MC-15385: Path check for images

omiroshnichenko · omiroshnichenko · commit 92d8bcadd444 · 2019-04-16T11:44:41.000-05:00
diff --git a/app/code/Magento/Cms/Model/Wysiwyg/Images/Storage.php b/app/code/Magento/Cms/Model/Wysiwyg/Images/Storage.php
@@ -424,7 +424,7 @@ public function createDirectory($name, $path)
     /**
      * Recursively delete directory from storage
      *
-     * @param string $path Target dir
+     * @param string $path Absolute path to target directory
      * @return void
      * @throws \Magento\Framework\Exception\LocalizedException
      */
@@ -493,7 +493,7 @@ public function deleteFile($target)
     /**
      * Upload and resize new file
      *
-     * @param string $targetPath Target directory
+     * @param string $targetPath Absolute path to target directory
      * @param string $type Type of storage, e.g. image, media etc.
      * @return array File info Array
      * @throws \Magento\Framework\Exception\LocalizedException
@@ -807,8 +807,8 @@ private function getExtensionsList($type = null): array
     /**
      * Check if path is not in excluded dirs.
      *
-     * @param string $path
-     * @param array $conditions
+     * @param string $path Absolute path
+     * @param array $conditions Exclude conditions
      * @return bool
      */
     private function isPathAllowed($path, array $conditions): bool
diff --git a/dev/tests/integration/testsuite/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFolderTest.php b/dev/tests/integration/testsuite/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFolderTest.php
@@ -7,6 +7,7 @@
 namespace Magento\Cms\Controller\Adminhtml\Wysiwyg\Images;
 
 use Magento\Framework\App\Filesystem\DirectoryList;
+use Magento\Framework\App\Response\HttpFactory as ResponseFactory;
 
 /**
  * Test for \Magento\Cms\Controller\Adminhtml\Wysiwyg\Images\DeleteFolder class.
@@ -38,6 +39,11 @@ class DeleteFolderTest extends \PHPUnit\Framework\TestCase
      */
     private $filesystem;
 
+    /**
+     * @var HttpFactory
+     */
+    private $responseFactory;
+
     /**
      * @inheritdoc
      */
@@ -49,6 +55,7 @@ protected function setUp()
         /** @var \Magento\Cms\Helper\Wysiwyg\Images $imagesHelper */
         $this->imagesHelper = $objectManager->get(\Magento\Cms\Helper\Wysiwyg\Images::class);
         $this->fullDirectoryPath = $this->imagesHelper->getStorageRoot();
+        $this->responseFactory = $objectManager->get(ResponseFactory::class);
         $this->model = $objectManager->get(\Magento\Cms\Controller\Adminhtml\Wysiwyg\Images\DeleteFolder::class);
     }
 
@@ -83,6 +90,7 @@ public function testExecute()
      * can be removed.
      *
      * @magentoDataFixture Magento/Cms/_files/linked_media.php
+     * @magentoAppIsolation enabled
      */
     public function testExecuteWithLinkedMedia()
     {
@@ -106,6 +114,7 @@ public function testExecuteWithLinkedMedia()
      * under media directory.
      *
      * @return void
+     * @magentoAppIsolation enabled
      */
     public function testExecuteWithWrongDirectoryName()
     {
@@ -116,6 +125,31 @@ public function testExecuteWithWrongDirectoryName()
         $this->assertFileExists($this->fullDirectoryPath . $directoryName);
     }
 
