MAGETWO-90410: Prepare codebase for 2.1.14

Author: zakdma

app/code/Magento/Catalog/Model/ImageUploader.php

@@ -64,6 +64,18 @@ class ImageUploader
      */
     protected $allowedExtensions;
 
+    /**
+     * List of allowed image mime types.
+     *
+     * @var array
+     */
+    private $allowedMimeTypes = [
+        'image/jpg',
+        'image/jpeg',
+        'image/gif',
+        'image/png',
+    ];
+
     /**
      * ImageUploader constructor
      *
@@ -218,6 +230,7 @@ public function moveFileFromTmp($imageName)
      * @return string[]
      *
      * @throws \Magento\Framework\Exception\LocalizedException
+     * @throws \Exception
      */
     public function saveFileToTmpDir($fileId)
     {
@@ -228,6 +241,10 @@ public function saveFileToTmpDir($fileId)
         $uploader->setAllowedExtensions($this->getAllowedExtensions());
         $uploader->setAllowRenameFiles(true);
 
+        if (!$uploader->checkMimeType($this->allowedMimeTypes)) {
+            throw new \Magento\Framework\Exception\LocalizedException(__('File validation failed.'));
+        }
+
         $result = $uploader->save($this->mediaDirectory->getAbsolutePath($baseTmpPath));
         unset($result['path']);
 

app/code/Magento/Catalog/Model/Product/Gallery/UpdateHandler.php

@@ -28,6 +28,9 @@ protected function processDeletedImages($product, array &$images)
         foreach ($images as &$image) {
             if (!empty($image['removed'])) {
                 if (!empty($image['value_id']) && !isset($picturesInOtherStores[$image['file']])) {
+                    if (preg_match('/\.\.(\\\|\/)/', $image['file'])) {
+                        continue;
+                    }
                     $recordsToDelete[] = $image['value_id'];
                     $catalogPath = $this->mediaConfig->getBaseMediaPath();
                     $isFile = $this->mediaDirectory->isFile($catalogPath . $image['file']);

