MC-41013: Prevent errors from incorrect configurations

Author: StasKozar

app/etc/di.xml

@@ -698,6 +698,9 @@
                 <item name="0" xsi:type="string">Magento\Framework\Data\OptionSourceInterface</item>
                 <item name="1" xsi:type="string">Magento\Framework\View\Element\UiComponent\DataProvider\DataProviderInterface</item>
             </argument>
+            <argument name="deniedClassList" xsi:type="array">
+                <item name="0" xsi:type="string">Magento\Framework\Model\ResourceModel\AbstractResource</item>
+            </argument>
         </arguments>
     </type>
     <type name="Magento\Framework\Mview\View">

lib/internal/Magento/Framework/View/Element/UiComponent/Argument/Interpreter/ConfigurableObject.php

@@ -24,6 +24,11 @@ class ConfigurableObject implements InterpreterInterface
      */
     private $classWhitelist = [];
 
+    /**
+     * @var array
+     */
+    private $deniedClassList = [];
+
     /**
      * @var ObjectManagerInterface
      */
@@ -52,17 +57,20 @@ class ConfigurableObject implements InterpreterInterface
      * @param array $classWhitelist
      * @param ClassReader|null $classReader
      * @param ConfigInterface|null $objectManagerConfig
+     * @param array $deniedClassList
      */
     public function __construct(
         ObjectManagerInterface $objectManager,
         InterpreterInterface $argumentInterpreter,
         array $classWhitelist = [],
         ClassReader $classReader = null,
-        ConfigInterface $objectManagerConfig = null
+        ConfigInterface $objectManagerConfig = null,
+        array $deniedClassList = []
     ) {
         $this->objectManager = $objectManager;
         $this->argumentInterpreter = $argumentInterpreter;
         $this->classWhitelist = $classWhitelist;
+        $this->deniedClassList = $deniedClassList;
         $this->classReader = $classReader ?? $objectManager->get(ClassReader::class);
         $this->objectManagerConfig = $objectManagerConfig ?? $objectManager->get(ConfigInterface::class);
     }
@@ -85,25 +93,12 @@ public function evaluate(array $data)
             if (!isset($arguments['class'])) {
                 throw new \InvalidArgumentException('Node "argument" with name "class" is required for this type.');
             }
-
             $className = $arguments['class'];
             unset($arguments['class']);
-
-            $type = $this->objectManagerConfig->getInstanceType(
-                $this->objectManagerConfig->getPreference($className)
-            );
-
-            $classParents = $this->getParents($type);
-
-            $whitelistIntersection = array_intersect($classParents, $this->classWhitelist);
-
-            if (empty($whitelistIntersection)) {
-                throw new \InvalidArgumentException(
-                    sprintf('Class argument is invalid: %s', $className)
-                );
-            }
         }
 
+        $this->isValid($className);
+
         return $this->objectManager->create($className, $arguments);
     }
 
@@ -115,7 +110,7 @@ public function evaluate(array $data)
      */
     private function getParents(string $type)
     {
-        $classParents = $this->classReader->getParents($type);
+        $classParents = $this->classReader->getParents($type) ?? [];
         foreach ($classParents as $parent) {
             if (empty($parent)) {
                 continue;
@@ -125,4 +120,30 @@ private function getParents(string $type)
 
         return $classParents;
     }
+
+    /**
+     * Check that provided class could be evaluated like an argument.
+     *
+     * @param string $className
+     * @throws \InvalidArgumentException
+     */
+    private function isValid(string $className): void
+    {
+        $type = $this->objectManagerConfig->getInstanceType(
+            $this->objectManagerConfig->getPreference($className)
+        );
+
+        $classParents = $this->getParents($type);
+
+        if (!empty($classParents)) {
+            $whitelistIntersection = array_intersect($classParents, $this->classWhitelist);
+            $deniedIntersection = array_intersect($classParents, $this->deniedClassList);
+
+            if (empty($whitelistIntersection) || !empty($deniedIntersection)) {
+                throw new \InvalidArgumentException(
+                    sprintf('Class argument is invalid: %s', $className)
+                );
+            }
+        }
+    }
 }

lib/internal/Magento/Framework/View/Test/Unit/UiComponent/Argument/Interpreter/ConfigurableObjectTest.php

@@ -65,6 +65,10 @@ protected function setUp(): void
                 ],
                 'classReader' => $this->classReader,
                 'objectManagerConfig' => $this->objectManagerConfig,
+                'deniedClassList' => [
+                    \Foo\Bar\ClassC::class,
+                    \Foo\Bar\InterfaceC::class,
+                ],
             ]
         );
     }
@@ -268,6 +272,27 @@ public function invalidDataProvider()
                 \InvalidArgumentException::class,
                 'Class argument is invalid: MyFooClass'
             ],
+            [
+                [
+                    'argument' => [
+                        'class' => ['value' => 'MyFooClass'],
+                        'myarg' => ['value' => 'bar'],
+                    ],
+                ],
+                'MyFooClass',
+                [
+                    ['MyFooClass', ['Something', 'skipme']],
+                    ['Something', ['dontcare', 'SomethingElse']],
+                    ['SomethingElse', [\Foo\Bar\ClassC::class, 'unrelated']],
+                    ['skipme', []],
+                    ['dontcare', []],
+                    ['unrelated', [\Foo\Bar\InterfaceC::class]],
+                    [\Foo\Bar\ClassC::class, []],
+                    [\Foo\Bar\InterfaceC::class, []],
+                ],
+                \InvalidArgumentException::class,
+                'Class argument is invalid: MyFooClass',
+            ],
         ];
     }
 }