Merge remote-tracking branch 'origin/MAGETWO-72052' into 2.3-develop-pr4

Author: DianaRusin

app/code/Magento/ImportExport/Controller/Adminhtml/History/Download.php

@@ -39,7 +39,7 @@ public function __construct(
      */
     public function execute()
     {
-        $fileName = $this->getRequest()->getParam('filename');
+        $fileName = basename($this->getRequest()->getParam('filename'));
 
         /** @var \Magento\ImportExport\Helper\Report $reportHelper */
         $reportHelper = $this->_objectManager->get(\Magento\ImportExport\Helper\Report::class);

app/code/Magento/ImportExport/Test/Unit/Controller/Adminhtml/History/DownloadTest.php

@@ -72,8 +72,9 @@ class DownloadTest extends \PHPUnit\Framework\TestCase
      */
     protected function setUp()
     {
-        $this->request = $this->createPartialMock(\Magento\Framework\App\Request\Http::class, ['getParam']);
-        $this->request->expects($this->any())->method('getParam')->with('filename')->willReturn('filename');
+        $this->request = $this->getMockBuilder(\Magento\Framework\App\Request\Http::class)
+            ->disableOriginalConstructor()
+            ->getMock();
         $this->reportHelper = $this->createPartialMock(
             \Magento\ImportExport\Helper\Report::class,
             ['importFileExists', 'getReportSize', 'getReportOutput']
@@ -126,21 +127,44 @@ protected function setUp()
     }
 
     /**
-     * Test execute()
+     * Tests download controller with different file names in request.
+     *
+     * @param string $requestFilename
+     * @param string $processedFilename
+     * @dataProvider executeDataProvider
      */
-    public function testExecute()
+    public function testExecute($requestFilename, $processedFilename)
     {
-        $this->reportHelper->expects($this->any())->method('importFileExists')->willReturn(true);
+        $this->request->method('getParam')
+            ->with('filename')
+            ->willReturn($requestFilename);
+
+        $this->reportHelper->method('importFileExists')
+            ->with($processedFilename)
+            ->willReturn(true);
         $this->resultRaw->expects($this->once())->method('setContents');
         $this->downloadController->execute();
     }
 
+    /**
+     * @return array
+     */
+    public function executeDataProvider()
+    {
+        return [
+            'Normal file name' => ['filename.csv', 'filename.csv'],
+            'Relative file name' => ['../../../../../../../../etc/passwd', 'passwd'],
+            'Empty file name' => ['', ''],
+        ];
+    }
+
     /**
      * Test execute() with not found file
      */
     public function testExecuteFileNotFound()
     {
-        $this->reportHelper->expects($this->any())->method('importFileExists')->willReturn(false);
+        $this->request->method('getParam')->with('filename')->willReturn('filename');
+        $this->reportHelper->method('importFileExists')->willReturn(false);
         $this->resultRaw->expects($this->never())->method('setContents');
         $this->downloadController->execute();
     }