app/code/Magento/Catalog/Test/Unit/Model/ImageUploaderTest.php

@@ -0,0 +1,166 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Catalog\Test\Unit\Model;
+
+/**
+ * Magento\Catalog\Model\ImageUploader unit tests.
+ */
+class ImageUploaderTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @var \Magento\Catalog\Model\ImageUploader
+     */
+    private $imageUploader;
+
+    /**
+     * Core file storage database.
+     *
+     * @var \Magento\MediaStorage\Helper\File\Storage\Database|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $coreFileStorageDatabaseMock;
+
+    /**
+     * Media directory object (writable).
+     *
+     * @var \Magento\Framework\Filesystem|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $mediaDirectoryMock;
+
+    /**
+     * Media directory object (writable).
+     *
+     * @var \Magento\Framework\Filesystem\Directory\WriteInterface|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $mediaWriteDirectoryMock;
+
+    /**
+     * Uploader factory.
+     *
+     * @var \Magento\MediaStorage\Model\File\UploaderFactory|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $uploaderFactoryMock;
+
+    /**
+     * Store manager.
+     *
+     * @var \Magento\Store\Model\StoreManagerInterface|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $storeManagerMock;
+
+    /**
+     * @var \Psr\Log\LoggerInterface|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $loggerMock;
+
+    /**
+     * Base tmp path.
+     *
+     * @var string
+     */
+    private $baseTmpPath;
+
+    /**
+     * Base path.
+     *
+     * @var string
+     */
+    private $basePath;
+
+    /**
+     * Allowed extensions.
+     *
+     * @var string
+     */
+    private $allowedExtensions;
+
+    /**
+     * @inheritdoc
+     */
+    protected function setUp()
+    {
+        $this->coreFileStorageDatabaseMock = $this->getMockBuilder(
+            \Magento\MediaStorage\Helper\File\Storage\Database::class
+        )
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->mediaDirectoryMock = $this->getMockBuilder(
+            \Magento\Framework\Filesystem::class
+        )
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->mediaWriteDirectoryMock = $this->getMockBuilder(
+            \Magento\Framework\Filesystem\Directory\WriteInterface::class
+        )
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->mediaDirectoryMock->expects($this->any())->method('getDirectoryWrite')->willReturn(
+            $this->mediaWriteDirectoryMock
+        );
+        $this->uploaderFactoryMock = $this->getMockBuilder(
+            \Magento\MediaStorage\Model\File\UploaderFactory::class
+        )
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->storeManagerMock = $this->getMockBuilder(
+            \Magento\Store\Model\StoreManagerInterface::class
+        )
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->loggerMock = $this->getMockBuilder(\Psr\Log\LoggerInterface::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->baseTmpPath = 'base/tmp/';
+        $this->basePath =  'base/real/';
+        $this->allowedExtensions = ['.jpg'];
+
+        $this->imageUploader =
+            new \Magento\Catalog\Model\ImageUploader(
+                $this->coreFileStorageDatabaseMock,
+                $this->mediaDirectoryMock,
+                $this->uploaderFactoryMock,
+                $this->storeManagerMock,
+                $this->loggerMock,
+                $this->baseTmpPath,
+                $this->basePath,
+                $this->allowedExtensions
+            );
+    }
+
+    public function testSaveFileToTmpDir()
+    {
+        $fileId = 'file.jpg';
+        $allowedMimeTypes = [
+            'image/jpg',
+            'image/jpeg',
+            'image/gif',
+            'image/png',
+        ];
+        /** @var \Magento\MediaStorage\Model\File\Uploader|\PHPUnit_Framework_MockObject_MockObject $uploader */
+        $uploader = $this->getMockBuilder(\Magento\MediaStorage\Model\File\Uploader::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->uploaderFactoryMock->expects($this->once())->method('create')->willReturn($uploader);
+        $uploader->expects($this->once())->method('setAllowedExtensions')->with($this->allowedExtensions);
+        $uploader->expects($this->once())->method('setAllowRenameFiles')->with(true);
+        $this->mediaWriteDirectoryMock->expects($this->once())->method('getAbsolutePath')->with($this->baseTmpPath)
+            ->willReturn($this->basePath);
+        $uploader->expects($this->once())->method('save')->with($this->basePath)
+            ->willReturn(['tmp_name' => $this->baseTmpPath, 'file' => $fileId, 'path' => $this->basePath]);
+        $uploader->expects($this->atLeastOnce())->method('checkMimeType')->with($allowedMimeTypes)->willReturn(true);
+        $storeMock = $this->getMockBuilder(\Magento\Store\Model\Store::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['getBaseUrl'])
+            ->getMock();
+
+        $this->storeManagerMock->expects($this->once())->method('getStore')->willReturn($storeMock);
+        $storeMock->expects($this->once())->method('getBaseUrl');
+        $this->coreFileStorageDatabaseMock->expects($this->once())->method('saveFile');
+
+        $result = $this->imageUploader->saveFileToTmpDir($fileId);
+
+        $this->assertArrayNotHasKey('path', $result);
+    }
+}

app/code/Magento/CatalogImportExport/Model/Import/Uploader.php

@@ -7,10 +7,12 @@
 
 use Magento\Framework\App\Filesystem\DirectoryList;
 use Magento\Framework\Filesystem\DriverPool;
+use Magento\Framework\App\ObjectManager;
 
 /**
  * Import entity product model
  *
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  * @author      Magento Core Team <core@magentocommerce.com>
  */
 class Uploader extends \Magento\MediaStorage\Model\File\Uploader
@@ -85,6 +87,11 @@ class Uploader extends \Magento\MediaStorage\Model\File\Uploader
      */
     protected $_coreFileStorage;
 
+    /**
+     * @var \Magento\Framework\App\Filesystem\DirectoryResolver
+     */
+    private $directoryResolver;
+
     /**
      * @param \Magento\MediaStorage\Helper\File\Storage\Database $coreFileStorageDb
      * @param \Magento\MediaStorage\Helper\File\Storage $coreFileStorage
@@ -93,6 +100,7 @@ class Uploader extends \Magento\MediaStorage\Model\File\Uploader
      * @param \Magento\Framework\Filesystem $filesystem
      * @param \Magento\Framework\Filesystem\File\ReadFactory $readFactory
      * @param null $filePath
+     * @param \Magento\Framework\App\Filesystem\DirectoryResolver|null $directoryResolver
      * @throws \Magento\Framework\Exception\LocalizedException
      */
     public function __construct(
@@ -102,7 +110,8 @@ public function __construct(
         \Magento\MediaStorage\Model\File\Validator\NotProtectedExtension $validator,
         \Magento\Framework\Filesystem $filesystem,
         \Magento\Framework\Filesystem\File\ReadFactory $readFactory,
-        $filePath = null
+        $filePath = null,
+        \Magento\Framework\App\Filesystem\DirectoryResolver $directoryResolver = null
     ) {
         if ($filePath !== null) {
             $this->_setUploadFile($filePath);
@@ -113,6 +122,8 @@ public function __construct(
         $this->_validator = $validator;
         $this->_directory = $filesystem->getDirectoryWrite(DirectoryList::ROOT);
         $this->_readFactory = $readFactory;
+        $this->directoryResolver = $directoryResolver
+            ?: ObjectManager::getInstance()->get(\Magento\Framework\App\Filesystem\DirectoryResolver::class);
     }
 
