MAGETWO-95638: Upload Extension Validation

Author: ameysar

app/code/Magento/CatalogImportExport/Model/Import/Uploader.php

@@ -108,7 +108,7 @@ class Uploader extends \Magento\MediaStorage\Model\File\Uploader
      * @param \Magento\MediaStorage\Model\File\Validator\NotProtectedExtension $validator
      * @param \Magento\Framework\Filesystem $filesystem
      * @param \Magento\Framework\Filesystem\File\ReadFactory $readFactory
-     * @param null $filePath
+     * @param string|null $filePath
      * @param \Magento\Framework\App\Filesystem\DirectoryResolver|null $directoryResolver
      * @throws \Magento\Framework\Exception\LocalizedException
      */
@@ -157,29 +157,48 @@ public function init()
      * @param string $fileName
      * @param bool $renameFileOff
      * @return array
+     * @throws \Magento\Framework\Exception\LocalizedException
      */
     public function move($fileName, $renameFileOff = false)
     {
         if ($renameFileOff) {
             $this->setAllowRenameFiles(false);
         }
+
+        if ($this->getTmpDir()) {
+            $filePath = $this->getTmpDir() . '/';
+        } else {
+            $filePath = '';
+        }
+
         if (preg_match('/\bhttps?:\/\//i', $fileName, $matches)) {
             $url = str_replace($matches[0], '', $fileName);
+            $driver = $matches[0] === $this->httpScheme ? DriverPool::HTTP : DriverPool::HTTPS;
+            $read = $this->_readFactory->create($url, $driver);
+
+            //only use filename (for URI with query parameters)
+            $parsedUrlPath = parse_url($url, PHP_URL_PATH);
+            if ($parsedUrlPath) {
+                $urlPathValues = explode('/', $parsedUrlPath);
+                if (!empty($urlPathValues)) {
+                    $fileName = end($urlPathValues);
+                }
+            }
 
-            if ($matches[0] === $this->httpScheme) {
-                $read = $this->_readFactory->create($url, DriverPool::HTTP);
-            } else {
-                $read = $this->_readFactory->create($url, DriverPool::HTTPS);
+            $fileExtension = pathinfo($fileName, PATHINFO_EXTENSION);
+            if ($fileExtension && !$this->checkAllowedExtension($fileExtension)) {
+                throw new \Magento\Framework\Exception\LocalizedException(__('Disallowed file type.'));
             }
 
             $fileName = preg_replace('/[^a-z0-9\._-]+/i', '', $fileName);
+            $filePath = $this->_directory->getRelativePath($filePath . $fileName);
             $this->_directory->writeFile(
-                $this->_directory->getRelativePath($this->getTmpDir() . '/' . $fileName),
+                $filePath,
                 $read->readAll()
             );
         }
 
-        $filePath = $this->_directory->getRelativePath($this->getTmpDir() . '/' . $fileName);
+        $filePath = $this->_directory->getRelativePath($filePath . $fileName);
         $this->_setUploadFile($filePath);
         $destDir = $this->_directory->getAbsolutePath($this->getDestDir());
         $result = $this->save($destDir);

app/code/Magento/CatalogImportExport/Test/Unit/Model/Import/UploaderTest.php

@@ -56,6 +56,9 @@ class UploaderTest extends \PHPUnit\Framework\TestCase
      */
     protected $uploader;
 
+    /**
+     * @inheritdoc
+     */
     protected function setUp()
     {
         $this->coreFileStorageDb = $this->getMockBuilder(\Magento\MediaStorage\Helper\File\Storage\Database::class)
@@ -79,7 +82,7 @@ protected function setUp()
             ->setMethods(['create'])
             ->getMock();
 
-        $this->directoryMock = $this->getMockBuilder(\Magento\Framework\Filesystem\Directory\Writer::class)
+        $this->directoryMock = $this->getMockBuilder(\Magento\Framework\Filesystem\Directory\Write::class)
             ->setMethods(['writeFile', 'getRelativePath', 'isWritable', 'isReadable', 'getAbsolutePath'])
             ->disableOriginalConstructor()
             ->getMock();
@@ -109,41 +112,53 @@ protected function setUp()
                 null,
                 $this->directoryResolver
             ])
-            ->setMethods(['_setUploadFile', 'save', 'getTmpDir'])
+            ->setMethods(['_setUploadFile', 'save', 'getTmpDir', 'checkAllowedExtension'])
             ->getMock();
     }
 
     /**
      * @dataProvider moveFileUrlDataProvider
+     * @param string $fileUrl
+     * @param string $expectedHost
+     * @param string $expectedFileName
+     * @param int $checkAllowedExtension
+     * @return void
      */
-    public function testMoveFileUrl($fileUrl, $expectedHost, $expectedFileName)
-    {
+    public function testMoveFileUrl(
+        string $fileUrl,
+        string $expectedHost,
+        string $expectedFileName,
+        int $checkAllowedExtension
+    ) {
         $destDir = 'var/dest/dir';
-        $expectedRelativeFilePath = $this->uploader->getTmpDir() . '/' . $expectedFileName;
+        $expectedRelativeFilePath = $expectedFileName;
         $this->directoryMock->expects($this->once())->method('isWritable')->with($destDir)->willReturn(true);
         $this->directoryMock->expects($this->any())->method('getRelativePath')->with($expectedRelativeFilePath);
         $this->directoryMock->expects($this->once())->method('getAbsolutePath')->with($destDir)
             ->willReturn($destDir . '/' . $expectedFileName);
         // Check writeFile() method invoking.
-        $this->directoryMock->expects($this->any())->method('writeFile')->will($this->returnValue($expectedFileName));
+        $this->directoryMock->expects($this->any())->method('writeFile')->willReturn($expectedFileName);
 
