Merge branch 'AC-12654' into cia-2.4.8-beta1-develop-bugfix-09032024

Author: pawan-adobe-security

app/code/Magento/CatalogImportExport/Model/Import/Product.php

@@ -56,6 +56,11 @@ class Product extends AbstractEntity
     private const COL_NAME_FORMAT = '/[\x00-\x1F\x7F]/';
     public const CONFIG_KEY_PRODUCT_TYPES = 'global/importexport/import_product_types';
 
+    /**
+     * Filter chain const
+     */
+    private const FILTER_CHAIN = "php://filter";
+
     /**
      * Size of bunch - part of products to save in one step.
      */
@@ -775,6 +780,11 @@ class Product extends AbstractEntity
      */
     private ?SkuStorage $skuStorage;
 
+    /**
+     * @var File|null
+     */
+    private ?File $fileDriver;
+
     /**
      * @param \Magento\Framework\Json\Helper\Data $jsonHelper
      * @param \Magento\ImportExport\Helper\Data $importExportData
@@ -950,6 +960,8 @@ public function __construct(
                 ->get(ProductRepositoryInterface::class);
         $this->stockItemProcessor = $stockItemProcessor ?? ObjectManager::getInstance()
                 ->get(StockItemProcessorInterface::class);
+        $this->fileDriver = $fileDriver ?? ObjectManager::getInstance()
+            ->get(File::class);
     }
 
     /**
@@ -2126,7 +2138,10 @@ private function getRemoteFileContent(string $filename): string
     {
         try {
             // phpcs:ignore Magento2.Functions.DiscouragedFunction
-            $content = file_get_contents($filename);
+            if (stripos($filename, self::FILTER_CHAIN) !== false) {
+                return '';
+            }
+            $content = $this->fileDriver->fileGetContents($filename);
         } catch (\Exception $e) {
             $content = false;
         }

app/code/Magento/CatalogImportExport/Model/Import/Product/Validator.php

@@ -20,6 +20,11 @@
  */
 class Validator extends AbstractValidator implements RowValidatorInterface
 {
+    /**
+     * Filter chain const
+     */
+    private const FILTER_CHAIN = "php://filter";
+    
     /**
      * @var RowValidatorInterface[]|AbstractValidator[]
      */
@@ -91,6 +96,10 @@ public function __construct(
     protected function textValidation($attrCode, $type)
     {
         $val = $this->string->cleanString($this->_rowData[$attrCode]);
+        if (stripos($val, self::FILTER_CHAIN) !== false) {
+            $this->_addMessages([RowValidatorInterface::ERROR_INVALID_ATTRIBUTE_TYPE]);
+            return false;
+        }
         if ($type == 'text') {
             $valid = $this->string->strlen($val) < Product::DB_MAX_TEXT_LENGTH;
         } elseif ($attrCode == Product::COL_SKU) {

app/code/Magento/CatalogImportExport/Test/Unit/Model/Import/ProductTest.php

@@ -2252,4 +2252,18 @@ public static function valuesDataProvider(): array
             ]
         ];
     }
+
+    /**
+     * get remote file content
+     */
+    public function testGetRemoteFileContent()
+    {
+        $reflector = new \ReflectionClass($this->importProduct);
+        $property = $reflector->getMethod('getRemoteFileContent');
+        $property->setAccessible(true);
+        $this->assertEquals(
+            '',
+            $property->invokeArgs($this->importProduct, ['php://filter'])
+        );
+    }
 }