,30 @@ class SendFriendTest extends TestCase
      */
     protected $sendfriendDataMock;
 
+    /**
+     * @var MockObject|CookieMetadataFactory
+     */
+    protected $cookieMetadataFactoryMock;
+
     protected function setUp(): void
     {
         $objectManager = new ObjectManager($this);
         $this->sendfriendDataMock = $this->getMockBuilder(Data::class)
             ->disableOriginalConstructor()
             ->getMock();
         $this->cookieManagerMock = $this->getMockForAbstractClass(CookieManagerInterface::class);
+        $this->cookieMetadataFactoryMock = $this->getMockBuilder(
+            CookieMetadataFactory::class
+        )
+            ->disableOriginalConstructor()
+            ->getMock();
 
         $this->model = $objectManager->getObject(
             SendFriend::class,
             [
                 'sendfriendData' => $this->sendfriendDataMock,
                 'cookieManager' => $this->cookieManagerMock,
+                'cookieMetadataFactory' => $this->cookieMetadataFactoryMock
             ]
         );
     }
@@ -69,12 +83,25 @@ public function testGetSentCountWithCheckCookie()
     public function testSentCountByCookies()
     {
         $cookieName = 'testCookieName';
+        $sensitiveCookieMetadataMock = $this->getMockBuilder(
+            SensitiveCookieMetadata::class
+        )
+            ->disableOriginalConstructor()
+            ->getMock();
         $this->sendfriendDataMock->expects($this->once())->method('getCookieName')->with()->willReturn(
             $cookieName
         );
 
         $this->cookieManagerMock->expects($this->once())->method('getCookie')->with($cookieName);
         $this->cookieManagerMock->expects($this->once())->method('setSensitiveCookie');
+        $this->cookieMetadataFactoryMock->expects($this->once())
+            ->method('createSensitiveCookieMetadata')
+            ->with(
+                [
+                    CookieMetadata::KEY_SAME_SITE => 'Lax'
+                ]
+            )
+            ->willReturn($sensitiveCookieMetadataMock);
         $sendFriendClass = new \ReflectionClass(SendFriend::class);
         $method = $sendFriendClass->getMethod('_sentCountByCookies');
         $method->setAccessible(true);
diff --git a/app/code/Magento/Store/Model/StoreCookieManager.php b/app/code/Magento/Store/Model/StoreCookieManager.php
@@ -12,6 +12,8 @@
 
 /**
  * DTO class to work with cookies.
+ *
+ * @SuppressWarnings(PHPMD.CookieAndSessionMisuse)
  */
 class StoreCookieManager implements StoreCookieManagerInterface
 {
@@ -58,7 +60,8 @@ public function setStoreCookie(StoreInterface $store)
         $cookieMetadata = $this->cookieMetadataFactory->createPublicCookieMetadata()
             ->setHttpOnly(false)
             ->setDurationOneYear()
-            ->setPath($store->getStorePath());
+            ->setPath($store->getStorePath())
+            ->setSameSite('Lax');
 
         $this->cookieManager->setPublicCookie(self::COOKIE_NAME, $store->getCode(), $cookieMetadata);
     }
diff --git a/app/code/Magento/Store/Model/StoreSwitcher/ManagePrivateContent.php b/app/code/Magento/Store/Model/StoreSwitcher/ManagePrivateContent.php
@@ -12,6 +12,8 @@
 
 /**
  * Set private content cookie to have actual local storage data on target store after store switching.
+ *
+ * @SuppressWarnings(PHPMD.CookieAndSessionMisuse)
  */
 class ManagePrivateContent implements StoreSwitcherInterface
 {
@@ -46,6 +48,7 @@ public function __construct(
      *
      * @return string redirect url
      * @throws CannotSwitchStoreException
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
      */
     public function switch(StoreInterface $fromStore, StoreInterface $targetStore, string $redirectUrl): string
     {
@@ -54,7 +57,8 @@ public function switch(StoreInterface $fromStore, StoreInterface $targetStore, s
                 ->setDurationOneYear()
                 ->setPath('/')
                 ->setSecure(false)
-                ->setHttpOnly(false);
+                ->setHttpOnly(false)
+                ->setSameSite('Lax');
             $this->cookieManager->setPublicCookie(
                 \Magento\Framework\App\PageCache\Version::COOKIE_NAME,
                 \uniqid('updated-', true),
diff --git a/app/code/Magento/Theme/Controller/Result/MessagePlugin.php b/app/code/Magento/Theme/Controller/Result/MessagePlugin.php
@@ -134,6 +134,7 @@ private function setCookie(array $messages)
             $publicCookieMetadata->setDurationOneYear();
             $publicCookieMetadata->setPath('/');
             $publicCookieMetadata->setHttpOnly(false);
+            $publicCookieMetadata->setSameSite('Strict');
 
