Merge pull request #8074 from magento-cia/cia-2.4.7-beta1-develop-bugfixes-01132023

cia-2.4.7-beta1-develop-bugfixes-01132023

Author: pawan-adobe-security

app/code/Magento/Catalog/Controller/Adminhtml/Product/NewAction.php

@@ -4,18 +4,21 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
+
 namespace Magento\Catalog\Controller\Adminhtml\Product;
 
-use Magento\Framework\App\Action\HttpGetActionInterface as HttpGetActionInterface;
-use Magento\Backend\App\Action;
 use Magento\Catalog\Controller\Adminhtml\Product;
+use Magento\Framework\App\Action\HttpGetActionInterface as HttpGetActionInterface;
 use Magento\Framework\App\ObjectManager;
+use Magento\Framework\RegexValidator;
 
 class NewAction extends \Magento\Catalog\Controller\Adminhtml\Product implements HttpGetActionInterface
 {
     /**
      * @var Initialization\StockDataFilter
      * @deprecated 101.0.0
+     * @see Initialization\StockDataFilter
      */
     protected $stockFilter;
 
@@ -30,23 +33,32 @@ class NewAction extends \Magento\Catalog\Controller\Adminhtml\Product implements
     protected $resultForwardFactory;
 
     /**
-     * @param Action\Context $context
+     * @var RegexValidator
+     */
+    private RegexValidator $regexValidator;
+
+    /**
+     * @param Context $context
      * @param Builder $productBuilder
      * @param Initialization\StockDataFilter $stockFilter
      * @param \Magento\Framework\View\Result\PageFactory $resultPageFactory
      * @param \Magento\Backend\Model\View\Result\ForwardFactory $resultForwardFactory
+     * @param RegexValidator|null $regexValidator
      */
     public function __construct(
         \Magento\Backend\App\Action\Context $context,
         Product\Builder $productBuilder,
         Initialization\StockDataFilter $stockFilter,
         \Magento\Framework\View\Result\PageFactory $resultPageFactory,
-        \Magento\Backend\Model\View\Result\ForwardFactory $resultForwardFactory
+        \Magento\Backend\Model\View\Result\ForwardFactory $resultForwardFactory,
+        RegexValidator $regexValidator = null
     ) {
         $this->stockFilter = $stockFilter;
         parent::__construct($context, $productBuilder);
         $this->resultPageFactory = $resultPageFactory;
         $this->resultForwardFactory = $resultForwardFactory;
+        $this->regexValidator = $regexValidator
+            ?: ObjectManager::getInstance()->get(RegexValidator::class);
     }
 
     /**
@@ -56,6 +68,11 @@ public function __construct(
      */
     public function execute()
     {
+        $typeId = $this->getRequest()->getParam('type');
+        if (!$this->regexValidator->validateParamRegex($typeId)) {
+            return $this->resultForwardFactory->create()->forward('noroute');
+        }
+
         if (!$this->getRequest()->getParam('set')) {
             return $this->resultForwardFactory->create()->forward('noroute');
         }

app/code/Magento/Catalog/Test/Unit/Controller/Adminhtml/Product/NewActionTest.php

@@ -16,6 +16,9 @@
 use Magento\Catalog\Controller\Adminhtml\Product\NewAction;
 use Magento\Catalog\Model\Product;
 use Magento\Catalog\Test\Unit\Controller\Adminhtml\ProductTest;
+use Magento\Framework\RegexValidator;
+use Magento\Framework\Validator\Regex;
+use Magento\Framework\Validator\RegexFactory;
 use Magento\Framework\TestFramework\Unit\Helper\ObjectManager;
 use Magento\Framework\View\Result\PageFactory;
 use PHPUnit\Framework\MockObject\MockObject;
@@ -42,6 +45,26 @@ class NewActionTest extends ProductTest
      */
     protected $initializationHelper;
 
+    /**
+     * @var RegexValidator|MockObject
+     */
+    private $regexValidator;
+
+    /**
+     * @var RegexFactory
+     */
+    private $regexValidatorFactoryMock;
+
+    /**
+     * @var Regex|MockObject
+     */
+    private $regexValidatorMock;
+
+    /**
+     * @var ForwardFactory&MockObject|MockObject
+     */
+    private $resultForwardFactory;
+
     protected function setUp(): void
     {
         $this->productBuilder = $this->createPartialMock(
@@ -63,37 +86,78 @@ protected function setUp(): void
             ->disableOriginalConstructor()
             ->setMethods(['create'])
             ->getMock();
-        $resultPageFactory->expects($this->atLeastOnce())
-            ->method('create')
-            ->willReturn($this->resultPage);
 
