Merge pull request #7099 from magento-l3/PR-2021-20-08

L3 PR-2021-20-09

Author: dhorytskyi

app/code/Magento/Backend/App/Action/Plugin/Authentication.php

@@ -102,6 +102,8 @@ public function __construct(
     }
 
     /**
+     * Ensures user is authenticated before accessing backend action controllers.
+     *
      * @param \Magento\Backend\App\AbstractAction $subject
      * @param \Closure $proceed
      * @param \Magento\Framework\App\RequestInterface $request
@@ -225,10 +227,9 @@ protected function _redirectIfNeededAfterLogin(\Magento\Framework\App\RequestInt
 
         // Checks, whether secret key is required for admin access or request uri is explicitly set
         if ($this->_url->useSecretKey()) {
-            $requestParts = explode('/', trim($request->getRequestUri(), '/'), 3);
-            $baseUrlPath = trim(parse_url($this->backendUrl->getBaseUrl(), PHP_URL_PATH), '/');
-            $routeIndex = empty($baseUrlPath) ? 0 : 1;
-            $requestUri = $this->_url->getUrl($requestParts[$routeIndex]);
+            // The requested URL has an invalid secret key and therefore redirecting to this URL
+            // will cause a security vulnerability.
+            $requestUri = $this->_url->getUrl($this->_url->getStartupPageUrl());
         } elseif ($request) {
             $requestUri = $request->getRequestUri();
         }

app/code/Magento/Backend/Test/Mftf/ActionGroup/AdminAssertNoErrorMessageActionGroup.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+
+<actionGroups xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/actionGroupSchema.xsd">
+    <actionGroup name="AdminAssertNoErrorMessageActionGroup">
+        <dontSeeElement selector="{{AdminMessagesSection.error}}" stepKey="dontSeeErrorMessage"/>
+    </actionGroup>
+</actionGroups>

app/code/Magento/Backend/Test/Mftf/ActionGroup/AdminClickLogoutActionGroup.xml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+
+<actionGroups xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/actionGroupSchema.xsd">
+    <actionGroup name="AdminClickLogoutActionGroup">
+        <grabAttributeFrom selector="{{AdminHeaderSection.signOut}}" userInput="href" stepKey="logoutUrl"/>
+        <amOnPage url="{$logoutUrl}" stepKey="logout2"/>
+    </actionGroup>
+</actionGroups>

app/code/Magento/Backend/Test/Mftf/ActionGroup/AdminLoginWithCustomUrlActionGroup.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+
+<actionGroups xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+              xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/actionGroupSchema.xsd">
+    <actionGroup name="AdminLoginWithCustomUrlActionGroup" extends="AdminLoginActionGroup">
+        <annotations>
+            <description>Login to specific backend URL.</description>
+        </annotations>
+        <arguments>
+            <argument name="customUrl" type="string"/>
+        </arguments>
+
+        <amOnPage url="{{customUrl}}" stepKey="navigateToAdmin"/>
+    </actionGroup>
+</actionGroups>

app/code/Magento/Backend/Test/Mftf/Section/AdminHeaderSection.xml

@@ -17,5 +17,6 @@
         <element name="pageHeading" type="text" selector=".page-content .page-heading"/>
         <!-- Used for page not found error -->
         <element name="pageNotFoundTitle" type="text" selector=".page-title span"/>
+        <element name="signOut" type="button" selector=".page-header .account-signout"/>
     </section>
 </sections>

app/code/Magento/Backend/Test/Mftf/Test/AdminRedirectToStartupPageAfterLoginIfSecretKeyEnabledTest.xml

