magento / magento2

Prior to making any Submission(s), you must sign an Adobe Contributor License Agreement, available here at: https://opensource.adobe.com/cla.html. All Submissions you make to Adobe Inc. and its affiliates, assigns and subsidiaries (collectively “Adobe”) are subject to the terms of the Adobe Contributor License Agreement.
http://www.magento.com
Open Software License 3.0
11.54k stars 9.32k forks source link

Cannot instantiate interface `Magento\Csp\Model\Collector\MergerInterface` when `Magento_Csp` is disabled #39104

Open fritzmg opened 2 months ago

fritzmg commented 2 months ago

Preconditions and environment

Steps to reproduce

  1. Update or install Magento 2.4.7-p2.
  2. Execute bin/magento module:disable Magento_Csp.
  3. Go to the checkout.

Expected result

The checkout should be rendered.

Actual result

The following error is thrown:

Error: Cannot instantiate interface Magento\Csp\Model\Collector\MergerInterface in vendor/magento/framework/ObjectManager/Factory/Dynamic/Developer.php:50
Stack trace:
#0 vendor/magento/framework/ObjectManager/ObjectManager.php(73): Magento\Framework\ObjectManager\Factory\Dynamic\Developer->create()
#1 vendor/magento/framework/ObjectManager/Factory/AbstractFactory.php(170): Magento\Framework\ObjectManager\ObjectManager->get()
#2 vendor/magento/framework/ObjectManager/Factory/AbstractFactory.php(276): Magento\Framework\ObjectManager\Factory\AbstractFactory->resolveArgument()
#3 vendor/magento/framework/ObjectManager/Factory/AbstractFactory.php(239): Magento\Framework\ObjectManager\Factory\AbstractFactory->getResolvedArgument()
#4 vendor/magento/framework/ObjectManager/Factory/Dynamic/Developer.php(34): Magento\Framework\ObjectManager\Factory\AbstractFactory->resolveArgumentsInRuntime()
#5 vendor/magento/framework/ObjectManager/Factory/Dynamic/Developer.php(59): Magento\Framework\ObjectManager\Factory\Dynamic\Developer->_resolveArguments()
#6 vendor/magento/framework/ObjectManager/ObjectManager.php(73): Magento\Framework\ObjectManager\Factory\Dynamic\Developer->create()
#7 vendor/magento/framework/ObjectManager/Factory/AbstractFactory.php(170): Magento\Framework\ObjectManager\ObjectManager->get()
#8 vendor/magento/framework/ObjectManager/Factory/AbstractFactory.php(276): Magento\Framework\ObjectManager\Factory\AbstractFactory->resolveArgument()
#9 vendor/magento/framework/ObjectManager/Factory/AbstractFactory.php(239): Magento\Framework\ObjectManager\Factory\AbstractFactory->getResolvedArgument()
#10 vendor/magento/framework/ObjectManager/Factory/Dynamic/Developer.php(34): Magento\Framework\ObjectManager\Factory\AbstractFactory->resolveArgumentsInRuntime()
#11 vendor/magento/framework/ObjectManager/Factory/Dynamic/Developer.php(59): Magento\Framework\ObjectManager\Factory\Dynamic\Developer->_resolveArguments()
#12 vendor/magento/framework/ObjectManager/ObjectManager.php(73): Magento\Framework\ObjectManager\Factory\Dynamic\Developer->create()
#13 vendor/magento/module-payment-services-paypal/Model/ConfigProvider.php(65): Magento\Framework\ObjectManager\ObjectManager->get()
…

Additional information

The cause are these lines within vendor/magento/module-payment-services-paypal/Model/ConfigProvider.php

    //TODO:Just to be compatible with 2.4.6. Remove in future
    $objectManager = \Magento\Framework\App\ObjectManager::getInstance();
    try {
        $this->cspNonceProvider = $objectManager->get("\Magento\Csp\Helper\CspNonceProvider");
    } catch (\ReflectionException $e) {
        $this->cspNonceProvider = null;
    }

The error is not of type \ReflectionException, instead it is of type \Error - thus the error is not caught.

To fix it, it could be changed as follows:

    //TODO:Just to be compatible with 2.4.6. Remove in future
    $objectManager = \Magento\Framework\App\ObjectManager::getInstance();
    try {
        $this->cspNonceProvider = $objectManager->get("\Magento\Csp\Helper\CspNonceProvider");
-   } catch (\ReflectionException $e) {
+   } catch (\Throwable) {
        $this->cspNonceProvider = null;
    }

Release note

No response

Triage and priority

m2-assistant[bot] commented 2 months ago

Hi @fritzmg. Thank you for your report. To speed up processing of this issue, make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, Add a comment to the issue:

Franciscof-Serfe commented 2 months ago

Hi @fritzmg , I think that this could be related to this security improvement: https://experienceleague.adobe.com/en/docs/commerce-operations/release/notes/magento-open-source/2-4-7#:~:text=Changes%20to%20Content%20Security%20Policy

Magento updated CSP to restrict mode at checkout. You can use this module to bypass it meanwhile you fix the code to enable CSP.

https://github.com/yireo/Yireo_DisableCsp

fritzmg commented 2 months ago

Well Magento has support for CSP for some while now, not just recently. The issue is just with the Magento_PaymentServicesPaypal module that comes with Magento Community Edition. It currently has an erroneous hard dependency on Magento_Csp. Judging by the code it is supposed to be a soft dependency, but it currently does not work (due to the wrong catch type).