             $this->cookieManager->setPublicCookie(
                 self::MESSAGES_COOKIES_NAME,
diff --git a/app/code/Magento/Theme/view/frontend/web/js/view/messages.js b/app/code/Magento/Theme/view/frontend/web/js/view/messages.js
@@ -39,7 +39,10 @@ define([
                 customerData.set('messages', {});
             }
 
-            $.cookieStorage.set('mage-messages', '');
+            $.mage.cookies.set('mage-messages', '', {
+                samesite: 'strict',
+                domain: ''
+            });
         },
 
         /**
diff --git a/app/code/Magento/Wishlist/Controller/Index/Cart.php b/app/code/Magento/Wishlist/Controller/Index/Cart.php
@@ -240,7 +240,8 @@ public function execute()
                 $publicCookieMetadata = $this->cookieMetadataFactory->createPublicCookieMetadata()
                     ->setDuration(3600)
                     ->setPath('/')
-                    ->setHttpOnly(false);
+                    ->setHttpOnly(false)
+                    ->setSameSite('Strict');
 
                 $this->cookieManager->setPublicCookie(
                     'add_to_cart',
diff --git a/app/code/Magento/Wishlist/Test/Unit/Controller/Index/CartTest.php b/app/code/Magento/Wishlist/Test/Unit/Controller/Index/CartTest.php
diff --git a/lib/internal/Magento/Framework/App/PageCache/Version.php b/lib/internal/Magento/Framework/App/PageCache/Version.php
diff --git a/lib/internal/Magento/Framework/App/Response/Http.php b/lib/internal/Magento/Framework/App/Response/Http.php
diff --git a/lib/internal/Magento/Framework/App/Test/Unit/PageCache/VersionTest.php b/lib/internal/Magento/Framework/App/Test/Unit/PageCache/VersionTest.php
diff --git a/lib/internal/Magento/Framework/App/Test/Unit/Response/HttpTest.php b/lib/internal/Magento/Framework/App/Test/Unit/Response/HttpTest.php
diff --git a/lib/web/jquery/jquery.cookie.js b/lib/web/jquery/jquery.cookie.js
diff --git a/lib/web/mage/cookies.js b/lib/web/mage/cookies.js

Original file line number	Diff line number	Diff line change
`@@ -322,6 +322,7 @@ public function setRedirectCookie($route)`
`322`	`322`	`->setHttpOnly(true)`
`323`	`323`	`->setDuration(3600)`
`324`	`324`	`->setPath($this->storeManager->getStore()->getStorePath())`
	`325`	`+ ->setSameSite('Lax')`
`325`	`326`	`);`
`326`	`327`	`}`
`327`	`328`
Original file line number	Diff line number	Diff line change
`@@ -211,7 +211,8 @@ private function setGuestViewCookie($cookieValue)`
`211`	`211`	`{`
`212`	`212`	`$metadata = $this->cookieMetadataFactory->createPublicCookieMetadata()`
`213`	`213`	`->setPath(self::COOKIE_PATH)`
`214`		`- ->setHttpOnly(true);`
	`214`	`+ ->setHttpOnly(true)`
	`215`	`+ ->setSameSite('Lax');`
`215`	`216`	`$this->cookieManager->setPublicCookie(self::COOKIE_NAME, $cookieValue, $metadata);`
`216`	`217`	`}`
`217`	`218`
Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@`
`10`	`10`	`/**`
`11`	`11`	`* Manager for a cookie with logout reason`
`12`	`12`	`*`
	`13`	`+ * @SuppressWarnings(PHPMD.CookieAndSessionMisuse)`
`13`	`14`	`* @api`
`14`	`15`	`* @since 100.1.0`
`15`	`16`	`*/`
`@@ -80,6 +81,7 @@ public function setLogoutReasonCookie($status)`
`80`	`81`	`{`
`81`	`82`	`$metaData = $this->createCookieMetaData();`
`82`	`83`	`$metaData->setPath('/' . $this->backendData->getAreaFrontName());`
	`84`	`+ $metaData->setSameSite('Strict');`
`83`	`85`
`84`	`86`	`$this->phpCookieManager->setPublicCookie(`
`85`	`87`	`self::LOGOUT_REASON_CODE_COOKIE_NAME,`