AC-2571: Implemented Input Validation

pawan-adobe-security · pawan-adobe-security · commit 64b398cee0ff · 2022-04-18T16:22:51.000+05:30
* Add Input Validation
diff --git a/app/code/Magento/CatalogRule/Controller/Adminhtml/Promo/Catalog/NewConditionHtml.php b/app/code/Magento/CatalogRule/Controller/Adminhtml/Promo/Catalog/NewConditionHtml.php
@@ -6,14 +6,17 @@
  */
 namespace Magento\CatalogRule\Controller\Adminhtml\Promo\Catalog;
 
+use Magento\CatalogRule\Controller\Adminhtml\Promo\Catalog as CatalogAction;
 use Magento\Framework\App\Action\HttpGetActionInterface;
 use Magento\Framework\App\Action\HttpPostActionInterface as HttpPostActionInterface;
 use Magento\Rule\Model\Condition\AbstractCondition;
-use Magento\CatalogRule\Controller\Adminhtml\Promo\Catalog as CatalogAction;
+use Magento\Rule\Model\Condition\ConditionInterface;
 
 class NewConditionHtml extends CatalogAction implements HttpPostActionInterface, HttpGetActionInterface
 {
     /**
+     * New condition html action
+     *
      * @return void
      */
     public function execute()
@@ -23,6 +26,18 @@ public function execute()
         $typeArr = explode('|', str_replace('-', '/', $this->getRequest()->getParam('type')));
         $type = $typeArr[0];
 
+        /**
+         * @SuppressWarnings(PHPCPD-START)
+         */
+        if (class_exists($type) && !in_array(ConditionInterface::class, class_implements($type))) {
+            $html = '';
+            $this->getResponse()->setBody($html);
+            return;
+        }
+        /**
+         * @SuppressWarnings(PHPCPD-END)
+         */
+
         $model = $this->_objectManager->create($type)
             ->setId($id)
             ->setType($type)
diff --git a/app/code/Magento/SalesRule/Controller/Adminhtml/Promo/Quote/NewConditionHtml.php b/app/code/Magento/SalesRule/Controller/Adminhtml/Promo/Quote/NewConditionHtml.php
@@ -7,6 +7,7 @@
 
 use Magento\Framework\App\Action\HttpPostActionInterface;
 use Magento\Rule\Model\Condition\AbstractCondition;
+use Magento\Rule\Model\Condition\ConditionInterface;
 use Magento\SalesRule\Controller\Adminhtml\Promo\Quote;
 
 /**
@@ -26,6 +27,18 @@ public function execute()
         $typeArr = explode('|', str_replace('-', '/', $this->getRequest()->getParam('type')));
         $type = $typeArr[0];
 
+        /**
+         * @SuppressWarnings(PHPCPD-START)
+         */
+        if (class_exists($type) && !in_array(ConditionInterface::class, class_implements($type))) {
+            $html = '';
+            $this->getResponse()->setBody($html);
+            return;
+        }
+        /**
+         * @SuppressWarnings(PHPCPD-END)
+         */
+
         $model = $this->_objectManager->create(
             $type
         )->setId(
