MC-36035: Prevent input based resource allocation

- Added min page size validation

Author: hwyu@adobe.com

app/etc/di.xml

@@ -1943,6 +1943,7 @@
     </type>
     <type name="Magento\Framework\Webapi\Validator\SearchCriteriaValidator">
         <arguments>
+            <argument name="minimumPageSize" xsi:type="number">10</argument>
             <argument name="maximumPageSize" xsi:type="number">300</argument>
         </arguments>
     </type>
@@ -1956,6 +1957,7 @@
     </type>
     <type name="Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\SearchCriteriaValidator">
         <arguments>
+            <argument name="minPageSize" xsi:type="number">10</argument>
             <argument name="maxPageSize" xsi:type="number">300</argument>
         </arguments>
     </type>

lib/internal/Magento/Framework/GraphQl/Query/Resolver/Argument/Validator/SearchCriteriaValidator.php

@@ -17,29 +17,42 @@
  */
 class SearchCriteriaValidator implements ValidatorInterface
 {
+    /**
+     * @var int
+     */
+    private $minPageSize;
+
     /**
      * @var int
      */
     private $maxPageSize;
 
     /**
+     * @param int $minPageSize
      * @param int $maxPageSize
      */
-    public function __construct(int $maxPageSize)
+    public function __construct(int $minPageSize, int $maxPageSize)
     {
+        $this->minPageSize = $minPageSize;
         $this->maxPageSize = $maxPageSize;
     }
 
     /**
      * @inheritDoc
-     * @throws GraphQlInputException
      */
     public function validate(Field $field, $args): void
     {
-        if (isset($args['pageSize']) && $args['pageSize'] > $this->maxPageSize) {
-            throw new GraphQlInputException(
-                __("Maximum pageSize is %max", ['max' => $this->maxPageSize])
-            );
+        if (isset($args['pageSize'])) {
+            if ($args['pageSize'] < $this->minPageSize) {
+                throw new GraphQlInputException(
+                    __("Minimum pageSize is %min", ['min' => $this->minPageSize])
+                );
+            }
+            if ($args['pageSize'] > $this->maxPageSize) {
+                throw new GraphQlInputException(
+                    __("Maximum pageSize is %max", ['max' => $this->maxPageSize])
+                );
+            }
         }
     }
 }

lib/internal/Magento/Framework/GraphQl/Test/Unit/Query/Resolver/Argument/Validator/SearchCriteriaValidatorTest.php

@@ -23,18 +23,31 @@ class SearchCriteriaValidatorTest extends TestCase
      */
     public function testValidValue()
     {
-        $validator = new SearchCriteriaValidator(3);
+        $validator = new SearchCriteriaValidator(1, 3);
         $field = self::getMockBuilder(Field::class)
             ->disableOriginalConstructor()
             ->getMock();
+        $validator->validate($field, ['pageSize' => 1]);
+        $validator->validate($field, ['pageSize' => 2]);
         $validator->validate($field, ['pageSize' => 3]);
     }
 
-    public function testValidInvalidValue()
+    public function testValidInvalidMinValue()
+    {
+        $this->expectException(GraphQlInputException::class);
+        $this->expectExceptionMessage("Minimum pageSize is 1");
+        $validator = new SearchCriteriaValidator(1, 3);
+        $field = self::getMockBuilder(Field::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+        $validator->validate($field, ['pageSize' => 0]);
+    }
+
+    public function testValidInvalidMaxValue()
     {
         $this->expectException(GraphQlInputException::class);
         $this->expectExceptionMessage("Maximum pageSize is 3");
-        $validator = new SearchCriteriaValidator(3);
+        $validator = new SearchCriteriaValidator(1, 3);
         $field = self::getMockBuilder(Field::class)
             ->disableOriginalConstructor()
             ->getMock();

lib/internal/Magento/Framework/Webapi/ServiceInputProcessor.php

@@ -135,7 +135,7 @@ public function __construct(
         $this->customAttributePreprocessors = $customAttributePreprocessors;
         $this->serviceInputValidator = $serviceInputValidator
             ?: ObjectManager::getInstance()->get(ServiceInputValidatorInterface::class);
-        $this->defaultPageSize = $defaultPageSize ?: 20;
+        $this->defaultPageSize = $defaultPageSize;
     }
 
     /**

lib/internal/Magento/Framework/Webapi/Test/Unit/Validator/SearchCriteriaValidatorTest.php

@@ -21,19 +21,28 @@ class SearchCriteriaValidatorTest extends TestCase
     /**
      * @doesNotPerformAssertions
      */
-    public function testAllowsPageSizeWhenBelowLimit()
+    public function testAllowsPageSizeWhenAboveMinLimitAndBelowMaxLimit()
     {
         $searchCriteria = new SearchCriteria();
-        $validator = new SearchCriteriaValidator(3);
+        $validator = new SearchCriteriaValidator(1, 3);
         $validator->validateEntityValue($searchCriteria, 'pageSize', 2);
     }
 
-    public function testFailsPageSizeWhenAboveLimit()
+    public function testFailsPageSizeWhenBelowMinLimit()
+    {
+        $this->expectException(InvalidArgumentException::class);
+        $this->expectErrorMessage('Minimum SearchCriteria pageSize is 1');
+        $searchCriteria = new SearchCriteria();
+        $validator = new SearchCriteriaValidator(1, 3);
+        $validator->validateEntityValue($searchCriteria, 'pageSize', 0);
+    }
+
+    public function testFailsPageSizeWhenAboveMaxLimit()
     {
         $this->expectException(InvalidArgumentException::class);
         $this->expectErrorMessage('Maximum SearchCriteria pageSize is 3');
         $searchCriteria = new SearchCriteria();
-        $validator = new SearchCriteriaValidator(3);
+        $validator = new SearchCriteriaValidator(1, 3);
         $validator->validateEntityValue($searchCriteria, 'pageSize', 4);
     }
 }

lib/internal/Magento/Framework/Webapi/Validator/SearchCriteriaValidator.php

@@ -16,16 +16,23 @@
  */
 class SearchCriteriaValidator implements ServiceInputValidatorInterface
 {
+    /**
+     * @var int
+     */
+    private $minimumPageSize;
+
     /**
      * @var int
      */
     private $maximumPageSize;
 
     /**
+     * @param int $minimumPageSize
      * @param int $maximumPageSize
      */
-    public function __construct(int $maximumPageSize)
+    public function __construct(int $minimumPageSize, int $maximumPageSize)
     {
+        $this->minimumPageSize = $minimumPageSize;
         $this->maximumPageSize = $maximumPageSize;
     }
 
@@ -42,13 +49,17 @@ public function validateComplexArrayType(string $className, array $items): void
      */
     public function validateEntityValue(object $entity, string $propertyName, $value): void
     {
-        if ($entity instanceof SearchCriteriaInterface
-            && $propertyName === 'pageSize'
-            && $value > $this->maximumPageSize
-        ) {
-            throw new InvalidArgumentException(
-                __('Maximum SearchCriteria pageSize is %max', ['max' => $this->maximumPageSize])
-            );
+        if ($entity instanceof SearchCriteriaInterface && $propertyName === 'pageSize') {
+            if ($value < $this->minimumPageSize) {
+                throw new InvalidArgumentException(
+                    __('Minimum SearchCriteria pageSize is %min', ['min' => $this->minimumPageSize])
+                );
+            }
+            if ($value > $this->maximumPageSize) {
+                throw new InvalidArgumentException(
+                    __('Maximum SearchCriteria pageSize is %max', ['max' => $this->maximumPageSize])
+                );
+            }
         }
     }
 }