Merge pull request #6646 from magento-tsg/2.4.3-develop-pr124

[Condor] Fixes for 2.4 (pr124) (2.4.3-develop)

Author: zakdma

app/code/Magento/Customer/Model/Metadata/Form/File.php

@@ -14,6 +14,7 @@
 use Magento\Framework\Exception\LocalizedException;
 use Magento\Framework\File\UploaderFactory;
 use Magento\Framework\Filesystem;
+use Magento\Framework\Filesystem\Io\File as IoFile;
 
 /**
  * Processes files that are save for customer.
@@ -62,6 +63,11 @@ class File extends AbstractData
      */
     protected $fileProcessorFactory;
 
+    /**
+     * @var IoFile|null
+     */
+    private $ioFile;
+
     /**
      * Constructor
      *
@@ -77,6 +83,7 @@ class File extends AbstractData
      * @param Filesystem $fileSystem
      * @param UploaderFactory $uploaderFactory
      * @param \Magento\Customer\Model\FileProcessorFactory|null $fileProcessorFactory
+     * @param IoFile|null $ioFile
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -91,7 +98,8 @@ public function __construct(
         \Magento\MediaStorage\Model\File\Validator\NotProtectedExtension $fileValidator,
         Filesystem $fileSystem,
         UploaderFactory $uploaderFactory,
-        \Magento\Customer\Model\FileProcessorFactory $fileProcessorFactory = null
+        \Magento\Customer\Model\FileProcessorFactory $fileProcessorFactory = null,
+        IoFile $ioFile = null
     ) {
         $value = $this->prepareFileValue($value);
         parent::__construct($localeDate, $logger, $attribute, $localeResolver, $value, $entityTypeCode, $isAjax);
@@ -102,6 +110,8 @@ public function __construct(
         $this->fileProcessorFactory = $fileProcessorFactory ?: ObjectManager::getInstance()
             ->get(FileProcessorFactory::class);
         $this->fileProcessor = $this->fileProcessorFactory->create(['entityTypeCode' => $this->_entityTypeCode]);
+        $this->ioFile = $ioFile ?: ObjectManager::getInstance()
+            ->get(IoFile::class);
     }
 
     /**
@@ -183,7 +193,7 @@ protected function _validateByRules($value)
     {
         $label = $value['name'];
         $rules = $this->getAttribute()->getValidationRules();
-        $extension = $this->getFileExtension($value['name']);
+        $extension = $this->ioFile->getPathInfo($value['name'])['extension'];
         $fileExtensions = ArrayObjectSearch::getArrayElementByName(
             $rules,
             'file_extensions'
@@ -221,28 +231,6 @@ protected function _validateByRules($value)
         return [];
     }
 
-    /**
-     * Get file extension from the file if it exists, otherwise, get from filename.
-     *
-     * @param string $fileName
-     * @return string
-     */
-    private function getFileExtension(string $fileName): string
-    {
-        return pathinfo($fileName, PATHINFO_EXTENSION);
-    }
-
-    /**
-     * Get file basename from the file if it exists, otherwise, get from filename.
-     *
-     * @param string $fileName
-     * @return string
-     */
-    private function getFileBasename(string $fileName): string
-    {
-        return pathinfo($fileName, PATHINFO_BASENAME);
-    }
-
     /**
      * Helper function that checks if the file was uploaded.
      *
@@ -259,7 +247,7 @@ protected function _isUploadedFile($filename)
         }
 
         // This case is required for file uploader UI component
-        $temporaryFile = FileProcessor::TMP_DIR . '/' . $this->getFileBasename($filename);
+        $temporaryFile = FileProcessor::TMP_DIR . '/' . $this->ioFile->getPathInfo($filename)['basename'];
         if ($this->fileProcessor->isExist($temporaryFile)) {
             return true;
         }

app/code/Magento/Security/view/base/web/js/escaper.js

@@ -157,7 +157,8 @@ define([], function () {
                     attribute = treeWalker.currentNode.attributes[i];
                     nodeName = treeWalker.currentNode.nodeName.toLowerCase();
 
-                    if (this.generallyAllowedAttributes.indexOf(attribute.name) === -1 || // eslint-disable-line max-depth,max-len
+                    if (this.generallyAllowedAttributes.indexOf(attribute.name) === -1  || // eslint-disable-line max-depth,max-len
+                        this._checkHrefValue(attribute) ||
                         this.forbiddenAttributesByElement[nodeName] &&
                         this.forbiddenAttributesByElement[nodeName].indexOf(attribute.name) !== -1
                     ) {
@@ -169,6 +170,16 @@ define([], function () {
             attributesToRemove.forEach(function (attributeToRemove) {
                 attributeToRemove.ownerElement.removeAttribute(attributeToRemove.name);
             });
+        },
+
+        /**
+         * Check that attribute contains script content
+         *
+         * @param {Object} attribute
+         * @private
+         */
+        _checkHrefValue: function (attribute) {
+            return attribute.nodeName === 'href' && attribute.nodeValue.startsWith('javascript');
         }
     };
 });

dev/tests/js/jasmine/tests/app/code/Magento/Security/view/base/web/js/escaper.test.js

