Validate PHP class-names in di.xml files via schema

The preferenceType @for/@type attributes, the typeType @name attribute,
the virtualTypeType @type attribute and the pluginType @type attribute
contain class-names (FQCNs) which should not start with a leading
backslash (U+005C "\") and should not contain other invalid character
sequences that would represent an invalid PHP class-name.

Previously this was possible and these errors got unnoticed within di.xml
configuration file validation.

The ObjectManager - a user of these configurations - handles this common
error in user input in part so far by removing any trailing slashes with
multiple calls like:

        $type = ltrim($type, '\\');

This change has been introduced in 33ebc24 and could be classified as a
workaround for a quite common mistake when specifying an FQCN that despite
the varying notations in the PHP manual due to the contextual resolution
rules (and different to a file-systems absolute path in POSIX) must not
start with a leading separator as type or class-name.

When using a string-value as class-name (e.g. class_exists() calls) the
class name is always an FQCN as namespacing in PHP is contextual within
source-code for identifiers only and not for strings.

So relative class-names (like those with a leading backslash) do not
apply for strings. This is the case in configuration files like di.xml
files. The di.xml files use the

    urn:magento:framework:ObjectManager/etc/config.xsd

schema location which is resolved by UrnResolver (6379732) to

    lib/internal/Magento/Framework/ObjectManager/etc/config.xsd

That schema did validate class-name attribute values only against the
simple type of being strings (xs:string). As a class-name in PHP is a
valid string also if starting with the backslash character (and other
invalid names, like digits in front), this commit extends the schema
to validate against the regular expression provided by the PHP manual [1]:

    ^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$

by adding a new simple-type called "phpClassName" that qualifies the string-
base-type with the from PHP manual translated pattern:

    [a-zA-Z_-ÿ][a-zA-Z0-9_-ÿ]*

extended for namespaced class-names:

    ([a-zA-Z_-ÿ][a-zA-Z0-9_-ÿ]*)(\\[a-zA-Z_-ÿ][a-zA-Z0-9_-ÿ]*)*

The change ensures that the said attribute values are validated and
invalid class-names are recognized during schema based validation.

This change verifies that configured PHP-types can be autoloaded when
used w/o smudging (see the ltrim() operation). It has been documented [2]
that the leading backslash prevents correct file-resolution when auto-
loading with the Composer autoloader, a component actively used by the
Magento application.

This change adheres to existing PR #8638 and relates to issue #8635.

Additionally this commit adds tests for the new phpClassName xsd type with
config xml material.

Refs:

- #8635

- #8638

- [1] https://php.net/language.oop5.basic

- [2] http://magento.stackexchange.com/a/161010

- 33ebc24

- 6379732

Author: ktomk

lib/internal/Magento/Framework/ObjectManager/Test/Unit/Config/_files/invalidConfigXmlArray.php

@@ -172,4 +172,69 @@
             "\nLine: 6\n"
         ],
     ],
+    'virtualtype with empty_name' => [
+        '<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+            <virtualType name="" type="TypeName" shared="true"/>
+        </config>',
+        [
+            "Element 'virtualType', attribute 'name': [facet 'pattern'] The value '' is not accepted by the pattern '" .
+            "([a-zA-Z_\x7f-\xc3\xbf][a-zA-Z0-9_\x7f-\xc3\xbf]*)(\\\\[a-zA-Z_\x7f-\xc3\xbf][a-zA-Z0-9_\x7f-\xc3\xbf]*" .
+            ")*'." .
+            "\nLine: 2\n",
+            "Element 'virtualType', attribute 'name': '' is not a valid value of the atomic type 'phpClassName'." .
+            "\nLine: 2\n",
+            "Element 'virtualType', attribute 'name': Warning: No precomputed value available, the value was either " .
+            "invalid or something strange happend." .
+            "\nLine: 2\n",
+        ],
+    ],
+    'virtualtype with invalid_name' => [
+        '<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+            <virtualType name="\\BackslashPrefix\\IsNotAllowed" type="TypeName" shared="true"/>
+        </config>',
+        [
+            "Element 'virtualType', attribute 'name': [facet 'pattern'] The value '\\BackslashPrefix\\IsNotAllowed' " .
+            "is not accepted by the pattern '" .
+            "([a-zA-Z_\x7f-\xc3\xbf][a-zA-Z0-9_\x7f-\xc3\xbf]*)(\\\\[a-zA-Z_\x7f-\xc3\xbf][a-zA-Z0-9_\x7f-\xc3\xbf]*" .
+            ")*'." .
+            "\nLine: 2\n",
+            "Element 'virtualType', attribute 'name': '\\BackslashPrefix\\IsNotAllowed' " .
+            "is not a valid value of the atomic type 'phpClassName'." .
+            "\nLine: 2\n",
+            "Element 'virtualType', attribute 'name': Warning: No precomputed value available, the value was either " .
+            "invalid or something strange happend." .
+            "\nLine: 2\n",
+        ],
+    ],
+    'virtualtype with empty_type' => [
+        '<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+            <virtualType name="Name" type="" shared="true"/>
+        </config>',
+        [
+            "Element 'virtualType', attribute 'type': [facet 'pattern'] The value '' is not accepted by the pattern '" .
+            "([a-zA-Z_\x7f-\xc3\xbf][a-zA-Z0-9_\x7f-\xc3\xbf]*)(\\\\[a-zA-Z_\x7f-\xc3\xbf][a-zA-Z0-9_\x7f-\xc3\xbf]*" .
+            ")*'." .
+            "\nLine: 2\n",
+            "Element 'virtualType', attribute 'type': '' is not a valid value of the atomic type 'phpClassName'." .
+            "\nLine: 2\n",
+        ],
+    ],
+    'virtualtype with invalid_type' => [
+        '<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+            <virtualType name="777Digits\\IsNotAllowed" type="TypeName" shared="true"/>
+        </config>',
+        [
+            "Element 'virtualType', attribute 'name': [facet 'pattern'] The value '777Digits\\IsNotAllowed' " .
+            "is not accepted by the pattern '" .
+            "([a-zA-Z_\x7f-\xc3\xbf][a-zA-Z0-9_\x7f-\xc3\xbf]*)(\\\\[a-zA-Z_\x7f-\xc3\xbf][a-zA-Z0-9_\x7f-\xc3\xbf]*" .
+            ")*'." .
+            "\nLine: 2\n",
+            "Element 'virtualType', attribute 'name': '777Digits\\IsNotAllowed' " .
+            "is not a valid value of the atomic type 'phpClassName'." .
+            "\nLine: 2\n",
+            "Element 'virtualType', attribute 'name': Warning: No precomputed value available, the value was either " .
+            "invalid or something strange happend." .
+            "\nLine: 2\n",
+        ],
+    ],
 ];

