MAGETWO-72037: Bypass CSRF protection in CMS Block, Page and Email Template via XSS in Custom Variable

Author: svitja

app/code/Magento/Variable/Model/Variable.php

@@ -153,11 +153,11 @@ public function getVariablesOptionArray($withGroup = false)
         foreach ($collection->toOptionArray() as $variable) {
             $variables[] = [
                 'value' => '{{customVar code=' . $variable['value'] . '}}',
-                'label' => __('%1', $variable['label']),
+                'label' => __('%1', $this->_escaper->escapeHtml($variable['label'])),
             ];
         }
         if ($withGroup && $variables) {
-            $variables = [['label' => __('Custom Variables'), 'value' => $variables]];
+            $variables = ['label' => __('Custom Variables'), 'value' => $variables];
         }
         return $variables;
     }

app/code/Magento/Variable/Test/Unit/Model/VariableTest.php

@@ -9,19 +9,34 @@
 
 class VariableTest extends \PHPUnit\Framework\TestCase
 {
-    /** @var  \Magento\Variable\Model\Variable */
+    /**
+     * @var  \Magento\Variable\Model\Variable
+     */
     private $model;
 
-    /** @var  \PHPUnit_Framework_MockObject_MockObject */
+    /**
+     * @var  \PHPUnit_Framework_MockObject_MockObject
+     */
     private $escaperMock;
 
-    /** @var  \PHPUnit_Framework_MockObject_MockObject */
+    /**
+     * @var  \PHPUnit_Framework_MockObject_MockObject
+     */
     private $resourceMock;
 
-    /** @var  \Magento\Framework\Phrase */
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject
+     */
+    private $resourceCollection;
+
+    /**
+     * @var  \Magento\Framework\Phrase
+     */
     private $validationFailedPhrase;
 
-    /** @var  \Magento\Framework\TestFramework\Unit\Helper\ObjectManager */
+    /**
+     * @var  \Magento\Framework\TestFramework\Unit\Helper\ObjectManager
+     */
     private $objectManager;
 
     protected function setUp()
@@ -33,11 +48,17 @@ protected function setUp()
         $this->resourceMock = $this->getMockBuilder(\Magento\Variable\Model\ResourceModel\Variable::class)
             ->disableOriginalConstructor()
             ->getMock();
+        $this->resourceCollection = $this->getMockBuilder(
+            \Magento\Variable\Model\ResourceModel\Variable\Collection::class
+        )
+            ->disableOriginalConstructor()
+            ->getMock();
         $this->model = $this->objectManager->getObject(
             \Magento\Variable\Model\Variable::class,
             [
                 'escaper' => $this->escaperMock,
-                'resource' => $this->resourceMock
+                'resource' => $this->resourceMock,
+                'resourceCollection' => $this->resourceCollection,
             ]
         );
         $this->validationFailedPhrase = __('Validation has failed.');
@@ -101,58 +122,44 @@ public function testValidate($variableArray, $objectId, $expectedResult)
     public function testGetVariablesOptionArrayNoGroup()
     {
         $origOptions = [
-            ['value' => 'VAL', 'label' => 'LBL']
+            ['value' => 'VAL', 'label' => 'LBL'],
         ];
 
         $transformedOptions = [
-            ['value' => '{{customVar code=VAL}}', 'label' => __('%1', 'LBL')]
+            ['value' => '{{customVar code=VAL}}', 'label' => __('%1', 'LBL')],
         ];
 