         $this->resultForward = $this->getMockBuilder(Forward::class)
             ->disableOriginalConstructor()
             ->getMock();
-        $resultForwardFactory = $this->getMockBuilder(ForwardFactory::class)
+        $this->resultForwardFactory = $this->getMockBuilder(ForwardFactory::class)
+            ->disableOriginalConstructor()
+            ->onlyMethods(['create'])
+            ->getMock();
+
+        $this->regexValidatorFactoryMock = $this->getMockBuilder(RegexFactory::class)
             ->disableOriginalConstructor()
             ->setMethods(['create'])
             ->getMock();
-        $resultForwardFactory->expects($this->any())
-            ->method('create')
-            ->willReturn($this->resultForward);
+        $this->regexValidatorMock = $this->createMock(Regex::class);
+        $this->regexValidatorFactoryMock->method('create')
+            ->willReturn($this->regexValidatorMock);
 
+        $this->regexValidator = new regexValidator($this->regexValidatorFactoryMock);
         $this->action = (new ObjectManager($this))->getObject(
             NewAction::class,
             [
                 'context' => $this->initContext(),
                 'productBuilder' => $this->productBuilder,
                 'resultPageFactory' => $resultPageFactory,
-                'resultForwardFactory' => $resultForwardFactory,
+                'resultForwardFactory' => $this->resultForwardFactory,
+                'regexValidator' => $this->regexValidator,
             ]
         );
     }
 
-    public function testExecute()
+    /**
+     * Test execute method input validation.
+     *
+     * @param string $value
+     * @param bool $exceptionThrown
+     * @dataProvider validationCases
+     */
+    public function testExecute(string $value, bool $exceptionThrown): void
+    {
+        if ($exceptionThrown) {
+            $this->action->getRequest()->expects($this->any())
+                ->method('getParam')
+                ->willReturn($value);
+            $this->resultForwardFactory->expects($this->any())
+                ->method('create')
+                ->willReturn($this->resultForward);
+            $this->resultForward->expects($this->once())
+                ->method('forward')
+                ->with('noroute')
+                ->willReturn(true);
+            $this->assertTrue($this->action->execute());
+        } else {
+            $this->action->getRequest()->expects($this->any())->method('getParam')->willReturn($value);
+            $this->regexValidatorMock->expects($this->any())
+                ->method('isValid')
+                ->with($value)
+                ->willReturn(true);
+
+            $this->assertEquals(true, $this->regexValidator->validateParamRegex($value));
+        }
+    }
+
+    /**
+     * Validation cases.
+     *
+     * @return array
+     */
+    public function validationCases(): array
     {
-        $this->action->getRequest()->expects($this->any())->method('getParam')->willReturn(true);
-        $this->action->getRequest()->expects($this->any())->method('getFullActionName')
-            ->willReturn('catalog_product_new');
-        $this->action->execute();
+        return [
+            'execute-with-exception' => ['simple\' and true()]|*[self%3a%3ahandle%20or%20self%3a%3alayout',true],
+            'execute-without-exception' => ['catalog_product_new',false]
+        ];
     }
 }

app/code/Magento/Catalog/i18n/en_US.csv

@@ -819,4 +819,5 @@ Details,Details
 "Failed to retrieve product links for ""%1""","Failed to retrieve product links for ""%1"""
 "The linked product SKU is invalid. Verify the data and try again.","The linked product SKU is invalid. Verify the data and try again."
 "The linked products data is invalid. Verify the data and try again.","The linked products data is invalid. Verify the data and try again."
+"The url has invalid characters. Please correct and try again.","The url has invalid characters. Please correct and try again."
 

app/code/Magento/CatalogImportExport/Model/Import/Product.php

@@ -48,6 +48,7 @@
  */
 class Product extends AbstractEntity
 {
+    private const COL_NAME_FORMAT = '/[\x00-\x1F\x7F]/';
     private const DEFAULT_GLOBAL_MULTIPLE_VALUE_SEPARATOR = ',';
     public const CONFIG_KEY_PRODUCT_TYPES = 'global/importexport/import_product_types';
 
@@ -1624,6 +1625,10 @@ protected function _saveProducts()
                         // the bunch of products will pass for the event with url_key column.
                         $bunch[$rowNum][self::URL_KEY] = $rowData[self::URL_KEY] = $urlKey;
                     }
+                    if (!empty($rowData[self::COL_NAME])) {
+                        // remove null byte character
+                        $rowData[self::COL_NAME] = preg_replace(self::COL_NAME_FORMAT, '', $rowData[self::COL_NAME]);
+                    }
                     $rowSku = $rowData[self::COL_SKU];
                     if (null === $rowSku) {
                         $this->getErrorAggregator()->addRowToSkip($rowNum);

app/code/Magento/Checkout/Model/ShippingInformationManagement.php

@@ -3,6 +3,7 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
 
 namespace Magento\Checkout\Model;
 
