MAGETWO-41964: Log created on random requests - leads to DoS attack

Author: Maksym Aposov

app/code/Magento/Store/App/Request/PathInfoProcessor.php

@@ -5,19 +5,21 @@
  */
 namespace Magento\Store\App\Request;
 
+use Magento\Framework\Exception\NoSuchEntityException;
+
 class PathInfoProcessor implements \Magento\Framework\App\Request\PathInfoProcessorInterface
 {
     /**
      * @var \Magento\Store\Model\StoreManagerInterface
      */
-    private $_storeManager;
+    private $storeManager;
 
     /**
      * @param \Magento\Store\Model\StoreManagerInterface $storeManager
      */
     public function __construct(\Magento\Store\Model\StoreManagerInterface $storeManager)
     {
-        $this->_storeManager = $storeManager;
+        $this->storeManager = $storeManager;
     }
 
     /**
@@ -33,14 +35,15 @@ public function process(\Magento\Framework\App\RequestInterface $request, $pathI
         $storeCode = $pathParts[0];
 
         try {
-            $store = $this->_storeManager->getStore($storeCode);
-        } catch (\InvalidArgumentException $e) { // TODO: MAGETWO-39826 Need to replace on NoSuchEntityException
+            /** @var \Magento\Store\Api\Data\StoreInterface $store */
+            $store = $this->storeManager->getStore($storeCode);
+        } catch (NoSuchEntityException $e) {
             return $pathInfo;
         }
 
         if ($store->isUseStoreInUrl()) {
             if (!$request->isDirectAccessFrontendName($storeCode)) {
-                $this->_storeManager->setCurrentStore($storeCode);
+                $this->storeManager->setCurrentStore($storeCode);
                 $pathInfo = '/' . (isset($pathParts[1]) ? $pathParts[1] : '');
                 return $pathInfo;
             } elseif (!empty($storeCode)) {

app/code/Magento/Store/Model/StoreRepository.php

@@ -57,8 +57,7 @@ public function get($code)
         $store = $this->storeFactory->create();
         $store->load($code, 'code');
         if ($store->getId() === null) {
-            // TODO: MAGETWO-39826 Need to replace on NoSuchEntityException
-            throw new \InvalidArgumentException();
+            throw new NoSuchEntityException();
         }
         $this->entities[$code] = $store;
         $this->entitiesById[$store->getId()] = $store;

app/code/Magento/Store/Model/StoreResolver.php

@@ -137,14 +137,9 @@ protected function getRequestedStoreByCode($storeCode)
         try {
             $store = $this->storeRepository->getActiveStoreByCode($storeCode);
         } catch (StoreIsInactiveException $e) {
-            $error = __('Requested store is inactive');
-        } catch (\InvalidArgumentException $e) { // TODO: MAGETWO-39826 Need to replace on NoSuchEntityException
-            $error = __('Requested store is not found');
+            throw new NoSuchEntityException(__('Requested store is inactive'));
         }
 
-        if (isset($error, $e)) {
-            throw new NoSuchEntityException($error, $e);
-        }
         return $store;
     }
 
@@ -160,14 +155,9 @@ protected function getDefaultStoreById($id)
         try {
             $store = $this->storeRepository->getActiveStoreById($id);
         } catch (StoreIsInactiveException $e) {
-            $error = __('Default store is inactive');
-        } catch (\InvalidArgumentException $e) { // TODO: MAGETWO-39826 Need to replace on NoSuchEntityException
-            $error = __('Default store is not found');
+            throw new NoSuchEntityException(__('Default store is inactive'));
         }
 
-        if (isset($error, $e)) {
-            throw new NoSuchEntityException($error, $e);
-        }
         return $store;
     }
 }

app/code/Magento/Store/Test/Unit/App/Request/PathInfoProcessorTest.php

@@ -5,6 +5,8 @@
  */
 namespace Magento\Store\Test\Unit\App\Request;
 
+use Magento\Framework\Exception\NoSuchEntityException;
+
 class PathInfoProcessorTest extends \PHPUnit_Framework_TestCase
 {
     /**
@@ -112,8 +114,7 @@ public function testProcessIfStoreCodeIsNotExist()
     {
         $store = $this->getMock('\Magento\Store\Model\Store', [], [], '', false);
         $this->_storeManagerMock->expects($this->once())->method('getStore')->with('storeCode')
-            // TODO: MAGETWO-39826 Need to replace on NoSuchEntityException
-            ->willThrowException(new \InvalidArgumentException());
+            ->willThrowException(new NoSuchEntityException());
         $store->expects($this->never())->method('isUseStoreInUrl');
         $this->_requestMock->expects($this->never())->method('isDirectAccessFrontendName');
 

dev/tests/integration/testsuite/Magento/Store/App/Request/PathInfoProcessorTest.php

