ACP2E-340: [Magento Cloud] Empty API request causes 500

Author: dhorytskyi

app/code/Magento/Webapi/Controller/Rest.php

@@ -6,13 +6,11 @@
 
 namespace Magento\Webapi\Controller;
 
-use Magento\Framework\App\DeploymentConfig;
-use Magento\Framework\Config\ConfigOptionsListConstants;
 use Magento\Framework\Exception\AuthorizationException;
 use Magento\Framework\Webapi\Authorization;
 use Magento\Framework\Webapi\ErrorProcessor;
-use Magento\Framework\Webapi\Request;
 use Magento\Framework\Webapi\Rest\Request as RestRequest;
+use Magento\Framework\Webapi\Rest\RequestValidatorInterface;
 use Magento\Framework\Webapi\Rest\Response as RestResponse;
 use Magento\Framework\Webapi\ServiceInputProcessor;
 use Magento\Store\Model\Store;
@@ -35,7 +33,7 @@ class Rest implements \Magento\Framework\App\FrontControllerInterface
      *
      * @deprecated 100.3.0
      */
-    const SCHEMA_PATH = '/schema';
+    public const SCHEMA_PATH = '/schema';
 
     /**
      * @var Router
@@ -112,6 +110,11 @@ class Rest implements \Magento\Framework\App\FrontControllerInterface
      */
     protected $requestProcessorPool;
 
+    /**
+     * @var RequestValidatorInterface
+     */
+    private $requestValidator;
+
     /**
      * @var StoreManagerInterface
      * @deprecated 100.1.0
@@ -134,6 +137,7 @@ class Rest implements \Magento\Framework\App\FrontControllerInterface
      * @param ParamsOverrider $paramsOverrider
      * @param StoreManagerInterface $storeManager
      * @param RequestProcessorPool $requestProcessorPool
+     * @param RequestValidatorInterface $requestValidator
      *
      * TODO: Consider removal of warning suppression
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
@@ -151,7 +155,8 @@ public function __construct(
         \Magento\Framework\App\AreaList $areaList,
         ParamsOverrider $paramsOverrider,
         StoreManagerInterface $storeManager,
-        RequestProcessorPool $requestProcessorPool
+        RequestProcessorPool $requestProcessorPool,
+        RequestValidatorInterface $requestValidator
     ) {
         $this->_router = $router;
         $this->_request = $request;
@@ -166,6 +171,7 @@ public function __construct(
         $this->paramsOverrider = $paramsOverrider;
         $this->storeManager = $storeManager;
         $this->requestProcessorPool = $requestProcessorPool;
+        $this->requestValidator = $requestValidator;
     }
 
     /**
@@ -184,6 +190,7 @@ public function dispatch(\Magento\Framework\App\RequestInterface $request)
         $this->areaList->getArea($this->_appState->getAreaCode())
             ->load(\Magento\Framework\App\Area::PART_TRANSLATE);
         try {
+            $this->requestValidator->validate($this->_request);
             $processor = $this->requestProcessorPool->getProcessor($this->_request);
             $processor->process($this->_request);
         } catch (\Exception $e) {

app/code/Magento/Webapi/etc/di.xml

@@ -7,6 +7,7 @@
 -->
 <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
     <preference for="Magento\Webapi\Model\ConfigInterface" type="Magento\Webapi\Model\Config" />
+    <preference for="Magento\Framework\Webapi\Rest\RequestValidatorInterface" type="Magento\Framework\Webapi\Rest\RequestMethodValidator" />
     <type name="Magento\Framework\App\AreaList">
         <arguments>
             <argument name="areas" xsi:type="array">

dev/tests/integration/testsuite/Magento/Webapi/Controller/RestTest.php

@@ -0,0 +1,56 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Webapi\Controller;
+
+use Magento\Framework\Webapi\Exception as WebapiException;
+use Magento\Framework\Webapi\Rest\Request;
+use Magento\Framework\Webapi\Rest\Response;
+use Magento\TestFramework\Helper\Bootstrap;
+use PHPUnit\Framework\TestCase;
+
+class RestTest extends TestCase
+{
+    /**
+     * @var Request
+     */
+    private $request;
+
+    /**
+     * @var Response
+     */
+    private $response;
+
+    /**
+     * @var Rest
+     */
+    private $controller;
+
+    protected function setUp(): void
+    {
+        $this->request = Bootstrap::getObjectManager()->create(Request::class);
+        $this->response = Bootstrap::getObjectManager()->create(Response::class);
+        $this->controller = Bootstrap::getObjectManager()->create(
+            Rest::class,
+            [
+                'request' => $this->request,
+                'response' => $this->response,
+            ]
+        );
+    }
+
+    public function testDispatchUnsupportedMethod(): void
+    {
+        $this->request->setMethod('OPTIONS');
+        $this->controller->dispatch($this->request);
+        self::assertTrue($this->response->isException());
+        /** @var WebapiException $exception */
+        $exception = $this->response->getException()[0];
+        self::assertInstanceOf(WebapiException::class, $exception);
+        self::assertEquals(405, $exception->getHttpCode());
+    }
+}

lib/internal/Magento/Framework/Webapi/Rest/Request.php

@@ -1,7 +1,5 @@
 <?php
 /**
- * REST API request.
- *
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
@@ -11,23 +9,28 @@
 use Magento\Framework\Api\SimpleDataObjectConverter;
 use Magento\Framework\Phrase;
 
