Data security issue for payment link

[sinfonie]

Magento version: 2.4.7-p2
PayNow version: 1.5.6

[paynow-support]

Hello,

Thank you for explaining this matter in more detail.

In this case, we are preparing an analysis and a corresponding amendment.

[ssztajnert]

@sinfonie we've just created an advisory with you as a collaborator till we analyse and confirm it's a security issue

[sinfonie]

Hello,

I've tested version 1.5.7 and noticed two issues that need urgent attention as the retry link does not function properly. Adding a token is a great idea, however:

Issue 1:
It is necessary to correct the method Paynow\PaymentGateway\Helper\PaymentHelper::getRetryPaymentUrl to always accept an argument of type (int). Typing seems to be a standard practice.
Problem: Generally, there is an inconsistency in typing in some of the module's classes. I will demonstrate this with a specific example.

Currently, the getRetryPaymentUrl method can accept any type of argument for $orderId. Then, the method encodes the RetryUrl. For instance, at vendor/pay-now/paynow-magento2/view/frontend/templates/order/history/action.phtml::7, orderId is passed as a string $order->getEntityId().

If we encode $orderId as a string, then after decoding the URL, $orderId will remain a string and will not pass the comparison in the retry controller's condition, preventing the possibility of making another payment. Paynow\PaymentGateway\Controller\Payment\Retry:110

Result is:

Issue 2:
The method Paynow\PaymentGateway\Controller\Payment::authorizeNewPayment may throw an exception. Currently, there is no handling for this exception in the controller, which could result in an error message appearing after clicking on retry payment.

It would seem appropriate to add exception handling (try {} catch(){}) with redirection.