MC-18100: Changes in Downloadable product upload controller

OlgaVasyltsun · OlgaVasyltsun · commit 4b3b814f3954 · 2019-07-25T09:12:48.000+03:00
diff --git a/app/code/Magento/Downloadable/Controller/Adminhtml/Downloadable/File/Upload.php b/app/code/Magento/Downloadable/Controller/Adminhtml/Downloadable/File/Upload.php
@@ -17,6 +17,8 @@
 use Magento\MediaStorage\Helper\File\Storage\Database;
 use Magento\Framework\App\RequestInterface;
 use Magento\Framework\App\State;
+use Magento\Framework\Exception\FileSystemException;
+use Magento\Framework\Exception\LocalizedException;
 
 /**
  * Upload controller
@@ -109,23 +111,27 @@ public function dispatch(RequestInterface $request)
      */
     public function execute()
     {
-        $type = $this->getRequest()->getParam('type');
-        $tmpPath = '';
-        if ($type == 'samples') {
-            $tmpPath = $this->_sample->getBaseTmpPath();
-        } elseif ($type == 'links') {
-            $tmpPath = $this->_link->getBaseTmpPath();
-        } elseif ($type == 'link_samples') {
-            $tmpPath = $this->_link->getBaseSampleTmpPath();
-        }
-
         try {
+            $type = $this->getRequest()->getParam('type');
+            $tmpPath = '';
+            if ($type === 'samples') {
+                $tmpPath = $this->_sample->getBaseTmpPath();
+            } elseif ($type === 'links') {
+                $tmpPath = $this->_link->getBaseTmpPath();
+            } elseif ($type === 'link_samples') {
+                $tmpPath = $this->_link->getBaseSampleTmpPath();
+            } else {
+                throw new LocalizedException(__('Upload type can not be determined.'));
+            }
+
             $uploader = $this->uploaderFactory->create(['fileId' => $type]);
 
             $result = $this->_fileHelper->uploadFromTmp($tmpPath, $uploader);
 
             if (!$result) {
-                throw new \Exception('File can not be moved from temporary folder to the destination folder.');
+                throw new FileSystemException(
+                    __('File can not be moved from temporary folder to the destination folder.')
+                );
             }
 
             unset($result['tmp_name'], $result['path']);
@@ -137,6 +143,7 @@ public function execute()
         } catch (\Exception $e) {
             $result = ['error' => $e->getMessage(), 'errorcode' => $e->getCode()];
         }
+
         return $this->resultFactory->create(ResultFactory::TYPE_JSON)->setData($result);
     }
 }
diff --git a/dev/tests/integration/testsuite/Magento/Downloadable/Controller/Adminhtml/Downloadable/File/UploadTest.php b/dev/tests/integration/testsuite/Magento/Downloadable/Controller/Adminhtml/Downloadable/File/UploadTest.php
@@ -0,0 +1,65 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+namespace Magento\Downloadable\Controller\Adminhtml\Downloadable\File;
+
+use Magento\Framework\Serialize\Serializer\Json;
+
+/**
+ * Test for Magento\Downloadable\Controller\Adminhtml\Downloadable\File\Upload
+ *
+ * @magentoAppArea adminhtml
+ */
+class UploadTest extends \Magento\TestFramework\TestCase\AbstractBackendController
+{
+    /**
+     * @var Json
+     */
+    private $jsonSerializer;
+
+    /**
+     * @inheritdoc
+     */
+    protected function setUp()
+    {
+        parent::setUp();
+
+        $this->jsonSerializer = $this->_objectManager->get(Json::class);
+    }
+
+    /**
+     * @dataProvider uploadWrongUploadTypeDataProvider
+     * @return void
+     */
+    public function testUploadWrongUploadType($postData): void
+    {
+        $this->getRequest()->setPostValue($postData);
+        $this->getRequest()->setMethod('POST');
+
+        $this->dispatch('backend/admin/downloadable_file/upload');
+
+        $body = $this->getResponse()->getBody();
+        $result = $this->jsonSerializer->unserialize($body);
+        $this->assertEquals('Upload type can not be determined.', $result['error']);
+        $this->assertEquals(0, $result['errorcode']);
+    }
+
+    public function uploadWrongUploadTypeDataProvider(): array
+    {
+        return [
+            [
+                ['type' => 'test'],
+            ],
+            [
+                [
+                    'type' => [
+                        'type1' => 'test',
+                    ],
+                ],
+            ],
+        ];
+    }
+}
diff --git a/dev/tests/integration/testsuite/Magento/Framework/File/UploaderTest.php b/dev/tests/integration/testsuite/Magento/Framework/File/UploaderTest.php
@@ -0,0 +1,101 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Framework\File;
+
+use Magento\Framework\App\Filesystem\DirectoryList;
+
+/**
+ * Test for \Magento\Framework\File\Uploader
+ */
+class UploaderTest extends \PHPUnit\Framework\TestCase
+{
+    /**
+     * @var \Magento\MediaStorage\Model\File\UploaderFactory
+     */
+    private $uploaderFactory;
+
+    /**
+     * @var \Magento\Framework\Filesystem
+     */
+    private $filesystem;
+
+    /**
+     * @inheritdoc
+     */
+    protected function setUp()
+    {
+        $this->uploaderFactory = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()
+            ->get(\Magento\MediaStorage\Model\File\UploaderFactory::class);
+
+        $this->filesystem = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()
+            ->get(\Magento\Framework\Filesystem::class);
+    }
+
+    /**
+     * @return void
+     */
+    public function testUploadFileFromAllowedFolder(): void
+    {
+        $mediaDirectory = $this->filesystem->getDirectoryWrite(DirectoryList::MEDIA);
+        $tmpDirectory = $this->filesystem->getDirectoryWrite(DirectoryList::SYS_TMP);
+
+        $fileName = 'text.txt';
+        $tmpDir = 'tmp';
+        $filePath = $tmpDirectory->getAbsolutePath($fileName);
+
+        $tmpDirectory->writeFile($fileName, 'just a text');
+
+        $type = [
+            'tmp_name' => $filePath,
+            'name' => $fileName,
+        ];
+
+        $uploader = $this->uploaderFactory->create(['fileId' => $type]);
+        $uploader->save($mediaDirectory->getAbsolutePath($tmpDir));
+
+        $this->assertTrue($mediaDirectory->isFile($tmpDir . DIRECTORY_SEPARATOR . $fileName));
+    }
+
+    /**
+     * @expectedException \InvalidArgumentException
+     * @expectedExceptionMessage Invalid parameter given. A valid $fileId[tmp_name] is expected.
+     *
+     * @return void
+     */
+    public function testUploadFileFromNotAllowedFolder(): void
+    {
+        $fileName = 'text.txt';
+        $tmpDir = 'tmp';
+        $tmpDirectory = $this->filesystem->getDirectoryWrite(DirectoryList::LOG);
+        $filePath = $tmpDirectory->getAbsolutePath() . $tmpDir . DIRECTORY_SEPARATOR . $fileName;
+
+        $tmpDirectory->writeFile($tmpDir . DIRECTORY_SEPARATOR . $fileName, 'just a text');
+
+        $type = [
+            'tmp_name' => $filePath,
+            'name' => $fileName,
+        ];
+
+        $this->uploaderFactory->create(['fileId' => $type]);
+    }
+
+    /**
+     * @inheritdoc
+     */
+    protected function tearDown()
+    {
+        parent::tearDown();
+
+        $tmpDir = 'tmp';
+        $mediaDirectory = $this->filesystem->getDirectoryWrite(DirectoryList::MEDIA);
+        $mediaDirectory->delete($tmpDir);
+
+        $logDirectory = $this->filesystem->getDirectoryWrite(DirectoryList::LOG);
+        $logDirectory->delete($tmpDir);
+    }
+}
diff --git a/lib/internal/Magento/Framework/File/Uploader.php b/lib/internal/Magento/Framework/File/Uploader.php
@@ -5,6 +5,7 @@
  */
 namespace Magento\Framework\File;
 