         // Create adjusted reader which does not validate path.
         $readMock = $this->getMockBuilder(\Magento\Framework\Filesystem\File\Read::class)
             ->disableOriginalConstructor()
             ->setMethods(['readAll'])
             ->getMock();
         // Check readAll() method invoking.
-        $readMock->expects($this->once())->method('readAll')->will($this->returnValue(null));
+        $readMock->expects($this->once())->method('readAll')->willReturn(null);
 
         // Check create() method invoking with expected argument.
         $this->readFactory->expects($this->once())
                         ->method('create')
                         ->will($this->returnValue($readMock))->with($expectedHost);
         //Check invoking of getTmpDir(), _setUploadFile(), save() methods.
-        $this->uploader->expects($this->any())->method('getTmpDir')->will($this->returnValue(''));
-        $this->uploader->expects($this->once())->method('_setUploadFile')->will($this->returnSelf());
+        $this->uploader->expects($this->any())->method('getTmpDir')->willReturn('');
+        $this->uploader->expects($this->once())->method('_setUploadFile')->willReturnSelf();
         $this->uploader->expects($this->once())->method('save')->with($destDir . '/' . $expectedFileName)
             ->willReturn(['name' => $expectedFileName, 'path' => 'absPath']);
+        $this->uploader->expects($this->exactly($checkAllowedExtension))
+            ->method('checkAllowedExtension')
+            ->willReturn(true);
 
         $this->uploader->setDestDir($destDir);
         $result = $this->uploader->move($fileUrl);
@@ -155,14 +170,14 @@ public function testMoveFileName()
     {
         $destDir = 'var/dest/dir';
         $fileName = 'test_uploader_file';
-        $expectedRelativeFilePath = $this->uploader->getTmpDir() . '/' . $fileName;
+        $expectedRelativeFilePath = $fileName;
         $this->directoryMock->expects($this->once())->method('isWritable')->with($destDir)->willReturn(true);
         $this->directoryMock->expects($this->any())->method('getRelativePath')->with($expectedRelativeFilePath);
         $this->directoryMock->expects($this->once())->method('getAbsolutePath')->with($destDir)
             ->willReturn($destDir . '/' . $fileName);
         //Check invoking of getTmpDir(), _setUploadFile(), save() methods.
-        $this->uploader->expects($this->once())->method('getTmpDir')->will($this->returnValue(''));
-        $this->uploader->expects($this->once())->method('_setUploadFile')->will($this->returnSelf());
+        $this->uploader->expects($this->once())->method('getTmpDir')->willReturn('');
+        $this->uploader->expects($this->once())->method('_setUploadFile')->willReturnSelf();
         $this->uploader->expects($this->once())->method('save')->with($destDir . '/' . $fileName)
             ->willReturn(['name' => $fileName]);
 
@@ -239,12 +254,38 @@ public function moveFileUrlDataProvider()
             [
                 '$fileUrl' => 'http://test_uploader_file',
                 '$expectedHost' => 'test_uploader_file',
-                '$expectedFileName' => 'httptest_uploader_file',
+                '$expectedFileName' => 'test_uploader_file',
+                '$checkAllowedExtension' => 0,
             ],
             [
                 '$fileUrl' => 'https://!:^&`;file',
                 '$expectedHost' => '!:^&`;file',
-                '$expectedFileName' => 'httpsfile',
+                '$expectedFileName' => 'file',
+                '$checkAllowedExtension' => 0,
+            ],
+            [
+                '$fileUrl' => 'https://www.google.com/image.jpg',
+                '$expectedHost' => 'www.google.com/image.jpg',
+                '$expectedFileName' => 'image.jpg',
+                '$checkAllowedExtension' => 1,
+            ],
+            [
+                '$fileUrl' => 'https://www.google.com/image.jpg?param=1',
+                '$expectedHost' => 'www.google.com/image.jpg?param=1',
+                '$expectedFileName' => 'image.jpg',
+                '$checkAllowedExtension' => 1,
+            ],
+            [
+                '$fileUrl' => 'https://www.google.com/image.jpg?param=1&param=2',
+                '$expectedHost' => 'www.google.com/image.jpg?param=1&param=2',
+                '$expectedFileName' => 'image.jpg',
+                '$checkAllowedExtension' => 1,
+            ],
+            [
+                '$fileUrl' => 'http://www.google.com/image.jpg?param=1&param=2',
+                '$expectedHost' => 'www.google.com/image.jpg?param=1&param=2',
+                '$expectedFileName' => 'image.jpg',
+                '$checkAllowedExtension' => 1,
             ],
         ];
     }
@@ -253,8 +294,9 @@ public function moveFileUrlDataProvider()
      * @dataProvider validatePathDataProvider
      *
      * @param bool $pathIsValid
+     * @return void
      */
-    public function testSetTmpDir($pathIsValid)
+    public function testSetTmpDir(bool $pathIsValid)
     {
         $path = 'path';
         $absolutePath = 'absolute_path';
@@ -272,11 +314,11 @@ public function testSetTmpDir($pathIsValid)
      *
      * @return array
      */
-    public function validatePathDataProvider()
+    public function validatePathDataProvider(): array
     {
         return [
             [true],
-            [false]
+            [false],
         ];
     }
 }