Merge pull request #3621 from magento-trigger/MC-5899

[trigger] MC-5899: Wishlist - Insecure Direct Object Reference

Author: joanhe

app/code/Magento/Wishlist/Model/Rss/Wishlist.php

@@ -118,10 +118,8 @@ public function __construct(
      */
     public function isAllowed()
     {
-        return $this->scopeConfig->isSetFlag(
-            'rss/wishlist/active',
-            ScopeInterface::SCOPE_STORE
-        );
+        return $this->scopeConfig->isSetFlag('rss/wishlist/active', ScopeInterface::SCOPE_STORE)
+            && $this->getWishlist()->getCustomerId() === $this->wishlistHelper->getCustomer()->getId();
     }
 
     /**
@@ -185,8 +183,8 @@ public function getRssData()
             }
         } else {
             $data = [
-                'title' => __('We cannot retrieve the Wish List.'),
-                'description' => __('We cannot retrieve the Wish List.'),
+                'title' => __('We cannot retrieve the Wish List.')->render(),
+                'description' => __('We cannot retrieve the Wish List.')->render(),
                 'link' => $this->urlBuilder->getUrl(),
                 'charset' => 'UTF-8',
             ];
@@ -202,7 +200,7 @@ public function getRssData()
      */
     public function getCacheKey()
     {
-        return 'rss_wishlist_data';
+        return 'rss_wishlist_data_' . $this->getWishlist()->getId();
     }
 
     /**
@@ -224,7 +222,7 @@ public function getHeader()
     {
         $customerId = $this->getWishlist()->getCustomerId();
         $customer = $this->customerFactory->create()->load($customerId);
-        $title = __('%1\'s Wishlist', $customer->getName());
+        $title = __('%1\'s Wishlist', $customer->getName())->render();
         $newUrl = $this->urlBuilder->getUrl(
             'wishlist/shared/index',
             ['code' => $this->getWishlist()->getSharingCode()]

app/code/Magento/Wishlist/Test/Unit/Model/Rss/WishlistTest.php

@@ -278,15 +278,35 @@ protected function processWishlistItemDescription($wishlistModelMock, $staticArg
 
     public function testIsAllowed()
     {
+        $customerId = 1;
+        $customerServiceMock = $this->createMock(\Magento\Customer\Api\Data\CustomerInterface::class);
+        $wishlist = $this->getMockBuilder(\Magento\Wishlist\Model\Wishlist::class)->setMethods(
+            ['getId', '__wakeup', 'getCustomerId', 'getItemCollection', 'getSharingCode']
+        )->disableOriginalConstructor()->getMock();
+        $wishlist->expects($this->once())->method('getCustomerId')->willReturn($customerId);
+        $this->wishlistHelperMock->expects($this->any())->method('getWishlist')
+            ->will($this->returnValue($wishlist));
+        $this->wishlistHelperMock->expects($this->any())
+            ->method('getCustomer')
+            ->will($this->returnValue($customerServiceMock));
+        $customerServiceMock->expects($this->once())->method('getId')->willReturn($customerId);
         $this->scopeConfig->expects($this->once())->method('isSetFlag')
             ->with('rss/wishlist/active', \Magento\Store\Model\ScopeInterface::SCOPE_STORE)
             ->will($this->returnValue(true));
+
         $this->assertTrue($this->model->isAllowed());
     }
 
     public function testGetCacheKey()
     {
-        $this->assertEquals('rss_wishlist_data', $this->model->getCacheKey());
+        $wishlistId = 1;
+        $wishlist = $this->getMockBuilder(\Magento\Wishlist\Model\Wishlist::class)->setMethods(
+            ['getId', '__wakeup', 'getCustomerId', 'getItemCollection', 'getSharingCode']
+        )->disableOriginalConstructor()->getMock();
+        $wishlist->expects($this->once())->method('getId')->willReturn($wishlistId);
+        $this->wishlistHelperMock->expects($this->any())->method('getWishlist')
+            ->will($this->returnValue($wishlist));
+        $this->assertEquals('rss_wishlist_data_1', $this->model->getCacheKey());
     }
 
     public function testGetCacheLifetime()

