MAGETWO-85126: LFI in Import History - 2

Author: svitja

app/code/Magento/ImportExport/Helper/Report.php

@@ -121,9 +121,14 @@ public function getReportSize($filename)
      *
      * @param string $filename
      * @return string
+     * @throws \InvalidArgumentException
      */
     protected function getFilePath($filename)
     {
+        if (preg_match('/\.\.(\\\|\/)/', $filename)) {
+            throw new \InvalidArgumentException('Filename has not permitted symbols in it');
+        }
+
         return $this->varDirectory->getRelativePath(Import::IMPORT_HISTORY_DIR . $filename);
     }
 

app/code/Magento/ImportExport/Test/Unit/Helper/ReportTest.php

@@ -147,9 +147,38 @@ public function testGetSummaryStats()
         $this->assertInstanceOf(\Magento\Framework\Phrase::class, $message);
     }
 
+    /**
+     * @dataProvider importFileExistsDataProvider
+     * @expectedException \InvalidArgumentException
+     * @expectedExceptionMessage Filename has not permitted symbols in it
+     * @param string $fileName
+     * return void
+     */
+    public function testImportFileExistsException($fileName)
+    {
+        $this->report->importFileExists($fileName);
+    }
+
     public function testImportFileExists()
     {
-        $this->assertEquals($this->report->importFileExists('file'), true);
+        $this->assertEquals($this->report->importFileExists('..file..name'), true);
+    }
+
+    /**
+     * Dataprovider for testImportFileExistsException()
+     *
+     * @return array
+     */
+    public function importFileExistsDataProvider()
+    {
+        return [
+            [
+                'fileName' => 'some_folder/../another_folder',
+            ],
+            [
+                'fileName' => 'some_folder\..\another_folder',
+            ]
+        ];
     }
 
     /**