Merge pull request #9488 from magento-cia/cia-2.4.8-beta2-develop-bugfix-01112025

pawan-adobe-security · web-flow · commit 22a4ba2a4f6a · 2025-01-13T23:45:48.000+05:30
Cia 2.4.8 beta2 develop bugfix 01112025
diff --git a/app/code/Magento/Customer/Plugin/AsyncRequestCustomerGroupAuthorization.php b/app/code/Magento/Customer/Plugin/AsyncRequestCustomerGroupAuthorization.php
@@ -1,6 +1,7 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
+ * Copyright 2025 Adobe
+ * All rights reserved.
  * See COPYING.txt for license details.
  */
 
@@ -9,7 +10,6 @@
 namespace Magento\Customer\Plugin;
 
 use Magento\Customer\Api\Data\CustomerInterface;
-use Magento\Framework\App\ObjectManager;
 use Magento\Framework\AuthorizationInterface;
 use Magento\Framework\Exception\AuthorizationException;
 use Magento\AsynchronousOperations\Model\MassSchedule;
@@ -60,6 +60,11 @@ public function beforePublishMass(
         string       $groupId = null,
         string       $userId = null
     ) {
+        // only apply the plugin on account create.
+        if ($topic !== 'async.magento.customer.api.accountmanagementinterface.createaccount.post') {
+            return;
+        }
+
         foreach ($entitiesArray as $entityParams) {
             foreach ($entityParams as $entity) {
                 if ($entity instanceof CustomerInterface) {
diff --git a/app/code/Magento/Quote/etc/webapi.xml b/app/code/Magento/Quote/etc/webapi.xml
@@ -1,7 +1,8 @@
 <?xml version="1.0"?>
 <!--
 /**
- * Copyright © Magento, Inc. All rights reserved.
+ * Copyright 2025 Adobe
+ * All rights reserved.
  * See COPYING.txt for license details.
  */
 -->
@@ -98,6 +99,9 @@
         <resources>
             <resource ref="self" />
         </resources>
+        <data>
+            <parameter name="customerId" force="true">%customer_id%</parameter>
+        </data>
     </route>
     <route url="/V1/guest-carts/:cartId/order" method="PUT">
         <service class="Magento\Quote\Api\GuestCartManagementInterface" method="placeOrder"/>
diff --git a/app/code/Magento/WebapiAsync/Controller/Rest/Asynchronous/InputParamsResolver.php b/app/code/Magento/WebapiAsync/Controller/Rest/Asynchronous/InputParamsResolver.php
@@ -1,17 +1,20 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
+ * Copyright 2025 Adobe
+ * All rights reserved.
  * See COPYING.txt for license details.
  */
 
 declare(strict_types=1);
 
 namespace Magento\WebapiAsync\Controller\Rest\Asynchronous;
 
+use Magento\Framework\Api\SimpleDataObjectConverter;
 use Magento\Framework\App\ObjectManager;
 use Magento\Framework\Exception\AuthorizationException;
 use Magento\Framework\Exception\InputException;
 use Magento\Framework\Exception\LocalizedException;
+use Magento\Framework\Reflection\MethodsMap;
 use Magento\Framework\Webapi\Exception;
 use Magento\Framework\Webapi\Rest\Request as RestRequest;
 use Magento\Framework\Webapi\ServiceInputProcessor;
@@ -24,6 +27,8 @@
 
 /**
  * This class is responsible for retrieving resolved input data
+ *
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
 class InputParamsResolver
 {
@@ -61,6 +66,11 @@ class InputParamsResolver
      */
     private $inputArraySizeLimitValue;
 
