MAGETWO-70735: [UX][Security] Missing validation and hint for "Compatible File Extensions" in Custom Option of Type=File

Author: OlgaVasyltsun

app/code/Magento/Catalog/Model/Product/Option.php

@@ -377,6 +377,10 @@ public function beforeSave()
                 }
             }
         }
+        if ($this->getGroupByType($this->getData('type')) === self::OPTION_GROUP_FILE) {
+            $this->cleanFileExtensions();
+        }
+
         return $this;
     }
 
@@ -902,4 +906,20 @@ private function getMetadataPool()
     }
 
     //@codeCoverageIgnoreEnd
+
+    /**
+     * Clears all non-accepted characters from file_extension field.
+     *
+     * @return void
+     */
+    private function cleanFileExtensions()
+    {
+        $rawExtensions = $this->getFileExtension();
+        $matches = [];
+        preg_match_all('/(?<extensions>[a-z0-9]+)/i', strtolower($rawExtensions), $matches);
+        if (!empty($matches)) {
+            $extensions = implode(', ', array_unique($matches['extensions']));
+        }
+        $this->setFileExtension($extensions);
+    }
 }

app/code/Magento/Catalog/Test/Unit/Model/Product/OptionTest.php

@@ -68,4 +68,41 @@ public function testGetRegularPrice()
         $this->model->setPriceType(null);
         $this->assertEquals(50, $this->model->getRegularPrice());
     }
+
+    /**
+     * Tests removing ineligible characters from file_extension.
+     *
+     * @param string $rawExtensions
+     * @param string $expectedExtensions
+     * @dataProvider cleanFileExtensionsDataProvider
+     */
+    public function testCleanFileExtensions(string $rawExtensions, string $expectedExtensions)
+    {
+        $this->model->setType(Option::OPTION_GROUP_FILE);
+        $this->model->setFileExtension($rawExtensions);
+        $this->model->beforeSave();
+        $actualExtensions = $this->model->getFileExtension();
+        $this->assertEquals(
+            $expectedExtensions,
+            $actualExtensions
+        );
+    }
+
+    /**
+     * Data provider for testCleanFileExtensions.
+     *
+     * @return array
+     */
+    public function cleanFileExtensionsDataProvider()
+    {
+        return [
+            ['JPG, PNG, GIF', 'jpg, png, gif'],
+            ['jpg, jpg, jpg', 'jpg'],
+            ['jpg, png, gif', 'jpg, png, gif'],
+            ['jpg png gif', 'jpg, png, gif'],
+            ['!jpg@png#gif%', 'jpg, png, gif'],
+            ['jpg, png, 123', 'jpg, png, 123'],
+            ['', '']
+        ];
+    }
 }

app/code/Magento/Catalog/Ui/DataProvider/Product/Form/Modifier/CustomOptions.php

@@ -1046,6 +1046,7 @@ protected function getFileExtensionFieldConfig($sortOrder)
                 'data' => [
                     'config' => [
                         'label' => __('Compatible File Extensions'),
+                        'notice' => __('Enter separated extensions, like: png, jpg, gif. Leave blank to allow any.'),
                         'componentType' => Field::NAME,
                         'formElement' => Input::NAME,
                         'dataScope' => static::FIELD_FILE_EXTENSION_NAME,

dev/tests/functional/tests/app/Magento/Catalog/Test/Block/Adminhtml/Product/Edit/Section/Options.php

@@ -75,6 +75,13 @@ class Options extends Section
      */
     protected $staticDataRow = '[data-index="container_type_static"] div:nth-child(%d)';
 
+    /**
+     * Locator for file_extension field.
+     *
+     * @var string
+     */
+    private $hintMessage = "div[data-index='file_extension'] div[id^='notice']";
+
     /**
      * Sort rows data.
      *
@@ -386,4 +393,14 @@ public function getValuesDataForOption(array $options, string $optionType, strin
 
         return $formDataItem;
     }
+
+    /**
+     * Returns notice-message elements for 'file_extension' fields.
+     *
+     * @return ElementInterface[]
+     */
+    public function getFileOptionElements()
+    {
+        return $this->_rootElement->getElements($this->hintMessage);
+    }
 }

dev/tests/functional/tests/app/Magento/Catalog/Test/Constraint/AssertCustomOptions.php

