Merge pull request #7989 from magento-cia/cia-2.4.6-develop-bugfixes-11182022

admanesachin · web-flow · commit 58a0fa111bc5 · 2022-11-30T10:51:18.000-06:00
Cia 2.4.6 develop bugfixes 11182022
diff --git a/app/code/Magento/PageCache/Controller/Block.php b/app/code/Magento/PageCache/Controller/Block.php
@@ -1,6 +1,5 @@
 <?php
 /**
- * PageCache controller
  *
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
@@ -9,6 +8,8 @@
 
 use Magento\Framework\Serialize\Serializer\Base64Json;
 use Magento\Framework\Serialize\Serializer\Json;
+use Magento\Framework\Validator\RegexFactory;
+use Magento\Framework\App\ObjectManager;
 use Magento\Framework\View\Layout\LayoutCacheKeyInterface;
 
 abstract class Block extends \Magento\Framework\App\Action\Action
@@ -40,28 +41,42 @@ abstract class Block extends \Magento\Framework\App\Action\Action
      */
     private $layoutCacheKeyName = 'mage_pagecache';
 
+    /**
+     * @var RegexFactory
+     */
+    private RegexFactory $regexValidatorFactory;
+
+    /**
+     * Validation pattern for handles array
+     */
+    private const VALIDATION_RULE_PATTERN = '/^[a-z0-9]+[a-z0-9_]*$/i';
+
     /**
      * @param \Magento\Framework\App\Action\Context $context
      * @param \Magento\Framework\Translate\InlineInterface $translateInline
      * @param Json $jsonSerializer
      * @param Base64Json $base64jsonSerializer
      * @param LayoutCacheKeyInterface $layoutCacheKey
+     * @param RegexFactory|null $regexValidatorFactory
      */
     public function __construct(
         \Magento\Framework\App\Action\Context $context,
         \Magento\Framework\Translate\InlineInterface $translateInline,
         Json $jsonSerializer = null,
         Base64Json $base64jsonSerializer = null,
-        LayoutCacheKeyInterface $layoutCacheKey = null
+        LayoutCacheKeyInterface $layoutCacheKey = null,
+        ?RegexFactory $regexValidatorFactory = null
     ) {
         parent::__construct($context);
         $this->translateInline = $translateInline;
         $this->jsonSerializer = $jsonSerializer
-            ?: \Magento\Framework\App\ObjectManager::getInstance()->get(Json::class);
+            ?: ObjectManager::getInstance()->get(Json::class);
         $this->base64jsonSerializer = $base64jsonSerializer
-            ?: \Magento\Framework\App\ObjectManager::getInstance()->get(Base64Json::class);
+            ?: ObjectManager::getInstance()->get(Base64Json::class);
         $this->layoutCacheKey = $layoutCacheKey
-            ?: \Magento\Framework\App\ObjectManager::getInstance()->get(LayoutCacheKeyInterface::class);
+            ?: ObjectManager::getInstance()->get(LayoutCacheKeyInterface::class);
+        $this->regexValidatorFactory = $regexValidatorFactory
+            ?: ObjectManager::getInstance()->get(RegexFactory::class);
     }
 
     /**
@@ -79,6 +94,9 @@ protected function _getBlocks()
         }
         $blocks = $this->jsonSerializer->unserialize($blocks);
         $handles = $this->base64jsonSerializer->unserialize($handles);
+        if (!$this->validateHandleParam($handles)) {
+            return [];
+        }
 
         $layout = $this->_view->getLayout();
         $this->layoutCacheKey->addCacheKeys($this->layoutCacheKeyName);
@@ -95,4 +113,22 @@ protected function _getBlocks()
 
