MC-15311: [Sec] PageBuilder XSS Injection Possible Through Block on HTML Code Content Type For CSS Classes Attribute & in TinyMCE

danmooney2 · danmooney2 · commit ebcc76938cb6 · 2019-03-08T10:48:26.000-06:00
Add custom variable filter test case
diff --git a/dev/tests/integration/testsuite/Magento/PageBuilder/Plugin/Filter/TemplatePluginTest.php b/dev/tests/integration/testsuite/Magento/PageBuilder/Plugin/Filter/TemplatePluginTest.php
@@ -8,6 +8,7 @@
 
 namespace Magento\PageBuilder\Plugin\Filter;
 
+use Magento\Store\Model\Store;
 use Magento\Widget\Model\Template\Filter as TemplateFilter;
 use Magento\TestFramework\Helper\Bootstrap;
 
@@ -30,13 +31,18 @@ protected function setUp()
     {
         $this->objectManager = Bootstrap::getObjectManager();
         $this->templateFilter = $this->objectManager->get(TemplateFilter::class);
+
+        // set store id to 0 to recognize that escaping is required in custom variable
+        $this->templateFilter->setStoreId(Store::DEFAULT_STORE_ID);
     }
 
     /**
      * @param string $preFiltered
      * @param string $postFiltered
      * @param string $preFilteredBasename
      * @dataProvider filterDataProvider
+     * @magentoDataFixture Magento/PageBuilder/_files/custom_variable_xss.php
+     * @magentoDbIsolation enabled
      */
     public function testFiltering(string $preFiltered, string $postFiltered, string $preFilteredBasename)
     {
diff --git a/dev/tests/integration/testsuite/Magento/PageBuilder/_files/custom_variable_xss.php b/dev/tests/integration/testsuite/Magento/PageBuilder/_files/custom_variable_xss.php
@@ -0,0 +1,18 @@
+<?php
+
+$this->objectManager = \Magento\TestFramework\Helper\Bootstrap::getObjectManager();
+
+/** @var \Magento\Variable\Model\ResourceModel\Variable $variableResource */
+$variableResource = $this->objectManager->get(\Magento\Variable\Model\ResourceModel\Variable::class);
+
+/** @var \Magento\Variable\Model\Variable $variable */
+$variable = $this->objectManager->get(\Magento\Variable\Model\Variable::class);
+
+$variable->setData([
+    'code' => 'xssVariable',
+    'name' => 'xssVariable',
+    'html_value' => '<img src=x onerror="alert(0)">',
+    'plain_value' => '<img src=x onerror="alert(0)">',
+]);
+
+$variableResource->save($variable);
diff --git a/dev/tests/integration/testsuite/Magento/PageBuilder/_files/template_plugin/custom_var_directive_post_filter.html b/dev/tests/integration/testsuite/Magento/PageBuilder/_files/template_plugin/custom_var_directive_post_filter.html
@@ -0,0 +1 @@
+&lt;img src=x onerror=&quot;alert(0)&quot;&gt;
diff --git a/dev/tests/integration/testsuite/Magento/PageBuilder/_files/template_plugin/custom_var_directive_pre_filter.html b/dev/tests/integration/testsuite/Magento/PageBuilder/_files/template_plugin/custom_var_directive_pre_filter.html
@@ -0,0 +1 @@
+{{customVar code=xssVariable}}