@@ -131,6 +131,11 @@ define([
                 data: '<spa>n id="id1">Some string</span>',
                 expected: 'n id="id1"&gt;Some string',
                 allowedTags: ['span']
+            },
+            'link with script content': {
+                data: '<a href="javascript:void">Click</a>',
+                expected: '<a>Click</a>',
+                allowedTags: ['a']
             }
         };
     }

lib/internal/Magento/Framework/App/StaticResource.php

@@ -9,6 +9,8 @@
 use Magento\Framework\ObjectManager\ConfigLoaderInterface;
 use Magento\Framework\Filesystem;
 use Magento\Framework\Config\ConfigOptionsListConstants;
+use Magento\Framework\Validator\Locale;
+use Magento\Framework\View\Design\Theme\ThemePackageList;
 use Psr\Log\LoggerInterface;
 use Magento\Framework\Debug;
 use Magento\Framework\Filesystem\Driver\File;
@@ -80,6 +82,16 @@ class StaticResource implements \Magento\Framework\AppInterface
      */
     private $driver;
 
+    /**
+     * @var ThemePackageList
+     */
+    private $themePackageList;
+
+    /**
+     * @var Locale
+     */
+    private $localeValidator;
+
     /**
      * @param State $state
      * @param Response\FileInterface $response
@@ -91,6 +103,8 @@ class StaticResource implements \Magento\Framework\AppInterface
      * @param ConfigLoaderInterface $configLoader
      * @param DeploymentConfig|null $deploymentConfig
      * @param File|null $driver
+     * @param ThemePackageList|null $themePackageList
+     * @param Locale|null $localeValidator
      *
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
@@ -104,7 +118,9 @@ public function __construct(
         \Magento\Framework\ObjectManagerInterface $objectManager,
         ConfigLoaderInterface $configLoader,
         DeploymentConfig $deploymentConfig = null,
-        File $driver = null
+        File $driver = null,
+        ThemePackageList $themePackageList = null,
+        Locale $localeValidator = null
     ) {
         $this->state = $state;
         $this->response = $response;
@@ -116,6 +132,8 @@ public function __construct(
         $this->configLoader = $configLoader;
         $this->deploymentConfig = $deploymentConfig ?: ObjectManager::getInstance()->get(DeploymentConfig::class);
         $this->driver = $driver ?: ObjectManager::getInstance()->get(File::class);
+        $this->themePackageList = $themePackageList ?? ObjectManager::getInstance()->get(ThemePackageList::class);
+        $this->localeValidator = $localeValidator ?? ObjectManager::getInstance()->get(Locale::class);
     }
 
     /**
@@ -149,6 +167,16 @@ public function launch()
             throw $e;
         }
 
+        if (!($this->isThemeAllowed($params['area'] . DIRECTORY_SEPARATOR . $params['theme'])
+            && $this->localeValidator->isValid($params['locale']))
+        ) {
+            if ($appMode == \Magento\Framework\App\State::MODE_PRODUCTION) {
+                $this->response->setHttpResponseCode(404);
+                return $this->response;
+            }
+            throw new \InvalidArgumentException('Requested path ' . $path . ' is wrong.');
+        }
+
         $this->state->setAreaCode($params['area']);
         $this->objectManager->configure($this->configLoader->load($params['area']));
         $file = $params['file'];
@@ -247,4 +275,9 @@ private function getLogger()
 
         return $this->logger;
     }
+
+    private function isThemeAllowed(string $theme): bool
+    {
+        return in_array($theme, array_keys($this->themePackageList->getThemes()));
+    }
 }

lib/internal/Magento/Framework/App/Test/Unit/StaticResourceTest.php

@@ -19,8 +19,10 @@
 use Magento\Framework\Filesystem\Driver\File;
 use Magento\Framework\Module\ModuleList;
 use Magento\Framework\ObjectManagerInterface;
+use Magento\Framework\Validator\Locale;
 use Magento\Framework\View\Asset\LocalInterface;
 use Magento\Framework\View\Asset\Repository;
+use Magento\Framework\View\Design\Theme\ThemePackageList;
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
 use Psr\Log\LoggerInterface;
@@ -85,6 +87,16 @@ class StaticResourceTest extends TestCase
      */
     private $driverMock;
 
