MAGETWO-81503: XSS in Sales

svitja · svitja · commit ce50daeaca06 · 2018-03-07T14:40:58.000+02:00
diff --git a/app/code/Magento/Backend/Block/Widget/Grid/Column/Filter/Date.php b/app/code/Magento/Backend/Block/Widget/Grid/Column/Filter/Date.php
@@ -127,7 +127,7 @@ public function getHtml()
 
     /**
      * @param string|null $index
-     * @return string
+     * @return array|string|int|float|null
      */
     public function getEscapedValue($index = null)
     {
@@ -138,6 +138,11 @@ public function getEscapedValue($index = null)
                 $this->_localeDate->getDateFormat(\IntlDateFormatter::SHORT)
             );
         }
+
+        if (is_string($value)) {
+            return $this->escapeHtml($value);
+        }
+
         return $value;
     }
 
diff --git a/app/code/Magento/Backend/Block/Widget/Grid/Column/Filter/Datetime.php b/app/code/Magento/Backend/Block/Widget/Grid/Column/Filter/Datetime.php
@@ -140,8 +140,8 @@ public function getHtml()
     /**
      * Return escaped value for calendar
      *
-     * @param string $index
-     * @return string
+     * @param string|null $index
+     * @return array|string|int|float|null
      */
     public function getEscapedValue($index = null)
     {
@@ -150,6 +150,11 @@ public function getEscapedValue($index = null)
             if ($value instanceof \DateTimeInterface) {
                 return $this->_localeDate->formatDateTime($value);
             }
+
+            if (is_string($value)) {
+                return $this->escapeHtml($value);
+            }
+
             return $value;
         }
 
diff --git a/app/code/Magento/Backend/Test/Unit/Block/Widget/Grid/Column/Filter/DateTest.php b/app/code/Magento/Backend/Test/Unit/Block/Widget/Grid/Column/Filter/DateTest.php
@@ -30,6 +30,12 @@ class DateTest extends \PHPUnit\Framework\TestCase
     /** @var \Magento\Framework\Stdlib\DateTime\TimezoneInterface|\PHPUnit_Framework_MockObject_MockObject */
     protected $localeDateMock;
 
+    /** @var \Magento\Framework\Escaper|\PHPUnit_Framework_MockObject_MockObject */
+    private $escaperMock;
+
+    /** @var \Magento\Backend\Block\Context|\PHPUnit_Framework_MockObject_MockObject */
+    private $contextMock;
+
     protected function setUp()
     {
         $this->mathRandomMock = $this->getMockBuilder(\Magento\Framework\Math\Random::class)
@@ -58,14 +64,26 @@ protected function setUp()
             ->setMethods([])
             ->getMock();
 
+        $this->escaperMock = $this->getMockBuilder(\Magento\Framework\Escaper::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->contextMock = $this->getMockBuilder(\Magento\Backend\Block\Context::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->contextMock->expects($this->once())->method('getEscaper')->willReturn($this->escaperMock);
+        $this->contextMock->expects($this->once())->method('getLocaleDate')->willReturn($this->localeDateMock);
+
         $objectManagerHelper = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
         $this->model = $objectManagerHelper->getObject(
             \Magento\Backend\Block\Widget\Grid\Column\Filter\Date::class,
             [
                 'mathRandom' => $this->mathRandomMock,
                 'localeResolver' => $this->localeResolverMock,
                 'dateTimeFormatter' => $this->dateTimeFormatterMock,
-                'localeDate' => $this->localeDateMock
+                'localeDate' => $this->localeDateMock,
+                'context' => $this->contextMock,
             ]
         );
         $this->model->setColumn($this->columnMock);
@@ -98,4 +116,16 @@ public function testGetHtmlSuccessfulTimestamp()
         $this->assertContains('id="' . $uniqueHash . '_from" value="' . $yesterday->getTimestamp(), $output);
         $this->assertContains('id="' . $uniqueHash . '_to" value="' . $tomorrow->getTimestamp(), $output);
     }
+
+    public function testGetEscapedValueEscapeString()
+    {
+        $value = "\"><img src=x onerror=alert(2) />";
+        $array = [
+            'orig_from' => $value,
+            'from' => $value,
+        ];
+        $this->model->setValue($array);
+        $this->escaperMock->expects($this->once())->method('escapeHtml')->with($value);
+        $this->model->getEscapedValue('from');
+    }
 }
diff --git a/app/code/Magento/Backend/Test/Unit/Block/Widget/Grid/Column/Filter/DatetimeTest.php b/app/code/Magento/Backend/Test/Unit/Block/Widget/Grid/Column/Filter/DatetimeTest.php
@@ -30,6 +30,12 @@ class DatetimeTest extends \PHPUnit\Framework\TestCase
     /** @var \Magento\Framework\Stdlib\DateTime\TimezoneInterface|\PHPUnit_Framework_MockObject_MockObject */
     protected $localeDateMock;
 
