Our 10.4.6 update caused a custom module using Datatables to stop attaching our custom JS files and the Datatables file. We had to update our library.yml file to include weights. This got our custom code working in 10.4.6. Same fix mentioned in #58
datatables:
  version: VERSION
  js:
    js/datatables.js:
      weight: -20
  dependencies:
    - core/jquery
jquery-table-search:
  version: VERSION
  css:
    component:
      css/commerce_reports_table.css: {}
  js:
    js/commerce_reports_table_search.js:
      weight: -10
  dependencies:
    - core/jquery
    - commerce_reports/datatables
Hello,
I am assuming you are inquiring about the need for SRI. Commerce_stripe doesn't employ the integrity parameter when it includes the JS library. This will get you flagged for PCI 4.0 compliance, as you are probably running into.
I handled this today for my employer with a patch to commerce_stripe.module
First, modify the build function slightly.
function commerce_stripe_library_info_build() {
  $libraries = [];
  $stripe_src = 'https://js.stripe.com/v3/';
  $stripe_integrity = fetch_stripe_integrity($stripe_src);
  // @todo get this value from global or payment gateway settings.
  $use_fraud_detection = TRUE;
  if (!$use_fraud_detection) {
    $stripe_src .= '?advancedFraudSignals=false';
  }
  $libraries['stripe'] = [
    'version' => '3',
    'js' => [
      $stripe_src => [
        'type' => 'external',
        'minified' => TRUE,
        'attributes' => [
          'integrity' => $stripe_integrity,
          'crossorigin' => 'anonymous',
        ],
      ],
    ],
  ];
  return $libraries;
}
Then, add a new function to calculate the hash value at runtime.
function fetch_stripe_integrity($url) {
  // Fetch the script body so it can be hashed.
  $ch = curl_init($url);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  $response = curl_exec($ch);
  if ($response === false) {
    // Read the error and release the handle before throwing.
    $error = curl_error($ch);
    curl_close($ch);
    throw new Exception('Curl error: ' . $error);
  }
  curl_close($ch);
  // SRI uses the raw (binary) digest, base64-encoded.
  $hash = hash('sha384', $response, true);
  $base64_hash = base64_encode($hash);
  // Return the hash in the required format
  return 'sha384-' . $base64_hash;
}
You will need to track these changes and re-apply them after any update to commerce_stripe in the future.
After these modifications, I pass PCI 4.0 as scanned by Tenable.
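A hash recomputed from each fetched response always matches that response, so detecting a changed script needs an integrity value recorded when the script was reviewed. The following is an added example (not part of the comment above or of commerce_stripe) that checks a script body against such a pinned value and, going slightly beyond the single sha384 hash used above, accepts an attribute listing several hashes; the function names and sample script bodies are constructed.

```php
<?php
// Added example: function names and sample script bodies are constructed.

/** Builds an SRI value: algorithm name, a dash, base64 of the raw digest. */
function sri_value(string $body, string $algo = 'sha384'): string {
  return $algo . '-' . base64_encode(hash($algo, $body, TRUE));
}

/** Parses an integrity attribute into base64 digests grouped by algorithm. */
function parse_integrity(string $attribute): array {
  $parsed = [];
  $tokens = preg_split('/\s+/', trim($attribute), -1, PREG_SPLIT_NO_EMPTY);
  foreach ($tokens as $token) {
    // Unknown algorithms and malformed tokens are ignored, as browsers do.
    if (preg_match('#^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$#', $token, $m)) {
      $parsed[$m[1]][] = $m[2];
    }
  }
  return $parsed;
}

/** Checks a script body against a pinned integrity attribute. */
function body_matches_pin(string $body, string $pinned): bool {
  $pins = parse_integrity($pinned);
  // Only the strongest algorithm present in the pin is consulted.
  foreach (['sha512', 'sha384', 'sha256'] as $algo) {
    if (empty($pins[$algo])) {
      continue;
    }
    $actual = base64_encode(hash($algo, $body, TRUE));
    foreach ($pins[$algo] as $expected) {
      if (hash_equals($expected, $actual)) {
        return TRUE;
      }
    }
    return FALSE;
  }
  // No usable hash in the pin: treat as a failure rather than a pass.
  return FALSE;
}

// Constructed sample: the body that was reviewed and the body served later.
$reviewed = "console.log('constructed sample script v1');";
$served = "console.log('constructed sample script v2');";
$pin = sri_value($reviewed);

var_dump(body_matches_pin($reviewed, $pin));
var_dump(body_matches_pin($served, $pin));
```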