Merge branch '2.3.0-qwerty' of github.com:magento/magento2ce into MAGETWO-95391

Author: omiroshnichenko

dev/tests/static/framework/Magento/CodeMessDetector/Rule/Design/RequestAwareBlockMethod.php

@@ -0,0 +1,53 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\CodeMessDetector\Rule\Design;
+
+use PHPMD\AbstractNode;
+use PHPMD\AbstractRule;
+use PHPMD\Node\ClassNode;
+use PHPMD\Node\MethodNode;
+use PDepend\Source\AST\ASTMethod;
+use PHPMD\Rule\MethodAware;
+
+/**
+ * Detect direct request usages.
+ */
+class RequestAwareBlockMethod extends AbstractRule implements MethodAware
+{
+    /**
+     * @inheritDoc
+     *
+     * @param ASTMethod|MethodNode $method
+     */
+    public function apply(AbstractNode $method)
+    {
+        $definedIn = $method->getParentType();
+        try {
+            $isBlock = ($definedIn instanceof ClassNode)
+                && is_subclass_of(
+                    $definedIn->getFullQualifiedName(),
+                    \Magento\Framework\View\Element\AbstractBlock::class
+                );
+        } catch (\Throwable $exception) {
+            //Failed to load classes.
+            return;
+        }
+
+        if ($isBlock) {
+            $nodes = $method->findChildrenOfType('PropertyPostfix') + $method->findChildrenOfType('MethodPostfix');
+            foreach ($nodes as $node) {
+                $name = mb_strtolower($node->getFirstChildOfType('Identifier')->getImage());
+                if ($name === '_request' || $name === 'getrequest') {
+                    $this->addViolation($method, [$method->getFullQualifiedName()]);
+                    break;
+                }
+            }
+        }
+    }
+}

dev/tests/static/framework/Magento/CodeMessDetector/resources/rulesets/design.xml

@@ -54,6 +54,37 @@ class PostOrder implements ActionInterface
         ...
         return $response;
     }
+}
+            ]]>
+        </example>
+    </rule>
+    <rule name="RequestAwareBlockMethod"
+          class="Magento\CodeMessDetector\Rule\Design\RequestAwareBlockMethod"
+          message="{0} uses request object directly. Add user input validation and suppress this warning.">
+        <description>
+            <![CDATA[
+Blocks must not depend on being used with certain controllers.
+If you use request object in a block directly you must validate all user input inside the block.
+            ]]>
+        </description>
+        <priority>2</priority>
+        <properties />
+        <example>
+            <![CDATA[
+class MyOrder extends AbstractBlock
+{
+
+    .......
+
+    public function getOrder()
+    {
+        $orderId = $this->getRequest()->getParam('order_id');
+        //Validate customer having such order.
+        if (!$this->hasOrder($this->getCustomerId(), $orderId)) {
+            ...deny access...
+        }
+        .....
+    }
 }
             ]]>
         </example>

dev/tests/static/testsuite/Magento/Test/Php/_files/phpmd/ruleset.xml

@@ -48,5 +48,6 @@
     <!-- Magento Specific Rules -->
     <rule ref="Magento/CodeMessDetector/resources/rulesets/design.xml/FinalImplementation" />
     <rule ref="Magento/CodeMessDetector/resources/rulesets/design.xml/AllPurposeAction" />
+    <rule ref="Magento/CodeMessDetector/resources/rulesets/design.xml/RequestAwareBlockMethod" />
 
 </ruleset>