ENGCOM-5688: Throw exception to prevent infinite loop caused by third party code. #18678

Author: sidolov

app/code/Magento/Checkout/Model/Session.php

@@ -17,6 +17,7 @@
  * @api
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  * @SuppressWarnings(PHPMD.CookieAndSessionMisuse)
+ * @SuppressWarnings(PHPMD.TooManyFields)
  */
 class Session extends \Magento\Framework\Session\SessionManager
 {
@@ -46,6 +47,15 @@ class Session extends \Magento\Framework\Session\SessionManager
      */
     protected $_loadInactive = false;
 
+    /**
+     * A flag to track when the quote is being loaded and attached to the session object.
+     *
+     * Used in trigger_recollect infinite loop detection.
+     *
+     * @var bool
+     */
+    private $isLoading = false;
+
     /**
      * Loaded order instance
      *
@@ -227,6 +237,10 @@ public function getQuote()
         $this->_eventManager->dispatch('custom_quote_process', ['checkout_session' => $this]);
 
         if ($this->_quote === null) {
+            if ($this->isLoading) {
+                throw new \LogicException("Infinite loop detected, review the trace for the looping path");
+            }
+            $this->isLoading = true;
             $quote = $this->quoteFactory->create();
             if ($this->getQuoteId()) {
                 try {
@@ -289,6 +303,7 @@ public function getQuote()
 
             $quote->setStore($this->_storeManager->getStore());
             $this->_quote = $quote;
+            $this->isLoading = false;
         }
 
         if (!$this->isQuoteMasked() && !$this->_customerSession->isLoggedIn() && $this->getQuoteId()) {

dev/tests/integration/_files/Magento/TestModuleQuoteTotalsObserver/Model/Config.php

@@ -0,0 +1,28 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\TestModuleQuoteTotalsObserver\Model;
+
+class Config
+{
+    private $active = false;
+
+    public function enableObserver()
+    {
+        $this->active = true;
+    }
+
+    public function disableObserver()
+    {
+        $this->active = false;
+    }
+
+    public function isActive()
+    {
+        return $this->active;
+    }
+}

dev/tests/integration/_files/Magento/TestModuleQuoteTotalsObserver/Observer/AfterCollectTotals.php

@@ -0,0 +1,49 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\TestModuleQuoteTotalsObserver\Observer;
+
+use Magento\Framework\Event\Observer;
+use Magento\Framework\Event\ObserverInterface;
+
+class AfterCollectTotals implements ObserverInterface
+{
+    /**
+     * @var \Magento\Checkout\Model\Session
+     */
+    private $session;
+
+    /**
+     * @var \Magento\TestModuleQuoteTotalsObserver\Model\Config
+     */
+    private $config;
+
+    /**
+     * AfterCollectTotals constructor.
+     * @param \Magento\Checkout\Model\Session $messageManager
+     * @param \Magento\TestModuleQuoteTotalsObserver\Model\Config $config
+     */
+    public function __construct(
+        \Magento\Checkout\Model\Session $messageManager,
+        \Magento\TestModuleQuoteTotalsObserver\Model\Config $config
+    ) {
+        $this->config = $config;
+        $this->session = $messageManager;
+    }
+
+    /**
+     * @param Observer $observer
+     * @return void
+     */
+    public function execute(\Magento\Framework\Event\Observer $observer)
+    {
+        $observer->getEvent();
+        if ($this->config->isActive()) {
+            $this->session->getQuote();
+        }
+    }
+}

dev/tests/integration/_files/Magento/TestModuleQuoteTotalsObserver/etc/events.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+-->
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Event/etc/events.xsd">
+    <event name="sales_quote_collect_totals_after">
+        <observer name="test_module_quote_totals_observer_after_collect_totals" instance="Magento\TestModuleQuoteTotalsObserver\Observer\AfterCollectTotals" />
+    </event>
+</config>

dev/tests/integration/_files/Magento/TestModuleQuoteTotalsObserver/etc/module.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+-->
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Module/etc/module.xsd">
+    <module name="Magento_TestModuleQuoteTotalsObserver" active="true">
+    </module>
+</config>

dev/tests/integration/_files/Magento/TestModuleQuoteTotalsObserver/registration.php