+    /**
+     * @var MethodsMap
+     */
+    private $methodsMap;
+
     /**
      * Initialize dependencies.
      *
@@ -72,6 +82,7 @@ class InputParamsResolver
      * @param WebapiInputParamsResolver $inputParamsResolver
      * @param bool $isBulk
      * @param InputArraySizeLimitValue|null $inputArraySizeLimitValue
+     * @param MethodsMap|null $methodsMap
      */
     public function __construct(
         RestRequest $request,
@@ -81,7 +92,8 @@ public function __construct(
         RequestValidator $requestValidator,
         WebapiInputParamsResolver $inputParamsResolver,
         bool $isBulk = false,
-        ?InputArraySizeLimitValue $inputArraySizeLimitValue = null
+        ?InputArraySizeLimitValue $inputArraySizeLimitValue = null,
+        ?MethodsMap $methodsMap = null
     ) {
         $this->request = $request;
         $this->paramsOverrider = $paramsOverrider;
@@ -92,6 +104,8 @@ public function __construct(
         $this->isBulk = $isBulk;
         $this->inputArraySizeLimitValue = $inputArraySizeLimitValue ?? ObjectManager::getInstance()
                 ->get(InputArraySizeLimitValue::class);
+        $this->methodsMap = $methodsMap ?? ObjectManager::getInstance()
+            ->get(MethodsMap::class);
     }
 
     /**
@@ -119,6 +133,8 @@ public function resolve()
         $routeServiceMethod = $route->getServiceMethod();
         $this->inputArraySizeLimitValue->set($route->getInputArraySizeLimit());
 
+        $this->validateParameters($routeServiceClass, $routeServiceMethod, array_keys($route->getParameters()));
+
         foreach ($inputData as $key => $singleEntityParams) {
             if (!is_array($singleEntityParams)) {
                 continue;
@@ -147,11 +163,22 @@ public function getInputData()
         $inputData = $this->request->getRequestData();
 
         $httpMethod = $this->request->getHttpMethod();
-        if ($httpMethod == RestRequest::HTTP_METHOD_DELETE) {
+        if ($httpMethod === RestRequest::HTTP_METHOD_DELETE) {
             $requestBodyParams = $this->request->getBodyParams();
             $inputData = array_merge($requestBodyParams, $inputData);
         }
-        return $inputData;
+
+        return array_map(function ($singleEntityParams) {
+            if (is_array($singleEntityParams)) {
+                $singleEntityParams = $this->filterInputData($singleEntityParams);
+                $singleEntityParams = $this->paramsOverrider->override(
+                    $singleEntityParams,
+                    $this->getRoute()->getParameters()
+                );
+            }
+
+            return $singleEntityParams;
+        }, $inputData);
     }
 
     /**
@@ -184,4 +211,64 @@ private function resolveBulkItemParams(array $inputData, string $serviceClass, s
     {
         return $this->serviceInputProcessor->process($serviceClass, $serviceMethod, $inputData);
     }
+
+    /**
+     * Validates InputData
+     *
+     * @param array $inputData
+     * @return array
+     */
+    private function filterInputData(array $inputData): array
+    {
+        $result = [];
+
+        $data = array_filter($inputData, function ($k) use (&$result) {
+            $key = is_string($k) ? strtolower(str_replace('_', "", $k)) : $k;
+            return !isset($result[$key]) && ($result[$key] = true);
+        }, ARRAY_FILTER_USE_KEY);
+
+        return array_map(function ($value) {
+            return is_array($value) ? $this->filterInputData($value) : $value;
+        }, $data);
+    }
+
+    /**
+     * Validate that parameters are really used in the current request.
+     *
+     * @param string $serviceClassName
+     * @param string $serviceMethodName
+     * @param array $paramOverriders
+     */
+    private function validateParameters(
+        string $serviceClassName,
+        string $serviceMethodName,
+        array $paramOverriders
+    ): void {
+        $methodParams = $this->methodsMap->getMethodParams($serviceClassName, $serviceMethodName);
+        foreach ($paramOverriders as $key => $param) {
+            $arrayKeys = explode('.', $param ?? '');
+            $value = array_shift($arrayKeys);
+
+            foreach ($methodParams as $serviceMethodParam) {
+                $serviceMethodParamName = $serviceMethodParam[MethodsMap::METHOD_META_NAME];
+                $serviceMethodType = $serviceMethodParam[MethodsMap::METHOD_META_TYPE];
+
+                $camelCaseValue = SimpleDataObjectConverter::snakeCaseToCamelCase($value);
+                if ($serviceMethodParamName === $value || $serviceMethodParamName === $camelCaseValue) {
+                    if (count($arrayKeys) > 0) {
+                        $camelCaseKey = SimpleDataObjectConverter::snakeCaseToCamelCase('set_' . $arrayKeys[0]);
+                        $this->validateParameters($serviceMethodType, $camelCaseKey, [implode('.', $arrayKeys)]);
+                    }
+                    unset($paramOverriders[$key]);
+                    break;
+                }
+            }
+        }
+
+        if (!empty($paramOverriders)) {
+             $message = 'The current request does not expect the next parameters: '
+                 . implode(', ', $paramOverriders);
+             throw new \UnexpectedValueException(__($message)->__toString());
+        }
+    }
 }
diff --git a/app/code/Magento/WebapiAsync/Controller/Rest/AsynchronousRequestProcessor.php b/app/code/Magento/WebapiAsync/Controller/Rest/AsynchronousRequestProcessor.php
@@ -1,6 +1,7 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
+ * Copyright 2025 Adobe
+ * All rights reserved.
  * See COPYING.txt for license details.
  */
 