@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+
+<tests xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/testSchema.xsd">
+    <test name="AdminRedirectToStartupPageAfterLoginIfSecretKeyEnabledTest">
+        <annotations>
+            <features value="Backend"/>
+            <stories value="Login on the Admin Backend"/>
+            <title value="Admin should not be redirected to the requested page after login if secret key is enabled"/>
+            <description value="Admin should not be redirected to the requested page after login if secret key is enabled"/>
+            <severity value="AVERAGE"/>
+            <testCaseId value="AC-1145"/>
+            <useCaseId value="MC-43161"/>
+            <group value="backend"/>
+        </annotations>
+        <before>
+            <!-- Add Secret Key to URLs -->
+            <magentoCLI command="config:set admin/security/use_form_key 1" stepKey="enableUrlSecretKeys"/>
+            <actionGroup ref="AdminLoginActionGroup" stepKey="loginAsAdmin"/>
+        </before>
+        <after>
+            <magentoCLI command="config:set admin/security/use_form_key 0" stepKey="disableUrlSecretKeys"/>
+            <actionGroup ref="AdminLogoutActionGroup" stepKey="logoutFromAdmin"/>
+        </after>
+
+        <!-- Assert succesful login without any error message -->
+        <actionGroup ref="AdminAssertNoErrorMessageActionGroup" stepKey="dontSeeErrorMessage1"/>
+        <!-- Assert current page is dashboard -->
+        <seeCurrentUrlMatches regex="~\/admin\/dashboard\/~" stepKey="seeCurrentUrlMatchesDashboardUrl"/>
+        <!-- Navigate to web configuration -->
+        <actionGroup ref="AdminNavigateMenuActionGroup" stepKey="navigateToFindPartnersAndExtensions">
+            <argument name="menuUiId" value="magento-backend-stores"/>
+            <argument name="submenuUiId" value="magento-config-system-config"/>
+        </actionGroup>
+        <actionGroup ref="AdminOpenConfigNavItemActionGroup" stepKey="navigateToWebConfig">
+            <argument name="navItem" value="Web" />
+        </actionGroup>
+        <!-- Grab current URL -->
+        <grabFromCurrentUrl stepKey="webConfigurationUrl"/>
+        <!-- Logout -->
+        <actionGroup ref="AdminClickLogoutActionGroup" stepKey="logout2"/>
+        <!-- Login with directt url -->
+        <actionGroup ref="AdminLoginWithCustomUrlActionGroup" stepKey="loginAndRedirectToRequestedPage">
+            <argument name="customUrl" value="$webConfigurationUrl"/>
+        </actionGroup>
+        <!-- Assert succesful login without any error message -->
+        <actionGroup ref="AdminAssertNoErrorMessageActionGroup" stepKey="dontSeeErrorMessage2"/>
+        <!-- Assert current page is dashboard -->
+        <seeCurrentUrlMatches regex="~\/admin\/dashboard\/~" stepKey="seeCurrentUrlMatchesDashboardUrl2"/>
+    </test>
+</tests>

app/code/Magento/Catalog/Model/Product/Gallery/CreateHandler.php

@@ -550,6 +550,7 @@ private function processMediaAttribute(
      * @param array $clearImages
      * @param array $newImages
      * @param array $existImages
+     * @SuppressWarnings(PHPMD.CyclomaticComplexity)
      */
     private function processMediaAttributeLabel(
         Product $product,
@@ -571,6 +572,9 @@ private function processMediaAttributeLabel(
 
         if (in_array($attrData, array_keys($existImages)) && isset($existImages[$attrData]['label'])) {
             $product->setData($mediaAttrCode . '_label', $existImages[$attrData]['label']);
+            if ($existImages[$attrData]['label'] == null) {
+                $resetLabel = true;
+            }
         }
 
         if ($attrData === 'no_selection' && !empty($product->getData($mediaAttrCode . '_label'))) {

app/code/Magento/CatalogGraphQl/Model/Resolver/Products/Query/Search.php

@@ -9,6 +9,7 @@
 
 use Magento\CatalogGraphQl\DataProvider\Product\SearchCriteriaBuilder;
 use Magento\CatalogGraphQl\Model\Resolver\Products\DataProvider\ProductSearch;
+use Magento\CatalogGraphQl\Model\Resolver\Products\Query\Search\QueryPopularity;
 use Magento\CatalogGraphQl\Model\Resolver\Products\SearchResult;
 use Magento\CatalogGraphQl\Model\Resolver\Products\SearchResultFactory;
 use Magento\Framework\Api\Search\SearchCriteriaInterface;
@@ -22,6 +23,8 @@
 
 /**
  * Full text search for catalog using given search criteria.
+ *
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
 class Search implements ProductQueryInterface
 {
@@ -60,6 +63,11 @@ class Search implements ProductQueryInterface
      */
     private $searchCriteriaBuilder;
 