+    /** @var \Magento\Framework\Escaper|\PHPUnit_Framework_MockObject_MockObject */
+    private $escaperMock;
+
+    /** @var \Magento\Backend\Block\Context|\PHPUnit_Framework_MockObject_MockObject */
+    private $contextMock;
+
     protected function setUp()
     {
         $this->mathRandomMock = $this->getMockBuilder(\Magento\Framework\Math\Random::class)
@@ -50,22 +56,34 @@ protected function setUp()
 
         $this->columnMock = $this->getMockBuilder(\Magento\Backend\Block\Widget\Grid\Column::class)
             ->disableOriginalConstructor()
-            ->setMethods(['getTimezone', 'getHtmlId', 'getId'])
+            ->setMethods(['getTimezone', 'getHtmlId', 'getId', 'getFilterTime'])
             ->getMock();
 
         $this->localeDateMock = $this->getMockBuilder(\Magento\Framework\Stdlib\DateTime\TimezoneInterface::class)
             ->disableOriginalConstructor()
             ->setMethods([])
             ->getMock();
 
+        $this->escaperMock = $this->getMockBuilder(\Magento\Framework\Escaper::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->contextMock = $this->getMockBuilder(\Magento\Backend\Block\Context::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->contextMock->expects($this->once())->method('getEscaper')->willReturn($this->escaperMock);
+        $this->contextMock->expects($this->once())->method('getLocaleDate')->willReturn($this->localeDateMock);
+
         $objectManagerHelper = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
         $this->model = $objectManagerHelper->getObject(
             \Magento\Backend\Block\Widget\Grid\Column\Filter\Datetime::class,
             [
                 'mathRandom' => $this->mathRandomMock,
                 'localeResolver' => $this->localeResolverMock,
                 'dateTimeFormatter' => $this->dateTimeFormatterMock,
-                'localeDate' => $this->localeDateMock
+                'localeDate' => $this->localeDateMock,
+                'context' => $this->contextMock,
             ]
         );
         $this->model->setColumn($this->columnMock);
@@ -98,4 +116,17 @@ public function testGetHtmlSuccessfulTimestamp()
         $this->assertContains('id="' . $uniqueHash . '_from" value="' . $yesterday->getTimestamp(), $output);
         $this->assertContains('id="' . $uniqueHash . '_to" value="' . $tomorrow->getTimestamp(), $output);
     }
+
+    public function testGetEscapedValueEscapeString()
+    {
+        $value = "\"><img src=x onerror=alert(2) />";
+        $array = [
+            'orig_from' => $value,
+            'from' => $value,
+        ];
+        $this->model->setValue($array);
+        $this->escaperMock->expects($this->once())->method('escapeHtml')->with($value);
+        $this->columnMock->expects($this->once())->method('getFilterTime')->willReturn(true);
+        $this->model->getEscapedValue('from');
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -127,7 +127,7 @@ public function getHtml()`
`127`	`127`
`128`	`128`	`/**`
`129`	`129`	`* @param string\|null $index`
`130`		`- * @return string`
	`130`	`+ * @return array\|string\|int\|float\|null`
`131`	`131`	`*/`
`132`	`132`	`public function getEscapedValue($index = null)`
`133`	`133`	`{`
`@@ -138,6 +138,11 @@ public function getEscapedValue($index = null)`
`138`	`138`	`$this->_localeDate->getDateFormat(\IntlDateFormatter::SHORT)`
`139`	`139`	`);`
`140`	`140`	`}`
	`141`	`+`
	`142`	`+ if (is_string($value)) {`
	`143`	`+ return $this->escapeHtml($value);`
	`144`	`+ }`
	`145`	`+`
`141`	`146`	`return $value;`
`142`	`147`	`}`
`143`	`148`
Original file line number	Diff line number	Diff line change
`@@ -140,8 +140,8 @@ public function getHtml()`
`140`	`140`	`/**`
`141`	`141`	`* Return escaped value for calendar`
`142`	`142`	`*`
`143`		`- * @param string $index`
`144`		`- * @return string`
	`143`	`+ * @param string\|null $index`
	`144`	`+ * @return array\|string\|int\|float\|null`
`145`	`145`	`*/`
`146`	`146`	`public function getEscapedValue($index = null)`
`147`	`147`	`{`
`@@ -150,6 +150,11 @@ public function getEscapedValue($index = null)`
`150`	`150`	`if ($value instanceof \DateTimeInterface) {`
`151`	`151`	`return $this->_localeDate->formatDateTime($value);`
`152`	`152`	`}`
	`153`	`+`
	`154`	`+ if (is_string($value)) {`
	`155`	`+ return $this->escapeHtml($value);`
	`156`	`+ }`
	`157`	`+`
`153`	`158`	`return $value;`
`154`	`159`	`}`
`155`	`160`