lib/internal/Magento/Framework/ObjectManager/Test/Unit/Config/_files/valid_config.xml

@@ -7,7 +7,7 @@
 -->
 <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
     <preference for="Some_For_Name" type="Some_Type_Name" />
-    <virtualType name="" type="" shared="true">
+    <virtualType name="Php\Namespace\VirtualClassName" type="Php\Namespace\ConcreteClassName" shared="true">
         <arguments>
             <argument name="object" xsi:type="object" shared="true">Object</argument>
             <argument name="init_parameter" xsi:type="init_parameter">INIT_PARAMETER</argument>

lib/internal/Magento/Framework/ObjectManager/etc/config.xsd

@@ -26,6 +26,20 @@
         </xs:complexType>
     </xs:redefine>
 
+    <xs:simpleType name="phpClassName">
+        <xs:annotation>
+            <xs:documentation>
+                A string that matches a Fully Qualified Class Name from PHP, especially not starting
+                with a backslash as this is an invalid character to start a class name with but a
+                somewhat common mistake so this simple type can be used to validate against it
+                already
+            </xs:documentation>
+        </xs:annotation>
+        <xs:restriction base="xs:string">
+            <xs:pattern value="([a-zA-Z_&#x7f;-&#xff;][a-zA-Z0-9_&#x7f;-&#xff;]*)(\\[a-zA-Z_&#x7f;-&#xff;][a-zA-Z0-9_&#x7f;-&#xff;]*)*"/>
+        </xs:restriction>
+    </xs:simpleType>
+
     <xs:complexType name="init_parameter">
         <xs:complexContent>
             <xs:extension base="argumentType" />
@@ -102,8 +116,8 @@
                 Preference help Object Manager to choose class for corresponding interface
             </xs:documentation>
         </xs:annotation>
-        <xs:attribute name="for" type="xs:string" use="required" />
-        <xs:attribute name="type" type="xs:string" use="required" />
+        <xs:attribute name="for" type="phpClassName" use="required"/>
+        <xs:attribute name="type" type="phpClassName" use="required" />
     </xs:complexType>
 
     <xs:complexType name="typeType">
@@ -121,7 +135,7 @@
             </xs:element>
             <xs:element name="plugin" type="pluginType" minOccurs="0" maxOccurs="unbounded" />
         </xs:choice>
-        <xs:attribute name="name" type="xs:string" use="required" />
+        <xs:attribute name="name" type="phpClassName" use="required" />
         <xs:attribute name="shared" type="xs:boolean" use="optional" />
     </xs:complexType>
 
@@ -133,14 +147,14 @@
                         With 'virtualType' tag you can point parameters and plugins for autogenerated class
                     </xs:documentation>
                 </xs:annotation>
-                <xs:attribute name="type" type="xs:string" use="optional" />
+                <xs:attribute name="type" type="phpClassName" use="optional" />
             </xs:extension>
         </xs:complexContent>
     </xs:complexType>
 
     <xs:complexType name="pluginType">
         <xs:attribute name="name" type="xs:string" use="required" />
-        <xs:attribute name="type" type="xs:string" use="optional" />
+        <xs:attribute name="type" type="phpClassName" use="optional" />
         <xs:attribute name="disabled" type="xs:boolean" use="optional" />
         <xs:attribute name="sortOrder" type="xs:int" use="optional" />
     </xs:complexType>