Merge branch '2.3-develop' of github.com:magento/magento2ce into MC-15824

Author: slopukhov

README.md

@@ -6,7 +6,7 @@
 Welcome to Magento 2 installation! We're glad you chose to install Magento 2, a cutting-edge, feature-rich eCommerce solution that gets results.
 
 ## Magento System Requirements
-[Magento System Requirements](https://devdocs.magento.com/guides/v2.3/install-gde/system-requirements2.html).
+[Magento System Requirements](https://devdocs.magento.com/guides/v2.3/install-gde/system-requirements.html).
 
 ## Install Magento
 

app/code/Magento/Backend/Controller/Adminhtml/Dashboard/ProductsViewed.php

@@ -6,12 +6,12 @@
  */
 namespace Magento\Backend\Controller\Adminhtml\Dashboard;
 
-use Magento\Framework\App\Action\HttpGetActionInterface;
+use Magento\Framework\App\Action\HttpPostActionInterface;
 
 /**
  * Get most viewed products controller.
  */
-class ProductsViewed extends AjaxBlock implements HttpGetActionInterface
+class ProductsViewed extends AjaxBlock implements HttpPostActionInterface
 {
     /**
      * Gets most viewed products list

app/code/Magento/ConfigurableProduct/Model/LinkManagement.php

@@ -1,6 +1,5 @@
 <?php
 /**
- *
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
@@ -11,6 +10,11 @@
 use Magento\Framework\Exception\NoSuchEntityException;
 use Magento\Framework\Exception\StateException;
 
+/**
+ * Configurable product link management.
+ *
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
+ */
 class LinkManagement implements \Magento\ConfigurableProduct\Api\LinkManagementInterface
 {
     /**
@@ -68,7 +72,7 @@ public function __construct(
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritdoc
      */
     public function getChildren($sku)
     {
@@ -107,11 +111,15 @@ public function getChildren($sku)
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritdoc
+     * @throws InputException
+     * @throws NoSuchEntityException
+     * @throws StateException
+     * @throws \Magento\Framework\Exception\CouldNotSaveException
      */
     public function addChild($sku, $childSku)
     {
-        $product = $this->productRepository->get($sku);
+        $product = $this->productRepository->get($sku, true);
         $child = $this->productRepository->get($childSku);
 
         $childrenIds = array_values($this->configurableType->getChildrenIds($product->getId())[0]);
@@ -150,7 +158,11 @@ public function addChild($sku, $childSku)
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritdoc
+     * @throws InputException
+     * @throws NoSuchEntityException
+     * @throws StateException
+     * @throws \Magento\Framework\Exception\CouldNotSaveException
      */
     public function removeChild($sku, $childSku)
     {

app/code/Magento/GraphQl/Controller/GraphQl.php

@@ -12,6 +12,7 @@
 use Magento\Framework\App\RequestInterface;
 use Magento\Framework\App\ResponseInterface;
 use Magento\Framework\GraphQl\Exception\ExceptionFormatter;
+use Magento\Framework\GraphQl\Exception\GraphQlInputException;
 use Magento\Framework\GraphQl\Query\QueryProcessor;
 use Magento\Framework\GraphQl\Query\Resolver\ContextInterface;
 use Magento\Framework\GraphQl\Schema\SchemaGeneratorInterface;
@@ -47,12 +48,12 @@ class GraphQl implements FrontControllerInterface
     private $queryProcessor;
 
     /**
-     * @var \Magento\Framework\GraphQl\Exception\ExceptionFormatter
+     * @var ExceptionFormatter
      */
     private $graphQlError;
 
     /**
-     * @var \Magento\Framework\GraphQl\Query\Resolver\ContextInterface
+     * @var ContextInterface
      */
     private $resolverContext;
 