-        $collectionMock = $this->getMockBuilder(\Magento\Variable\Model\ResourceModel\Variable\Collection::class)
-            ->disableOriginalConstructor()
-            ->getMock();
-        $collectionMock->expects($this->any())
+        $this->resourceCollection->expects($this->any())
             ->method('toOptionArray')
             ->willReturn($origOptions);
-        $mockVariable = $this->getMockBuilder(\Magento\Variable\Model\Variable::class)
-            ->setMethods(['getCollection'])
-            ->setConstructorArgs($this->objectManager->getConstructArguments(\Magento\Variable\Model\Variable::class))
-            ->getMock();
-        $mockVariable->expects($this->any())
-            ->method('getCollection')
-            ->willReturn($collectionMock);
-        $this->assertEquals($transformedOptions, $mockVariable->getVariablesOptionArray());
+        $this->escaperMock->expects($this->once())
+            ->method('escapeHtml')
+            ->with($origOptions[0]['label'])
+            ->willReturn($origOptions[0]['label']);
+        $this->assertEquals($transformedOptions, $this->model->getVariablesOptionArray());
     }
 
     public function testGetVariablesOptionArrayWithGroup()
     {
         $origOptions = [
-            ['value' => 'VAL', 'label' => 'LBL']
+            ['value' => 'VAL', 'label' => 'LBL'],
         ];
 
         $transformedOptions = [
-            [
-                'label' => __('Custom Variables'),
-                'value' => [
-                    ['value' => '{{customVar code=VAL}}', 'label' => __('%1', 'LBL')]
-                ]
-            ]
+            'label' => __('Custom Variables'),
+            'value' => [
+                ['value' => '{{customVar code=VAL}}', 'label' => __('%1', 'LBL')],
+            ],
         ];
 
-        $collectionMock = $this->getMockBuilder(\Magento\Variable\Model\ResourceModel\Variable\Collection::class)
-            ->disableOriginalConstructor()
-            ->getMock();
-        $collectionMock->expects($this->any())
+        $this->resourceCollection->expects($this->any())
             ->method('toOptionArray')
             ->willReturn($origOptions);
-        $mockVariable = $this->getMockBuilder(\Magento\Variable\Model\Variable::class)
-            ->setMethods(['getCollection'])
-            ->setConstructorArgs($this->objectManager->getConstructArguments(\Magento\Variable\Model\Variable::class))
-            ->getMock();
-        $mockVariable->expects($this->any())
-            ->method('getCollection')
-            ->willReturn($collectionMock);
-        $this->assertEquals($transformedOptions, $mockVariable->getVariablesOptionArray(true));
+        $this->escaperMock->expects($this->atLeastOnce())
+            ->method('escapeHtml')
+            ->with($origOptions[0]['label'])
+            ->willReturn($origOptions[0]['label']);
+        $this->assertEquals($transformedOptions, $this->model->getVariablesOptionArray(true));
     }
 
     public function validateDataProvider()
@@ -163,15 +170,15 @@ public function validateDataProvider()
         return [
             'Empty Variable' => [[], null, true],
             'IDs match' => [$variable, 'matching_id', true],
-            'IDs do not match' => [$variable, 'non_matching_id', __('Variable Code must be unique.')]
+            'IDs do not match' => [$variable, 'non_matching_id', __('Variable Code must be unique.')],
         ];
     }
 
     public function validateMissingInfoDataProvider()
     {
         return [
             'Missing code' => ['', 'some-name'],
-            'Missing name' => ['some-code', '']
+            'Missing name' => ['some-code', ''],
         ];
     }
 }

dev/tests/integration/testsuite/Magento/Variable/Model/VariableTest.php

@@ -77,4 +77,20 @@ public function testCollection()
         $collection->addValuesToResult();
         $this->assertContains('variable_value', (string)$collection->getSelect());
     }
+
+    /**
+     * Test to verify that returned by getVariablesOptionArray()
+     * custom variable label is HTML escaped.
+     */
+    public function testGetVariablesOptionArrayWithHtmlLabel()
+    {
+        $expectedLabel = '<b>HTML Name value</b>';
+        $data = [
+            'code' => 'html_name',
+            'name' => '<b>HTML Name value</b>'
+        ];
+        $this->_model->setData($data)->save();
+        $actualLabel = current(current($this->_model->getVariablesOptionArray())['label']->getArguments());
+        $this->assertEquals($expectedLabel, $actualLabel);
+    }
 }