MarcusSchwarz commented 2 months ago

I can confirm the issue with 2.4.6-p7 as well.

File affected: vendor/magento/module-paypal/Model/Config.php Workaround:

             }
         }

-        $this->cspNonceProvider = $cspNonceProvider ?: ObjectManager::getInstance()->get(CspNonceProvider::class);
+        try {
+            $this->cspNonceProvider = $cspNonceProvider ?: ObjectManager::getInstance()->get(CspNonceProvider::class);
+        } catch (\Throwable $e) {
+            $this->cspNonceProvider = null;
+        }
     }

     /**

The checkout is also affected. A new Observer has been introduced: Magento\Checkout\Observer\CspPolicyObserver

File affected: vendor/magento/module-checkout/etc/frontend/events.xml Workaround:

     <event name="customer_logout">
         <observer name="unsetAll" instance="Magento\Checkout\Observer\UnsetAllObserver" />
     </event>
-    <event name="controller_action_predispatch_checkout_index_index">
-        <observer name="cps_storefront_checkout_index_index_predispatch"
-                  instance="Magento\Checkout\Observer\CspPolicyObserver"/>
-    </event>
+<!--    <event name="controller_action_predispatch_checkout_index_index">-->
+<!--        <observer name="cps_storefront_checkout_index_index_predispatch"-->
+<!--                  instance="Magento\Checkout\Observer\CspPolicyObserver"/>-->
+<!--    </event>-->
 </config>
Franciscof-Serfe commented 2 months ago

Marcus, As I mentioned in my previous note, after M2.4.7 Adobe decided to force CSP in restricted mode for the checkout and payment line. It's not an error.

Default config: https://developer.adobe.com/commerce/php/development/security/content-security-policies/#default-configuration

Commit REF: https://github.com/magento/magento2/commit/25cf7f077cf06eafa145027ff70c55d297f4943c#diff-32ed90c0e573d5dd4047b67db44768fca797fa1df717c8d883956d3a6b8d2fd6

I understand that someone from the Adobe team should clarify this. @nathanjosiah can you add your 2 cents?

Previous discussion on Magento_Csp behavior change at checkout: https://github.com/magento/magento2/issues/38823

Background info: https://m.academy/articles/magento-apsb24-40-security-patch-csp-checkout-updates/#:~:text=Impact%20on%20Checkout%20Functionality

MarcusSchwarz commented 2 months ago

@Franciscof-Serfe please note, we are not on 2.4.7. We are on 2.4.6-p7; In a security release there should never be such a breaking change.

fritzmg commented 2 months ago

Adobe decided to force CSP in restricted mode for the checkout and payment line. It's not an error.

Nevertheless, modules that have a hard dependency on Magento_Csp need to define it as such. Currently Magento_PaymentServicesPaypal has no dependency and thus Magento_Csp can be disabled, which leads to the aforementioned error.

nathanjosiah commented 2 months ago

The new CSP changes are new PCI requirements for all payment pages per PCI version 4 section 6.4.3. Since all of our supported versions must be PCI compliant this change had to be made.

Having said that, it does appear there is an error with the type that violates our policies. But, I would strongly advise you to get your site working with CSP as this is the last line of defense against malware and card skimmers. Plus, it would put you at risk of PCI audit failure especially since the auditors will be on high alert since it's a new requirement.

nathanjosiah commented 2 months ago

@magento export issue to Jira project AC as Bug

github-jira-sync-bot commented 2 months ago

:x: You don't have permission to export this issue.

sidolov commented 2 months ago

@magento export issue to Jira project AC as Bug

github-jira-sync-bot commented 2 months ago

:x: Something went wrong. Cannot create Jira issue.

Franciscof-Serfe commented 2 months ago

Is the Issue: Confirmed tab necessary first?

fritzmg commented 2 months ago

But, I would strongly advise you to get your site working with CSP as this is the last line of defense against malware and card skimmers. Plus, it would put you at risk of PCI audit failure especially since the auditors will be on high alert since it's a new requirement.

@nathanjosiah While I agree that CPS should be enabled in any case, CSP must not be a requirement, at least not for this reason. Your shop does not have to have an actual payment module. In our case the Magento instance is a B2C shop with a checkout that contains no payment options. In our case the fix is easy, as we can just disable the payment module itself (it was an error that we didn't).

The error is that Magento_PaymentServicesPaypal is missing the Magento_Csp dependency in its composer.json and etc/module.xml.

github-jira-sync-bot commented 1 month ago

:white_check_mark: Jira issue https://jira.corp.adobe.com/browse/AC-13063 is successfully created for this GitHub issue.

m2-assistant[bot] commented 1 month ago

:white_check_mark: Confirmed by @engcom-Bravo. Thank you for verifying the issue.
Issue Available: @engcom-Bravo, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.

nathanjosiah commented 1 month ago

We are working on this internally.

As a reference for any Adobe members, this was transferred from AC-13063 to PAY-5690

fritzmg commented 1 week ago

The same error happens within Magento\AdminAnalytics\ViewModel\Metadata:

https://github.com/magento/magento2/blob/5a2037c35de89ce2c50e230164ff3ea7b67ac127/app/code/Magento/AdminAnalytics/ViewModel/Metadata.php#L75-L77

It also has a hard dependency on Magento_Csp, but it is missing from the module.xml:

https://github.com/magento/magento2/blob/5a2037c35de89ce2c50e230164ff3ea7b67ac127/app/code/Magento/AdminAnalytics/etc/module.xml#L8-L10