+    /**
+     * @var ThemePackageList|MockObject
+     */
+    private $themePackageListMock;
+
+    /**
+     * @var Locale|MockObject
+     */
+    private $localeValidatorMock;
+
     /**
      * @var StaticResource
      */
@@ -106,6 +118,8 @@ protected function setUp(): void
         $this->configLoaderMock = $this->createMock(ConfigLoader::class);
         $this->deploymentConfigMock = $this->createMock(DeploymentConfig::class);
         $this->driverMock = $this->createMock(File::class);
+        $this->themePackageListMock = $this->createMock(ThemePackageList::class);
+        $this->localeValidatorMock = $this->createMock(Locale::class);
         $this->object = new StaticResource(
             $this->stateMock,
             $this->responseMock,
@@ -116,7 +130,9 @@ protected function setUp(): void
             $this->objectManagerMock,
             $this->configLoaderMock,
             $this->deploymentConfigMock,
-            $this->driverMock
+            $this->driverMock,
+            $this->themePackageListMock,
+            $this->localeValidatorMock
         );
     }
 
@@ -210,6 +226,16 @@ public function testLaunch(
         $this->driverMock->expects($this->once())
             ->method('getRealPathSafety')
             ->willReturnArgument(0);
+        $this->themePackageListMock->expects($this->atLeastOnce())->method('getThemes')->willReturn(
+            [
+                'area/Magento/theme' => [
+                    'area' => 'area',
+                    'vendor' => 'Magento',
+                    'name' => 'theme',
+                ],
+            ],
+        );
+        $this->localeValidatorMock->expects($this->once())->method('isValid')->willReturn(true);
         $this->object->launch();
     }
 
@@ -353,4 +379,86 @@ public function testLaunchPathAbove()
 
         $this->object->launch();
     }
+
+    /**
+     * @param array $themes
+     * @dataProvider themesDataProvider
+     */
+    public function testLaunchWithInvalidTheme(array $themes): void
+    {
+        $this->expectException('InvalidArgumentException');
+        $path = 'frontend/Test/luma/en_US/calendar.css';
+
+        $this->stateMock->expects($this->once())
+            ->method('getMode')
+            ->willReturn(State::MODE_DEVELOPER);
+        $this->requestMock->expects($this->once())
+            ->method('get')
+            ->with('resource')
+            ->willReturn($path);
+        $this->driverMock->expects($this->once())
+            ->method('getRealPathSafety')
+            ->with($path)
+            ->willReturn($path);
+        $this->themePackageListMock->expects($this->once())->method('getThemes')->willReturn($themes);
+        $this->localeValidatorMock->expects($this->never())->method('isValid');
+        $this->expectExceptionMessage('Requested path ' . $path . ' is wrong.');
+
+        $this->object->launch();
+    }
+
+    /**
+     * @param array $themes
+     * @dataProvider themesDataProvider
+     */
+    public function testLaunchWithInvalidLocale(array $themes): void
+    {
+        $this->expectException('InvalidArgumentException');
+        $path = 'frontend/Magento/luma/test/calendar.css';
+
+        $this->stateMock->expects($this->once())
+            ->method('getMode')
+            ->willReturn(State::MODE_DEVELOPER);
+        $this->requestMock->expects($this->once())
+            ->method('get')
+            ->with('resource')
+            ->willReturn($path);
+        $this->driverMock->expects($this->once())
+            ->method('getRealPathSafety')
+            ->with($path)
+            ->willReturn($path);
+        $this->themePackageListMock->expects($this->once())->method('getThemes')->willReturn($themes);
+        $this->localeValidatorMock->expects($this->once())->method('isValid')->willReturn(false);
+        $this->expectExceptionMessage('Requested path ' . $path . ' is wrong.');
+
+        $this->object->launch();
+    }
+
+    /**
+     * @return array
+     */
+    public function themesDataProvider(): array
+    {
+        return  [
+            [
+                [
+                    'adminhtml/Magento/backend' => [
+                        'area' => 'adminhtml',
+                        'vendor' => 'Magento',
+                        'name' => 'backend',
+                    ],
+                    'frontend/Magento/blank' => [
+                        'area' => 'frontend',
+                        'vendor' => 'Magento',
+                        'name' => 'blank',
+                    ],
+                    'frontend/Magento/luma' => [
+                        'area' => 'frontend',
+                        'vendor' => 'Magento',
+                        'name' => 'luma',
+                    ],
+                ],
+            ],
+        ];
+    }
 }