MDVA-281: Portdown MAGETWO-51461: Reflected XSS in Authorize.net - 3rd try

Author: Yuriy Denyshchenko

app/code/Magento/Authorizenet/Controller/Directpost/Payment/Redirect.php

@@ -8,18 +8,12 @@
 
 use Magento\Framework\App\ObjectManager;
 use Magento\Payment\Block\Transparent\Iframe;
-use Magento\Framework\Escaper;
 
 /**
  * Class Redirect
  */
 class Redirect extends \Magento\Authorizenet\Controller\Directpost\Payment
 {
-    /**
-     * @var Escaper
-     */
-    private $escaper;
-
     /**
      * Retrieve params and put javascript into iframe
      *
@@ -29,7 +23,7 @@ public function execute()
     {
         $helper = $this->dataFactory->create('frontend');
 
-        $redirectParams = $this->filterData($this->getRequest()->getParams());
+        $redirectParams = $this->getRequest()->getParams();
         $params = [];
         if (!empty($redirectParams['success'])
             && isset($redirectParams['x_invoice_num'])
@@ -38,9 +32,11 @@ public function execute()
             $this->_getDirectPostSession()->unsetData('quote_id');
             $params['redirect_parent'] = $helper->getSuccessOrderUrl([]);
         }
+
         if (!empty($redirectParams['error_msg'])) {
             $cancelOrder = empty($redirectParams['x_invoice_num']);
             $this->_returnCustomerQuote($cancelOrder, $redirectParams['error_msg']);
+            $params['error_msg'] = $redirectParams['error_msg'];
         }
 
         if (isset($redirectParams['controller_action_name'])
@@ -50,34 +46,8 @@ public function execute()
             unset($params['redirect_parent']);
         }
 
-        $this->_coreRegistry->register(Iframe::REGISTRY_KEY, array_merge($params, $redirectParams));
+        $this->_coreRegistry->register(Iframe::REGISTRY_KEY, $params);
         $this->_view->addPageLayoutHandles();
         $this->_view->loadLayout(false)->renderLayout();
     }
-
-    /**
-     * Escape xss in request data
-     * @param array $data
-     * @return array
-     */
-    private function filterData(array $data)
-    {
-        $self = $this;
-        array_walk($data, function (&$item) use ($self) {
-            $item = $self->getEscaper()->escapeXssInUrl($item);
-        });
-        return $data;
-    }
-
-    /**
-     * Get Escaper instance
-     * @return Escaper
-     */
-    private function getEscaper()
-    {
-        if (!$this->escaper) {
-            $this->escaper = ObjectManager::getInstance()->get(Escaper::class);
-        }
-        return $this->escaper;
-    }
 }

app/code/Magento/Authorizenet/Test/Unit/Controller/Directpost/Payment/RedirectTest.php

@@ -8,7 +8,6 @@
 use Magento\Authorizenet\Controller\Directpost\Payment\Redirect;
 use Magento\Framework\App\RequestInterface;
 use Magento\Framework\App\ViewInterface;
-use Magento\Framework\Escaper;
 use Magento\Framework\Registry;
 use Magento\Framework\TestFramework\Unit\Helper\ObjectManager;
 use Magento\Payment\Block\Transparent\Iframe;
@@ -34,11 +33,6 @@ class RedirectTest extends \PHPUnit_Framework_TestCase
      */
     private $coreRegistry;
 
-    /**
-     * @var Escaper|MockObject
-     */
-    private $escaper;
-
     /**
      * @var Redirect
      */
@@ -57,21 +51,11 @@ protected function setUp()
             ->setMethods(['register'])
             ->getMock();
 
-        $this->escaper = static::getMockBuilder(Escaper::class)
-            ->disableOriginalConstructor()
-            ->setMethods(['escapeXssInUrl'])
-            ->getMock();
-
         $this->controller = $objectManager->getObject(Redirect::class, [
             'request' => $this->request,
             'view' => $this->view,
             'coreRegistry' => $this->coreRegistry
         ]);
-
-        $refClass = new \ReflectionClass(Redirect::class);
-        $refProperty = $refClass->getProperty('escaper');
-        $refProperty->setAccessible(true);
-        $refProperty->setValue($this->controller, $this->escaper);
     }
 
     /**
@@ -87,14 +71,9 @@ public function testExecute()
             ->method('getParams')
             ->willReturn($params);
 
-        $this->escaper->expects(static::once())
-            ->method('escapeXssInUrl')
-            ->with($url)
-            ->willReturn($url);
-
         $this->coreRegistry->expects(static::once())
             ->method('register')
-            ->with(Iframe::REGISTRY_KEY, $params);
+            ->with(Iframe::REGISTRY_KEY, []);
 
         $this->view->expects(static::once())
             ->method('addPageLayoutHandles');