     /**
@@ -217,6 +228,7 @@ protected function _validateFile()
 
         $fileExtension = pathinfo($filePath, PATHINFO_EXTENSION);
         if (!$this->checkAllowedExtension($fileExtension)) {
+            $this->_directory->delete($filePath);
             throw new \Exception('Disallowed file type.');
         }
         //run validate callbacks
@@ -262,7 +274,10 @@ public function getTmpDir()
      */
     public function setTmpDir($path)
     {
-        if (is_string($path) && $this->_directory->isReadable($path)) {
+        if (is_string($path)
+            && $this->_directory->isReadable($path)
+            && $this->directoryResolver->validatePath($this->_directory->getAbsolutePath($path), DirectoryList::ROOT)
+        ) {
             $this->_tmpDir = $path;
             return true;
         }

app/code/Magento/CatalogImportExport/Test/Unit/Model/Import/UploaderTest.php

@@ -39,10 +39,15 @@ class UploaderTest extends \PHPUnit_Framework_TestCase
     protected $readFactory;
 
     /**
-     * @var \Magento\Framework\Filesystem\Directory\Writer| \PHPUnit_Framework_MockObject_MockObject
+     * @var \Magento\Framework\Filesystem\Directory\Writer|\PHPUnit_Framework_MockObject_MockObject
      */
     protected $directoryMock;
 
+    /**
+     * @var \Magento\Framework\App\Filesystem\DirectoryResolver|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $directoryResolver;
+
     /**
      * @var \Magento\CatalogImportExport\Model\Import\Uploader|\PHPUnit_Framework_MockObject_MockObject
      */
@@ -72,7 +77,7 @@ protected function setUp()
             ->getMock();
 
         $this->directoryMock = $this->getMockBuilder(\Magento\Framework\Filesystem\Directory\Writer::class)
-            ->setMethods(['writeFile', 'getRelativePath', 'isWritable', 'getAbsolutePath'])
+            ->setMethods(['writeFile', 'getRelativePath', 'isWritable', 'isReadable', 'getAbsolutePath'])
             ->disableOriginalConstructor()
             ->getMock();
 
@@ -84,6 +89,11 @@ protected function setUp()
                         ->method('getDirectoryWrite')
                         ->will($this->returnValue($this->directoryMock));
 
+        $this->directoryResolver = $this->getMockBuilder(\Magento\Framework\App\Filesystem\DirectoryResolver::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['validatePath'])
+            ->getMock();
+
         $this->uploader = $this->getMockBuilder(\Magento\CatalogImportExport\Model\Import\Uploader::class)
             ->setConstructorArgs([
                 $this->coreFileStorageDb,
@@ -92,6 +102,8 @@ protected function setUp()
                 $this->validator,
                 $this->filesystem,
                 $this->readFactory,
+                null,
+                $this->directoryResolver,
             ])
             ->setMethods(['_setUploadFile', 'save', 'getTmpDir'])
             ->getMock();
@@ -169,4 +181,46 @@ public function moveFileUrlDataProvider()
             ],
         ];
     }
+
+    /**
+     * @dataProvider validatePathDataProvider
+     *
+     * @param bool $pathIsValid
+     * @return void
+     */
+    public function testSetTmpDir($pathIsValid)
+    {
+        $path = 'path';
+        $absolutePath = 'absolute_path';
+        $this->directoryMock
+            ->expects($this->atLeastOnce())
+            ->method('isReadable')
+            ->with($path)
+            ->willReturn(true);
+        $this->directoryMock
+            ->expects($this->atLeastOnce())
+            ->method('getAbsolutePath')
+            ->with($path)
+            ->willReturn($absolutePath);
+        $this->directoryResolver
+            ->expects($this->atLeastOnce())
+            ->method('validatePath')
+            ->with($absolutePath, 'base')
+            ->willReturn($pathIsValid);
+
+        $this->assertEquals($pathIsValid, $this->uploader->setTmpDir($path));
+    }
+
+    /**
+     * Data provider for the testSetTmpDir()
+     *
+     * @return array
+     */
+    public function validatePathDataProvider()
+    {
+        return [
+            [true],
+            [false],
+        ];
+    }
 }