+    /**
+     * @var QueryPopularity
+     */
+    private $queryPopularity;
+
     /**
      * @param SearchInterface $search
      * @param SearchResultFactory $searchResultFactory
@@ -68,6 +76,7 @@ class Search implements ProductQueryInterface
      * @param ProductSearch $productsProvider
      * @param SearchCriteriaBuilder $searchCriteriaBuilder
      * @param ArgumentsProcessorInterface|null $argsSelection
+     * @param QueryPopularity|null $queryPopularity
      */
     public function __construct(
         SearchInterface $search,
@@ -76,16 +85,17 @@ public function __construct(
         FieldSelection $fieldSelection,
         ProductSearch $productsProvider,
         SearchCriteriaBuilder $searchCriteriaBuilder,
-        ArgumentsProcessorInterface $argsSelection = null
+        ArgumentsProcessorInterface $argsSelection = null,
+        QueryPopularity $queryPopularity = null
     ) {
         $this->search = $search;
         $this->searchResultFactory = $searchResultFactory;
         $this->pageSizeProvider = $pageSize;
         $this->fieldSelection = $fieldSelection;
         $this->productsProvider = $productsProvider;
         $this->searchCriteriaBuilder = $searchCriteriaBuilder;
-        $this->argsSelection = $argsSelection ?: ObjectManager::getInstance()
-            ->get(ArgumentsProcessorInterface::class);
+        $this->argsSelection = $argsSelection ?: ObjectManager::getInstance()->get(ArgumentsProcessorInterface::class);
+        $this->queryPopularity = $queryPopularity ?: ObjectManager::getInstance()->get(QueryPopularity::class);
     }
 
     /**
@@ -124,6 +134,11 @@ public function getResult(
 
         $totalPages = $realPageSize ? ((int)ceil($searchResults->getTotalCount() / $realPageSize)) : 0;
 
+        // add query statistics data
+        if (!empty($args['search'])) {
+            $this->queryPopularity->execute($context, $args['search'], (int) $searchResults->getTotalCount());
+        }
+
         $productArray = [];
         /** @var \Magento\Catalog\Model\Product $product */
         foreach ($searchResults->getItems() as $product) {

app/code/Magento/CatalogGraphQl/Model/Resolver/Products/Query/Search/QueryPopularity.php

@@ -0,0 +1,66 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\CatalogGraphQl\Model\Resolver\Products\Query\Search;
+
+use Magento\Framework\Stdlib\StringUtils as StdlibString;
+use Magento\Framework\Exception\NoSuchEntityException;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\GraphQl\Model\Query\ContextInterface;
+use Magento\Search\Model\QueryFactory;
+
+/**
+ * Query statics handler
+ */
+class QueryPopularity
+{
+    /**
+     * @var QueryFactory
+     */
+    private $queryFactory;
+
+    /**
+     * @var StdlibString
+     */
+    private $string;
+
+    /**
+     * @param QueryFactory $queryFactory
+     * @param StdlibString $string
+     */
+    public function __construct(
+        QueryFactory $queryFactory,
+        StdlibString $string
+    ) {
+        $this->queryFactory = $queryFactory;
+        $this->string = $string;
+    }
+
+    /**
+     * Fill the query popularity
+     *
+     * @param ContextInterface $context
+     * @param string $queryText
+     * @param int $numResults
+     * @return void
+     * @throws NoSuchEntityException
+     * @throws LocalizedException
+     */
+    public function execute(ContextInterface $context, string $queryText, int $numResults) : void
+    {
+        $query = $this->queryFactory->create();
+        $maxQueryLength = (int) $query->getMaxQueryLength();
+        if ($maxQueryLength && $this->string->strlen($queryText) > $maxQueryLength) {
+            $queryText = $this->string->substr($queryText, 0, $maxQueryLength);
+        }
+        $query->setQueryText($queryText);
+        $store = $context->getExtensionAttributes()->getStore();
+        $query->setStoreId($store->getId());
+        $query->saveIncrementalPopularity();
+        $query->saveNumResults($numResults);
+    }
+}