@@ -0,0 +1,12 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+use Magento\Framework\Component\ComponentRegistrar;
+
+$registrar = new ComponentRegistrar();
+if ($registrar->getPath(ComponentRegistrar::MODULE, 'Magento_TestModuleQuoteTotalsObserver') === null) {
+    ComponentRegistrar::register(ComponentRegistrar::MODULE, 'Magento_TestModuleQuoteTotalsObserver', __DIR__);
+}

dev/tests/integration/testsuite/Magento/Quote/Model/QuoteInfiniteLoopTest.php

@@ -0,0 +1,138 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Quote\Model;
+
+use Magento\TestFramework\Helper\Bootstrap;
+use Magento\TestFramework\ObjectManager;
+
+/**
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
+ */
+class QuoteInfiniteLoopTest extends \PHPUnit\Framework\TestCase
+{
+    /**
+     * @var ObjectManager
+     */
+    private $objectManager;
+
+    /**
+     * @var \Magento\TestModuleQuoteTotalsObserver\Model\Config
+     */
+    private $config;
+
+    /**
+     * @inheritdoc
+     */
+    protected function setUp()
+    {
+        $this->objectManager = Bootstrap::getObjectManager();
+        $this->config = $this->objectManager->get(\Magento\TestModuleQuoteTotalsObserver\Model\Config::class);
+        $this->config->disableObserver();
+    }
+
+    /**
+     * @inheritdoc
+     */
+    protected function tearDown()
+    {
+        $this->config->disableObserver();
+        $this->objectManager->removeSharedInstance(\Magento\Checkout\Model\Session::class);
+    }
+
+    /**
+     * @dataProvider getLoadQuoteParametersProvider
+     *
+     * @param $triggerRecollect
+     * @param $observerEnabled
+     * @return void
+     */
+    public function testLoadQuoteSuccessfully($triggerRecollect, $observerEnabled): void
+    {
+        $originalQuote = $this->generateQuote($triggerRecollect);
+        $quoteId = $originalQuote->getId();
+
+        $this->assertGreaterThan(0, $quoteId, "The quote should have a database id");
+        $this->assertEquals(
+            $triggerRecollect,
+            $originalQuote->getTriggerRecollect(),
+            "trigger_recollect failed to be set"
+        );
+
+        if ($observerEnabled) {
+            $this->config->enableObserver();
+        }
+
+        /** @var  $session \Magento\Checkout\Model\Session */
+        $this->objectManager->removeSharedInstance(\Magento\Checkout\Model\Session::class);
+        $session = $this->objectManager->get(\Magento\Checkout\Model\Session::class);
+        $session->setQuoteId($quoteId);
+
+        $quote = $session->getQuote();
+        $this->assertEquals($quoteId, $quote->getId(), "The loaded quote should have the same ID as the initial quote");
+        $this->assertEquals(0, $quote->getTriggerRecollect(), "trigger_recollect should be unset after a quote reload");
+    }
+
+    /**
+     * @return array
+     */
+    public function getLoadQuoteParametersProvider()
+    {
+        return [
+            [0, false],
+            [0, true],
+            [1, false],
+            //[1, true], this combination of trigger recollect and third party code causes the loop, tested separately
+        ];
+    }
+
+    /**
+     * @expectedException \LogicException
+     * @expectedExceptionMessage Infinite loop detected, review the trace for the looping path
+     *
+     * @return void
+     */
+    public function testLoadQuoteWithTriggerRecollectInfiniteLoop(): void
+    {
+        $originalQuote = $this->generateQuote();
+        $quoteId = $originalQuote->getId();
+
+        $this->assertGreaterThan(0, $quoteId, "The quote should have a database id");
+        $this->assertEquals(1, $originalQuote->getTriggerRecollect(), "The quote has trigger_recollect set");
+
+        // Enable an observer which gets the quote from the session
+        // The observer hooks into part of the collect totals process for an easy demonstration of the loop.
+        $this->config->enableObserver();
+
+        /** @var  $session \Magento\Checkout\Model\Session */
+        $this->objectManager->removeSharedInstance(\Magento\Checkout\Model\Session::class);
+        $session = $this->objectManager->get(\Magento\Checkout\Model\Session::class);
+        $session->setQuoteId($quoteId);
+        $session->getQuote();
+    }
+
+    /**
+     * Generate a quote with trigger_recollect and save it in the database.
+     *
+     * @param int $triggerRecollect
+     * @return Quote
+     */
+    private function generateQuote($triggerRecollect = 1)
+    {
+        //Fully init a quote with standard quote session procedure
+        /** @var  $session \Magento\Checkout\Model\Session */
+        $session = $this->objectManager->create(\Magento\Checkout\Model\Session::class);
+        $session->setQuoteId(null);
+        $quote = $session->getQuote();
+        $quote->setTriggerRecollect($triggerRecollect);
+
+        /** @var \Magento\Quote\Api\CartRepositoryInterface $quoteRepository */
+        $quoteRepository = $this->objectManager->create('\Magento\Quote\Api\CartRepositoryInterface');
+        $quoteRepository->save($quote);
+        return $quote;
+    }
+}