         return $data;
     }
+
+    /**
+     * Validates handles parameter
+     *
+     * @param array $handles
+     * @return bool
+     */
+    private function validateHandleParam($handles): bool
+    {
+        $validator = $this->regexValidatorFactory->create(['pattern' => self::VALIDATION_RULE_PATTERN]);
+        foreach ($handles as $handle) {
+            if ($handle && !$validator->isValid($handle)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
 }
diff --git a/app/code/Magento/PageCache/Test/Unit/Controller/Block/EsiTest.php b/app/code/Magento/PageCache/Test/Unit/Controller/Block/EsiTest.php
@@ -18,6 +18,8 @@
 use Magento\Framework\View\Element\AbstractBlock;
 use Magento\Framework\View\Layout;
 use Magento\Framework\View\Layout\LayoutCacheKeyInterface;
+use Magento\Framework\Validator\Regex;
+use Magento\Framework\Validator\RegexFactory;
 use Magento\PageCache\Controller\Block;
 use Magento\PageCache\Controller\Block\Esi;
 use Magento\PageCache\Test\Unit\Block\Controller\StubBlock;
@@ -64,6 +66,11 @@ class EsiTest extends TestCase
      */
     protected $translateInline;
 
+    /**
+     * Validation pattern for handles array
+     */
+    private const VALIDATION_RULE_PATTERN = '/^[a-z0-9]+[a-z0-9_]*$/i';
+
     /**
      * Set up before test
      */
@@ -98,6 +105,16 @@ protected function setUp(): void
 
         $this->translateInline = $this->getMockForAbstractClass(InlineInterface::class);
 
+        $regexFactoryMock = $this->getMockBuilder(RegexFactory::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['create'])
+            ->getMock();
+
+        $regexObject = new Regex(self::VALIDATION_RULE_PATTERN);
+
+        $regexFactoryMock->expects($this->any())->method('create')
+            ->willReturn($regexObject);
+
         $helperObjectManager = new ObjectManager($this);
         $this->action = $helperObjectManager->getObject(
             Esi::class,
@@ -106,7 +123,8 @@ protected function setUp(): void
                 'translateInline' => $this->translateInline,
                 'jsonSerializer' => new Json(),
                 'base64jsonSerializer' => new Base64Json(),
-                'layoutCacheKey' => $this->layoutCacheKeyMock
+                'layoutCacheKey' => $this->layoutCacheKeyMock,
+                'regexValidatorFactory' => $regexFactoryMock
             ]
         );
     }
diff --git a/app/code/Magento/PageCache/Test/Unit/Controller/Block/RenderTest.php b/app/code/Magento/PageCache/Test/Unit/Controller/Block/RenderTest.php
@@ -18,6 +18,8 @@
 use Magento\Framework\View\Layout;
 use Magento\Framework\View\Layout\LayoutCacheKeyInterface;
 use Magento\Framework\View\Layout\ProcessorInterface;
+use Magento\Framework\Validator\Regex;
+use Magento\Framework\Validator\RegexFactory;
 use Magento\PageCache\Controller\Block;
 use Magento\PageCache\Controller\Block\Render;
 use Magento\PageCache\Test\Unit\Block\Controller\StubBlock;
@@ -69,6 +71,11 @@ class RenderTest extends TestCase
      */
     protected $layoutCacheKeyMock;
 
+    /**
+     * Validation pattern for handles array
+     */
+    private const VALIDATION_RULE_PATTERN = '/^[a-z0-9]+[a-z0-9_]*$/i';
+
     /**
      * @inheritDoc
      */
@@ -111,6 +118,16 @@ protected function setUp(): void
 
         $this->translateInline = $this->getMockForAbstractClass(InlineInterface::class);
 
+        $regexFactoryMock = $this->getMockBuilder(RegexFactory::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['create'])
+            ->getMock();
+
+        $regexObject = new Regex(self::VALIDATION_RULE_PATTERN);
+
+        $regexFactoryMock->expects($this->any())->method('create')
+            ->willReturn($regexObject);
+
         $helperObjectManager = new ObjectManager($this);
         $this->action = $helperObjectManager->getObject(
             Render::class,
@@ -119,7 +136,8 @@ protected function setUp(): void
                 'translateInline' => $this->translateInline,
                 'jsonSerializer' => new Json(),
                 'base64jsonSerializer' => new Base64Json(),
-                'layoutCacheKey' => $this->layoutCacheKeyMock
+                'layoutCacheKey' => $this->layoutCacheKeyMock,
+                'regexValidatorFactory' => $regexFactoryMock
             ]
         );
     }