@@ -39,60 +40,62 @@ class ShippingInformationManagement implements ShippingInformationManagementInte
     /**
      * @var PaymentMethodManagementInterface
      */
-    protected $paymentMethodManagement;
+    protected PaymentMethodManagementInterface $paymentMethodManagement;
 
     /**
      * @var PaymentDetailsFactory
      */
-    protected $paymentDetailsFactory;
+    protected PaymentDetailsFactory $paymentDetailsFactory;
 
     /**
      * @var CartTotalRepositoryInterface
      */
-    protected $cartTotalsRepository;
+    protected CartTotalRepositoryInterface $cartTotalsRepository;
 
     /**
      * @var CartRepositoryInterface
      */
-    protected $quoteRepository;
-
+    protected CartRepositoryInterface $quoteRepository;
     /**
      * @var Logger
      */
-    protected $logger;
+    protected Logger $logger;
 
     /**
      * @var QuoteAddressValidator
      */
-    protected $addressValidator;
+    protected QuoteAddressValidator $addressValidator;
 
     /**
      * @var AddressRepositoryInterface
      * @deprecated 100.2.0
+     * @see AddressRepositoryInterface
      */
-    protected $addressRepository;
+    protected AddressRepositoryInterface $addressRepository;
 
     /**
      * @var ScopeConfigInterface
      * @deprecated 100.2.0
+     * @see ScopeConfigInterface
      */
-    protected $scopeConfig;
+    protected ScopeConfigInterface $scopeConfig;
 
     /**
      * @var TotalsCollector
      * @deprecated 100.2.0
+     * @see TotalsCollector
      */
-    protected $totalsCollector;
+    protected TotalsCollector $totalsCollector;
 
     /**
      * @var CartExtensionFactory
      */
-    private $cartExtensionFactory;
+    private CartExtensionFactory $cartExtensionFactory;
 
     /**
      * @var ShippingAssignmentFactory
      */
-    protected $shippingAssignmentFactory;
+    protected ShippingAssignmentFactory $shippingAssignmentFactory;
 
     /**
      * @var ShippingFactory
@@ -262,8 +265,11 @@ protected function validateQuote(Quote $quote): void
      * @param string $method
      * @return CartInterface
      */
-    private function prepareShippingAssignment(CartInterface $quote, AddressInterface $address, $method): CartInterface
-    {
+    private function prepareShippingAssignment(
+        CartInterface $quote,
+        AddressInterface $address,
+        string $method
+    ): CartInterface {
         $cartExtension = $quote->getExtensionAttributes();
         if ($cartExtension === null) {
             $cartExtension = $this->cartExtensionFactory->create();

app/code/Magento/Quote/Model/BillingAddressManagement.php

@@ -3,14 +3,15 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
 
 namespace Magento\Quote\Model;
 
+use Magento\Framework\App\ObjectManager;
 use Magento\Framework\Exception\InputException;
-use Magento\Quote\Model\Quote\Address\BillingAddressPersister;
-use Psr\Log\LoggerInterface as Logger;
 use Magento\Quote\Api\BillingAddressManagementInterface;
-use Magento\Framework\App\ObjectManager;
+use Magento\Quote\Api\Data\AddressInterface;
+use Psr\Log\LoggerInterface as Logger;
 
 /**
  * Quote billing address write service object.
@@ -25,14 +26,14 @@ class BillingAddressManagement implements BillingAddressManagementInterface
     protected $addressValidator;
 
     /**
-     * Logger.
+     * Logger object.
      *
      * @var Logger
      */
     protected $logger;
 
     /**
-     * Quote repository.
+     * Quote repository object.
      *
      * @var \Magento\Quote\Api\CartRepositoryInterface
      */
@@ -72,10 +73,14 @@ public function __construct(
      * @inheritdoc
      * @SuppressWarnings(PHPMD.NPathComplexity)
      */
-    public function assign($cartId, \Magento\Quote\Api\Data\AddressInterface $address, $useForShipping = false)
+    public function assign($cartId, AddressInterface $address, $useForShipping = false)
     {
         /** @var \Magento\Quote\Model\Quote $quote */
         $quote = $this->quoteRepository->getActive($cartId);
+
+        // validate the address
+        $this->addressValidator->validateWithExistingAddress($quote, $address);
+
         $address->setCustomerId($quote->getCustomerId());
         $quote->removeAddress($quote->getBillingAddress()->getId());
         $quote->setBillingAddress($address);
@@ -104,6 +109,7 @@ public function get($cartId)
      *
      * @return \Magento\Quote\Model\ShippingAddressAssignment
      * @deprecated 101.0.0
+     * @see \Magento\Quote\Model\ShippingAddressAssignment
      */
     private function getShippingAddressAssignment()
     {