dev/tests/integration/testsuite/Magento/Rss/Controller/Feed/IndexTest.php

@@ -0,0 +1,91 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Rss\Controller\Feed;
+
+class IndexTest extends \Magento\TestFramework\TestCase\AbstractBackendController
+{
+    /**
+     * @var \Magento\Rss\Model\UrlBuilder
+     */
+    private $urlBuilder;
+
+    /**
+     * @var \Magento\Customer\Api\CustomerRepositoryInterface
+     */
+    private $customerRepository;
+
+    /**
+     * @var \Magento\Wishlist\Model\Wishlist
+     */
+    private $wishlist;
+
+    /**
+     * @var
+     */
+    private $customerSession;
+
+    protected function setUp()
+    {
+        parent::setUp();
+        $this->urlBuilder = $this->_objectManager->get(\Magento\Rss\Model\UrlBuilder::class);
+        $this->customerRepository = $this->_objectManager->get(
+            \Magento\Customer\Api\CustomerRepositoryInterface::class
+        );
+        $this->wishlist = $this->_objectManager->get(\Magento\Wishlist\Model\Wishlist::class);
+        $this->customerSession = $this->_objectManager->get(\Magento\Customer\Model\Session::class);
+    }
+
+    /**
+     * Check Rss response.
+     *
+     * @magentoAppIsolation enabled
+     * @magentoDataFixture Magento/Wishlist/_files/two_wishlists_for_two_diff_customers.php
+     * @magentoConfigFixture current_store rss/wishlist/active 1
+     * @magentoConfigFixture current_store rss/config/active 1
+     */
+    public function testRssResponse()
+    {
+        $firstCustomerId = 1;
+        $this->customerSession->setCustomerId($firstCustomerId);
+        $customer = $this->customerRepository->getById($firstCustomerId);
+        $customerEmail = $customer->getEmail();
+        $wishlistId = $this->wishlist->loadByCustomerId($firstCustomerId)->getId();
+        $this->dispatch($this->getLink($firstCustomerId, $customerEmail, $wishlistId));
+        $body = $this->getResponse()->getBody();
+        $this->assertContains('<title>John Smith\'s Wishlist</title>', $body);
+    }
+
+    /**
+     * Check Rss with incorrect wishlist id.
+     *
+     * @magentoAppIsolation enabled
+     * @magentoDataFixture Magento/Wishlist/_files/two_wishlists_for_two_diff_customers.php
+     * @magentoConfigFixture current_store rss/wishlist/active 1
+     * @magentoConfigFixture current_store rss/config/active 1
+     */
+    public function testRssResponseWithIncorrectWishlistId()
+    {
+        $firstCustomerId = 1;
+        $secondCustomerId = 2;
+        $this->customerSession->setCustomerId($firstCustomerId);
+        $customer = $this->customerRepository->getById($firstCustomerId);
+        $customerEmail = $customer->getEmail();
+        $wishlistId = $this->wishlist->loadByCustomerId($secondCustomerId, true)->getId();
+        $this->dispatch($this->getLink($firstCustomerId, $customerEmail, $wishlistId));
+        $body = $this->getResponse()->getBody();
+        $this->assertContains('<title>404 Not Found</title>', $body);
+    }
+
+    private function getLink($customerId, $customerEmail, $wishlistId)
+    {
+
+        return 'rss/feed/index/type/wishlist/data/'
+            . base64_encode($customerId . ',' . $customerEmail)
+            . '/wishlist_id/' . $wishlistId;
+    }
+}

dev/tests/integration/testsuite/Magento/Wishlist/_files/two_wishlists_for_two_diff_customers.php

@@ -0,0 +1,25 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+require __DIR__ . '/../../../Magento/Customer/_files/two_customers.php';
+require __DIR__ . '/../../../Magento/Catalog/_files/product_simple.php';
+
+$firstCustomerIdFromFixture = 1;
+$wishlistForFirstCustomer = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()->create(
+    \Magento\Wishlist\Model\Wishlist::class
+);
+$wishlistForFirstCustomer->loadByCustomerId($firstCustomerIdFromFixture, true);
+$item = $wishlistForFirstCustomer->addNewItem($product, new \Magento\Framework\DataObject([]));
+$wishlistForFirstCustomer->save();
+
+$secondCustomerIdFromFixture = 2;
+$wishlistForSecondCustomer = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()->create(
+    \Magento\Wishlist\Model\Wishlist::class
+);
+$wishlistForSecondCustomer->loadByCustomerId($secondCustomerIdFromFixture, true);
+$item = $wishlistForSecondCustomer->addNewItem($product, new \Magento\Framework\DataObject([]));
+$wishlistForSecondCustomer->save();

dev/tests/integration/testsuite/Magento/Wishlist/_files/two_wishlists_for_two_diff_customers_rollback.php

@@ -0,0 +1,19 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+/** @var \Magento\Framework\ObjectManagerInterface $objectManager */
+$objectManager = \Magento\TestFramework\Helper\Bootstrap::getObjectManager();
+
+/** @var \Magento\Wishlist\Model\Wishlist $wishlist */
+$wishlist = $objectManager->create(\Magento\Wishlist\Model\Wishlist::class);
+$wishlist->loadByCustomerId(1);
+$wishlist->delete();
+$wishlist->loadByCustomerId(2);
+$wishlist->delete();
+
+require __DIR__ . '/../../../Magento/Customer/_files/two_customers_rollback.php';
+require __DIR__ . '/../../../Magento/Catalog/_files/product_simple_rollback.php';