+use Magento\Framework\App\Filesystem\DirectoryList;
 use Magento\Framework\Exception\FileSystemException;
 use Magento\Framework\Validation\ValidationException;
 
@@ -14,6 +15,8 @@
  * ATTENTION! This class must be used like abstract class and must added
  * validation by protected file extension list to extended class
  *
+ * @SuppressWarnings(PHPMD.TooManyFields)
+ *
  * @api
  */
 class Uploader
@@ -160,17 +163,27 @@ class Uploader
      */
     protected $_result;
 
+    /**
+     * @var DirectoryList
+     */
+    private $directoryList;
+
     /**
      * Init upload
      *
      * @param string|array $fileId
      * @param \Magento\Framework\File\Mime|null $fileMime
+     * @param DirectoryList|null $directoryList
      * @throws \DomainException
      */
     public function __construct(
         $fileId,
-        Mime $fileMime = null
+        Mime $fileMime = null,
+        DirectoryList $directoryList = null
     ) {
+        $this->directoryList= $directoryList ?: \Magento\Framework\App\ObjectManager::getInstance()
+            ->get(DirectoryList::class);
+
         $this->_setUploadFileId($fileId);
         if (!file_exists($this->_file['tmp_name'])) {
             $code = empty($this->_file['tmp_name']) ? self::TMP_NAME_EMPTY : 0;
@@ -552,6 +565,7 @@ private function _getMimeType()
     private function _setUploadFileId($fileId)
     {
         if (is_array($fileId)) {
+            $this->validateFileId($fileId);
             $this->_uploadType = self::MULTIPLE_STYLE;
             $this->_file = $fileId;
         } else {
@@ -585,6 +599,55 @@ private function _setUploadFileId($fileId)
         }
     }
 
+    /**
+     * Validates explicitly given uploaded file data.
+     *
+     * @param array $fileId
+     * @return void
+     * @throws \InvalidArgumentException
+     */
+    private function validateFileId(array $fileId): void
+    {
+        $isValid = false;
+        if (isset($fileId['tmp_name'])) {
+            $tmpName = trim($fileId['tmp_name']);
+
+            if (preg_match('/\.\.(\\\|\/)/', $tmpName) !== 1) {
+                $allowedFolders = [
+                    sys_get_temp_dir(),
+                    $this->directoryList->getPath(DirectoryList::MEDIA),
+                    $this->directoryList->getPath(DirectoryList::VAR_DIR),
+                    $this->directoryList->getPath(DirectoryList::TMP),
+                    $this->directoryList->getPath(DirectoryList::UPLOAD),
+                ];
+
+                $disallowedFolders = [
+                    $this->directoryList->getPath(DirectoryList::LOG),
+                ];
+
+                foreach ($allowedFolders as $allowedFolder) {
+                    if (stripos($tmpName, $allowedFolder) === 0) {
+                        $isValid = true;
+                        break;
+                    }
+                }
+
+                foreach ($disallowedFolders as $disallowedFolder) {
+                    if (stripos($tmpName, $disallowedFolder) === 0) {
+                        $isValid = false;
+                        break;
+                    }
+                }
+            }
+        }
+
+        if (!$isValid) {
+            throw new \InvalidArgumentException(
+                __('Invalid parameter given. A valid $fileId[tmp_name] is expected.')
+            );
+        }
+    }
+
     /**
      * Create destination folder
      *