+    /**
+     * Execute method to check that there is no ability to remove folder which is in excluded directories list.
+     *
+     * @return void
+     * @magentoAppIsolation enabled
+     */
+    public function testExecuteWithExcludedDirectoryName()
+    {
+        $directoryName = 'downloadable';
+        $expectedResponseMessage = 'We cannot delete directory /downloadable.';
+        $mediaDirectory = $this->filesystem->getDirectoryWrite(DirectoryList::MEDIA);
+        $mediaDirectory->create($directoryName);
+        $this->assertFileExists($this->fullDirectoryPath . $directoryName);
+
+        $this->model->getRequest()->setParams(['node' => $this->imagesHelper->idEncode($directoryName)]);
+        $this->model->getRequest()->setMethod('POST');
+        $jsonResponse = $this->model->execute();
+        $jsonResponse->renderResult($response = $this->responseFactory->create());
+        $data = json_decode($response->getBody(), true);
+
+        $this->assertTrue($data['error']);
+        $this->assertEquals($expectedResponseMessage, $data['message']);
+        $this->assertFileExists($this->fullDirectoryPath . $directoryName);
+    }
+
     /**
      * @inheritdoc
      */
@@ -128,5 +162,8 @@ public static function tearDownAfterClass()
         if ($directory->isExist('wysiwyg')) {
             $directory->delete('wysiwyg');
         }
+        if ($directory->isExist('downloadable')) {
+            $directory->delete('downloadable');
+        }
     }
 }
diff --git a/dev/tests/integration/testsuite/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/UploadTest.php b/dev/tests/integration/testsuite/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/UploadTest.php
@@ -33,6 +33,11 @@ class UploadTest extends \PHPUnit\Framework\TestCase
      */
     private $fullDirectoryPath;
 
+    /**
+     * @var string
+     */
+    private $fullExcludedDirectoryPath;
+
     /**
      * @var string
      */
@@ -60,11 +65,13 @@ protected function setUp()
     {
         $this->objectManager = \Magento\TestFramework\Helper\Bootstrap::getObjectManager();
         $directoryName = 'directory1';
+        $excludedDirName = 'downloadable';
         $this->filesystem = $this->objectManager->get(\Magento\Framework\Filesystem::class);
         /** @var \Magento\Cms\Helper\Wysiwyg\Images $imagesHelper */
         $imagesHelper = $this->objectManager->get(\Magento\Cms\Helper\Wysiwyg\Images::class);
         $this->mediaDirectory = $this->filesystem->getDirectoryWrite(DirectoryList::MEDIA);
         $this->fullDirectoryPath = $imagesHelper->getStorageRoot() . DIRECTORY_SEPARATOR . $directoryName;
+        $this->fullExcludedDirectoryPath = $imagesHelper->getStorageRoot() . DIRECTORY_SEPARATOR . $excludedDirName;
         $this->mediaDirectory->create($this->mediaDirectory->getRelativePath($this->fullDirectoryPath));
         $this->responseFactory = $this->objectManager->get(ResponseFactory::class);
         $this->model = $this->objectManager->get(\Magento\Cms\Controller\Adminhtml\Wysiwyg\Images\Upload::class);
@@ -115,6 +122,34 @@ public function testExecute()
         $this->assertEquals($keys, $dataKeys);
     }
 
+    /**
+     * Execute method with excluded directory path and file name to check that file can't be uploaded.
+     *
+     * @return void
+     * @magentoAppIsolation enabled
+     */
+    public function testExecuteWithExcludedDirectory()
+    {
+        $expectedError = 'We can\'t upload the file to current folder right now. Please try another folder.';
+        $this->model->getRequest()->setParams(['type' => 'image/png']);
+        $this->model->getRequest()->setMethod('POST');
+        $this->model->getStorage()->getSession()->setCurrentPath($this->fullExcludedDirectoryPath);
+        /** @var JsonResponse $jsonResponse */
+        $jsonResponse = $this->model->execute();
+        /** @var Response $response */
+        $jsonResponse->renderResult($response = $this->responseFactory->create());
+        $data = json_decode($response->getBody(), true);
+
+        $this->assertEquals($expectedError, $data['error']);
+        $this->assertFalse(
+            $this->mediaDirectory->isExist(
+                $this->mediaDirectory->getRelativePath(
+                    $this->fullExcludedDirectoryPath . DIRECTORY_SEPARATOR . $this->fileName
+                )
+            )
+        );
+    }
+
     /**
      * Execute method with correct directory path and file name to check that file can be uploaded to the directory
      * located under linked folder.