+/**
+ * REST API request.
+ *
+ * @SuppressWarnings(PHPMD.CookieAndSessionMisuse)
+ */
 class Request extends \Magento\Framework\Webapi\Request
 {
     /**#@+
      * HTTP methods supported by REST.
      */
-    const HTTP_METHOD_GET = 'GET';
-    const HTTP_METHOD_DELETE = 'DELETE';
-    const HTTP_METHOD_PUT = 'PUT';
-    const HTTP_METHOD_POST = 'POST';
+    public const HTTP_METHOD_GET = 'GET';
+    public const HTTP_METHOD_DELETE = 'DELETE';
+    public const HTTP_METHOD_PUT = 'PUT';
+    public const HTTP_METHOD_POST = 'POST';
     /**#@-*/
 
     /**
      * Character set which must be used in request.
      */
-    const REQUEST_CHARSET = 'utf-8';
+    public const REQUEST_CHARSET = 'utf-8';
 
-    const DEFAULT_ACCEPT = '*/*';
+    public const DEFAULT_ACCEPT = '*/*';
 
     /**
      * @var string
@@ -192,7 +195,7 @@ public function getRequestData()
         $requestBodyParams = [];
         $params = $this->getParams();
 
-        $httpMethod = $this->getHttpMethod();
+        $httpMethod = $this->getMethod();
         if ($httpMethod == self::HTTP_METHOD_POST ||
             $httpMethod == self::HTTP_METHOD_PUT
         ) {

lib/internal/Magento/Framework/Webapi/Rest/RequestMethodValidator.php

@@ -0,0 +1,33 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Framework\Webapi\Rest;
+
+use Magento\Framework\Exception\InputException;
+use Magento\Framework\Webapi\Exception as WebapiException;
+
+/**
+ * Validator of supported HTTP methods.
+ */
+class RequestMethodValidator implements RequestValidatorInterface
+{
+    /**
+     * @inheritdoc
+     */
+    public function validate(Request $request): void
+    {
+        try {
+            $request->getHttpMethod();
+        } catch (InputException $e) {
+            throw new WebapiException(
+                __('The %1 HTTP method is not supported.', $request->getMethod()),
+                0,
+                WebapiException::HTTP_METHOD_NOT_ALLOWED
+            );
+        }
+    }
+}

lib/internal/Magento/Framework/Webapi/Rest/RequestValidatorInterface.php

@@ -0,0 +1,25 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Framework\Webapi\Rest;
+
+use Magento\Framework\Webapi\Exception as WebapiException;
+
+/**
+ * Interface for validating REST requests.
+ */
+interface RequestValidatorInterface
+{
+    /**
+     * Validate provided request.
+     *
+     * @param Request $request
+     * @return void
+     * @throws WebapiException
+     */
+    public function validate(Request $request): void;
+}

lib/internal/Magento/Framework/Webapi/Test/Unit/Rest/RequestMethodValidatorTest.php

@@ -0,0 +1,47 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Framework\Webapi\Test\Unit\Rest;
+
+use Magento\Framework\Exception\InputException;
+use Magento\Framework\Webapi\Exception as WebapiException;
+use Magento\Framework\Webapi\Rest\Request;
+use Magento\Framework\Webapi\Rest\RequestMethodValidator;
+use PHPUnit\Framework\TestCase;
+
+class RequestMethodValidatorTest extends TestCase
+{
+    protected function setUp(): void
+    {
+        $this->validator = new RequestMethodValidator();
+    }
+
+    public function testValidate(): void
+    {
+        $requestMock = $this->createMock(Request::class);
+        $requestMock->expects(self::once())
+            ->method('getHttpMethod')
+            ->willReturn('POST');
+        $this->validator->validate($requestMock);
+    }
+
+    public function testValidateWithException(): void
+    {
+        $this->expectException(WebapiException::class);
+        $this->expectExceptionMessage('The OPTIONS HTTP method is not supported.');
+
+        $exceptionMock = $this->createMock(InputException::class);
+        $requestMock = $this->createMock(Request::class);
+        $requestMock->expects(self::once())
+            ->method('getHttpMethod')
+            ->willThrowException($exceptionMock);
+        $requestMock->expects(self::once())
+            ->method('getMethod')
+            ->willReturn('OPTIONS');
+        $this->validator->validate($requestMock);
+    }
+}