@@ -0,0 +1,81 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+namespace Magento\Catalog\Test\Constraint;
+
+use Magento\Catalog\Test\Page\Adminhtml\CatalogProductEdit;
+use Magento\Catalog\Test\Page\Adminhtml\CatalogProductIndex;
+use Magento\Mtf\Fixture\FixtureInterface;
+
+/**
+ * Asserts what custom option values are same as expected.
+ */
+class AssertCustomOptions extends AssertProductForm
+{
+    /**
+     * Assert form data equals fixture data
+     *
+     * @param FixtureInterface $product
+     * @param CatalogProductIndex $productGrid
+     * @param CatalogProductEdit $productPage
+     * @return void
+     */
+    public function processAssert(
+        FixtureInterface $product,
+        CatalogProductIndex $productGrid,
+        CatalogProductEdit $productPage
+    ) {
+        $expectedCustomOptions = $this->arguments['expectedCustomOptions'];
+        $filter = ['sku' => $product->getSku()];
+        $productGrid->open();
+        $productGrid->getProductGrid()->searchAndOpen($filter);
+        $productData = [];
+        if ($product->hasData('custom_options')) {
+            $productData = $this->addExpectedOptionValues($product, $expectedCustomOptions);
+        }
+        $fixtureData = $this->prepareFixtureData($productData, $this->sortFields);
+        $formData = $this->prepareFormData($productPage->getProductForm()->getData($product), $this->sortFields);
+        $error = $this->verifyData($fixtureData, $formData);
+        \PHPUnit\Framework\Assert::assertTrue(empty($error), $error);
+    }
+
+    /**
+     * Adds expected value of Custom Options.
+     *
+     * @param FixtureInterface $product
+     * @param array $expectedCustomOptions
+     * @return array
+     */
+    private function addExpectedOptionValues(FixtureInterface $product, array $expectedCustomOptions)
+    {
+        /** @var array $customOptionsSource */
+        $customOptionsSource = $product->getDataFieldConfig('custom_options')['source']->getCustomOptions();
+        foreach (array_keys($customOptionsSource) as $optionKey) {
+            foreach ($expectedCustomOptions as $expectedCustomOption) {
+                if ($customOptionsSource[$optionKey]['type'] === $expectedCustomOption['optionType']) {
+                    $options = array_keys($customOptionsSource[$optionKey]['options']);
+                    $optionField = $expectedCustomOption['optionField'];
+                    $optionValue = $expectedCustomOption['optionValue'];
+                    foreach ($options as $optionsKey) {
+                        $customOptionsSource[$optionKey]['options'][$optionsKey][$optionField] = $optionValue;
+                    }
+                }
+            }
+        }
+
+        return ['custom_options' => $customOptionsSource];
+    }
+
+    /**
+     * Returns a string representation of the object.
+     *
+     * @return string
+     */
+    public function toString()
+    {
+        return 'Custom option values are same as expected.';
+    }
+}

dev/tests/functional/tests/app/Magento/Catalog/Test/Constraint/AssertFileExtensionHints.php

@@ -0,0 +1,57 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+namespace Magento\Catalog\Test\Constraint;
+
+use Magento\Catalog\Test\Block\Adminhtml\Product\ProductForm;
+use Magento\Catalog\Test\Page\Adminhtml\CatalogProductEdit;
+use Magento\Mtf\Constraint\AbstractAssertForm;
+
+/**
+ * Checks file_extension field hint on the product page custom options section.
+ */
+class AssertFileExtensionHints extends AbstractAssertForm
+{
+    /**
+     * Expected file_extension field hint.
+     *
+     * @var string
+     */
+    const EXPECTED_MESSAGE = 'Enter separated extensions, like: png, jpg, gif. Leave blank to allow any.';
+
+    /**
+     * Assert that file extension message is showed.
+     *
+     * @param CatalogProductEdit $productPage
+     * @return void
+     */
+    public function processAssert(CatalogProductEdit $productPage)
+    {
+        /** @var  ProductForm $productForm */
+        $productForm = $productPage->getProductForm();
+        $productForm->openSection('customer-options');
+        /** @var \Magento\Catalog\Test\Block\Adminhtml\Product\Edit\Section\Options $options */
+        $options = $productForm->getSection('customer-options');
+        $fileOptionElements = $options->getFileOptionElements();
+        foreach ($fileOptionElements as $fileOptionElement) {
+            \PHPUnit\Framework\Assert::assertEquals(
+                self::EXPECTED_MESSAGE,
+                $fileOptionElement->getText(),
+                'Actual message differ from expected.'
+            );
+        }
+    }
+
+    /**
+     * Returns a string representation of the object.
+     *
+     * @return string
+     */
+    public function toString()
+    {
+        return 'Assert correct file extensions hint is showed.';
+    }
+}

dev/tests/functional/tests/app/Magento/Catalog/Test/Repository/Product/CustomOptions.xml

@@ -726,5 +726,21 @@
                 </item>
             </field>
         </dataset>
+
+        <dataset name="file_option_type">
+            <field name="0" xsi:type="array">
+                <item name="title" xsi:type="string">custom option file %isolation%</item>
+                <item name="is_require" xsi:type="string">Yes</item>
+                <item name="type" xsi:type="string">File/File</item>
+                <item name="options" xsi:type="array">
+                    <item name="0" xsi:type="array">
+                        <item name="price" xsi:type="string">40</item>
+                        <item name="price_type" xsi:type="string">Percent</item>
+                        <item name="sku" xsi:type="string">file_option</item>
+                        <item name="file_extension" xsi:type="string">jpg, jpg gif .png</item>
+                    </item>
+                </item>
+            </field>
+        </dataset>
     </repository>
 </config>