@@ -9,6 +10,10 @@
 namespace Magento\WebapiAsync\Controller\Rest;
 
 use Magento\Framework\Exception\BulkException;
+use Magento\Framework\Exception\InputException;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Framework\Webapi\Exception;
+use Magento\Framework\Webapi\Rest\Request;
 use Magento\Webapi\Controller\Rest\RequestProcessorInterface;
 use Magento\Framework\Webapi\Rest\Response as RestResponse;
 use Magento\WebapiAsync\Controller\Rest\Asynchronous\InputParamsResolver;
@@ -17,8 +22,6 @@
 use Magento\Framework\Reflection\DataObjectProcessor;
 use Magento\AsynchronousOperations\Api\Data\AsyncResponseInterfaceFactory;
 use Magento\AsynchronousOperations\Api\Data\AsyncResponseInterface;
-use Magento\Framework\Webapi\Rest\Request;
-use Magento\Framework\Webapi\Exception;
 
 /**
  * Responsible for dispatching single and bulk requests.
@@ -121,13 +124,15 @@ public function process(Request $request)
     }
 
     /**
-     * Get topic name from webapi_async_config services config array by route url and http method
-     *
-     * @param \Magento\Framework\Webapi\Rest\Request $request
+     * Get Topic Name
      *
+     * @param Request $request
      * @return string
+     * @throws InputException
+     * @throws LocalizedException
+     * @throws Exception
      */
-    private function getTopicName($request)
+    private function getTopicName(Request $request): string
     {
         $route = $this->inputParamsResolver->getRoute();
 
@@ -147,49 +152,22 @@ public function canProcess(Request $request)
         }
 
         if (preg_match($this->processorPath, $request->getPathInfo()) === 1) {
-            return $this->checkSelfResourceRequest($request);
+            return true;
         }
-
         return false;
     }
 
     /**
-     * Check if current request is bulk request
+     * To check if it is bulk
      *
      * @param Request $request
      * @return bool
      */
-    public function isBulk(Request $request)
+    public function isBulk(Request $request): bool
     {
         if (preg_match(self::BULK_PROCESSOR_PATH, $request->getPathInfo()) === 1) {
             return true;
         }
         return false;
     }
-
-    /**
-     * Check if current request is self resource request
-     *
-     * @param Request $request
-     * @return bool
-     *
-     * @throws Exception
-     */
-    private function checkSelfResourceRequest(Request $request): bool
-    {
-        $path = preg_replace($this->processorPath, "$1", $request->getPathInfo());
-        $request->setPathInfo(
-            $path
-        );
-
-        $route = $this->inputParamsResolver->getRoute();
-        $aclResources = $route->getAclResources();
-
-        // We do not process self resource requests asynchronously
-        if (in_array('self', $aclResources, true)) {
-            return false;
-        }
-
-        return true;
-    }
 }
diff --git a/app/code/Magento/WebapiAsync/Test/Unit/Controller/AsynchronousRequestProcessorTest.php b/app/code/Magento/WebapiAsync/Test/Unit/Controller/AsynchronousRequestProcessorTest.php
diff --git a/dev/tests/api-functional/testsuite/Magento/Quote/Api/GuestCartManagementTest.php b/dev/tests/api-functional/testsuite/Magento/Quote/Api/GuestCartManagementTest.php