@@ -0,0 +1,106 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Store\App\Request;
+
+use \Magento\TestFramework\Helper\Bootstrap;
+use \Magento\Store\Model\ScopeInterface;
+use \Magento\Store\Model\Store;
+
+class PathInfoProcessorTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @var \Magento\Store\App\Request\PathInfoProcessor
+     */
+    protected $pathProcessor;
+
+    protected function setUp()
+    {
+        $this->pathProcessor = Bootstrap::getObjectManager()->create('Magento\Store\App\Request\PathInfoProcessor');
+    }
+
+    /**
+     * @covers \Magento\Store\App\Request\PathInfoProcessor::process
+     * @dataProvider notValidStoreCodeDataProvider
+     */
+    public function testProcessNotValidStoreCode($pathInfo)
+    {
+        /** @var \Magento\Framework\App\RequestInterface $request */
+        $request = Bootstrap::getObjectManager()->create('Magento\Framework\App\RequestInterface');
+        $this->assertEquals($pathInfo, $this->pathProcessor->process($request, $pathInfo));
+    }
+
+    public function notValidStoreCodeDataProvider()
+    {
+        return [
+            ['not_valid_store_code_int' => '/100500/m/c/a'],
+            ['not_valid_store_code_str' => '/test_string/m/c/a'],
+        ];
+    }
+
+    /**
+     * @covers \Magento\Store\App\Request\PathInfoProcessor::process
+     * @magentoDataFixture Magento/Store/_files/core_fixturestore.php
+     */
+    public function testProcessValidStoreCodeCase1()
+    {
+        /** @var \Magento\Store\Model\Store $store */
+        $store = Bootstrap::getObjectManager()->get('Magento\Store\Model\Store');
+        $store->load('fixturestore', 'code');
+
+        /** @var \Magento\Framework\App\RequestInterface $request */
+        $request = Bootstrap::getObjectManager()->create('Magento\Framework\App\RequestInterface');
+
+        /** @var \Magento\Framework\App\Config\ReinitableConfigInterface $config */
+        $config = Bootstrap::getObjectManager()->get('\Magento\Framework\App\Config\ReinitableConfigInterface');
+        $config->setValue(Store::XML_PATH_STORE_IN_URL, false, ScopeInterface::SCOPE_STORE, $store->getCode());
+        $pathInfo = sprintf('/%s/m/c/a', $store->getCode());
+        $this->assertEquals($pathInfo, $this->pathProcessor->process($request, $pathInfo));
+    }
+
+    /**
+     * @covers \Magento\Store\App\Request\PathInfoProcessor::process
+     * @magentoDataFixture Magento/Store/_files/core_fixturestore.php
+     */
+    public function testProcessValidStoreCodeCase2()
+    {
+        /** @var \Magento\Store\Model\Store $store */
+        $store = Bootstrap::getObjectManager()->get('Magento\Store\Model\Store');
+        $store->load('fixturestore', 'code');
+
+        /** @var \Magento\Framework\App\RequestInterface $request */
+        $request = Bootstrap::getObjectManager()->create('Magento\Framework\App\RequestInterface');
+
+        /** @var \Magento\Framework\App\Config\ReinitableConfigInterface $config */
+        $config = Bootstrap::getObjectManager()->get('\Magento\Framework\App\Config\ReinitableConfigInterface');
+        $config->setValue(Store::XML_PATH_STORE_IN_URL, true, ScopeInterface::SCOPE_STORE, $store->getCode());
+        $pathInfo = sprintf('/%s/m/c/a', $store->getCode());
+        $this->assertEquals('/m/c/a', $this->pathProcessor->process($request, $pathInfo));
+    }
+
+    /**
+     * @covers \Magento\Store\App\Request\PathInfoProcessor::process
+     * @magentoDataFixture Magento/Store/_files/core_fixturestore.php
+     */
+    public function testProcessValidStoreCodeCase3()
+    {
+        /** @var \Magento\Store\Model\Store $store */
+        $store = Bootstrap::getObjectManager()->get('Magento\Store\Model\Store');
+        $store->load('fixturestore', 'code');
+
+        /** @var \Magento\Framework\App\RequestInterface $request */
+        $request = Bootstrap::getObjectManager()->create(
+            'Magento\Framework\App\RequestInterface',
+            ['directFrontNames' => [$store->getCode() => true]]
+        );
+
+        /** @var \Magento\Framework\App\Config\ReinitableConfigInterface $config */
+        $config = Bootstrap::getObjectManager()->get('\Magento\Framework\App\Config\ReinitableConfigInterface');
+        $config->setValue(Store::XML_PATH_STORE_IN_URL, true, ScopeInterface::SCOPE_STORE, $store->getCode());
+        $pathInfo = sprintf('/%s/m/c/a', $store->getCode());
+        $this->assertEquals($pathInfo, $this->pathProcessor->process($request, $pathInfo));
+        $this->assertEquals('noroute', $request->getActionName());
+    }
+}