@@ -71,8 +72,8 @@ class GraphQl implements FrontControllerInterface
      * @param SchemaGeneratorInterface $schemaGenerator
      * @param SerializerInterface $jsonSerializer
      * @param QueryProcessor $queryProcessor
-     * @param \Magento\Framework\GraphQl\Exception\ExceptionFormatter $graphQlError
-     * @param \Magento\Framework\GraphQl\Query\Resolver\ContextInterface $resolverContext
+     * @param ExceptionFormatter $graphQlError
+     * @param ContextInterface $resolverContext
      * @param HttpRequestProcessor $requestProcessor
      * @param QueryFields $queryFields
      */
@@ -107,12 +108,14 @@ public function dispatch(RequestInterface $request) : ResponseInterface
         $statusCode = 200;
         try {
             /** @var Http $request */
+            $this->requestProcessor->validateRequest($request);
             $this->requestProcessor->processHeaders($request);
-            $data = $this->jsonSerializer->unserialize($request->getContent());
 
-            $query = isset($data['query']) ? $data['query'] : '';
-            $variables = isset($data['variables']) ? $data['variables'] : null;
-            // We have to extract queried field names to avoid instantiation of non necessary fields in webonyx schema
+            $data = $this->getDataFromRequest($request);
+            $query = $data['query'] ?? '';
+            $variables = $data['variables'] ?? null;
+
+            // We must extract queried field names to avoid instantiation of unnecessary fields in webonyx schema
             // Temporal coupling is required for performance optimization
             $this->queryFields->setQuery($query, $variables);
             $schema = $this->schemaGenerator->generate();
@@ -121,7 +124,7 @@ public function dispatch(RequestInterface $request) : ResponseInterface
                 $schema,
                 $query,
                 $this->resolverContext,
-                isset($data['variables']) ? $data['variables'] : []
+                $data['variables'] ?? []
             );
         } catch (\Exception $error) {
             $result['errors'] = isset($result) && isset($result['errors']) ? $result['errors'] : [];
@@ -134,4 +137,26 @@ public function dispatch(RequestInterface $request) : ResponseInterface
         )->setHttpResponseCode($statusCode);
         return $this->response;
     }
+
+    /**
+     * Get data from request body or query string
+     *
+     * @param RequestInterface $request
+     * @return array
+     */
+    private function getDataFromRequest(RequestInterface $request) : array
+    {
+        /** @var Http $request */
+        if ($request->isPost()) {
+            $data = $this->jsonSerializer->unserialize($request->getContent());
+        } elseif ($request->isGet()) {
+            $data = $request->getParams();
+            $data['variables'] = isset($data['variables']) ?
+                $this->jsonSerializer->unserialize($data['variables']) : null;
+        } else {
+            return [];
+        }
+
+        return $data;
+    }
 }

app/code/Magento/GraphQl/Controller/HttpHeaderProcessor/ContentTypeProcessor.php

@@ -7,7 +7,7 @@
 
 namespace Magento\GraphQl\Controller\HttpHeaderProcessor;
 
-use Magento\Framework\Exception\NoSuchEntityException;
+use Magento\Framework\App\HttpRequestInterface;
 use Magento\Framework\GraphQl\Exception\GraphQlInputException;
 use Magento\GraphQl\Controller\HttpHeaderProcessorInterface;
 use Magento\Store\Model\StoreManagerInterface;
@@ -35,8 +35,9 @@ public function __construct(StoreManagerInterface $storeManager)
     /**
      * Handle the value of the store and set the scope
      *
-     * {@inheritDoc}
-     * @throws NoSuchEntityException
+     * @param string $headerValue
+     * @return void
+     * @throws GraphQlInputException
      */
     public function processHeaderValue(string $headerValue) : void
     {

app/code/Magento/GraphQl/Controller/HttpHeaderProcessor/StoreProcessor.php

@@ -19,12 +19,19 @@ class HttpRequestProcessor
      */
     private $headerProcessors = [];
 
+    /**
+     * @var HttpRequestValidatorInterface[] array
+     */
+    private $requestValidators = [];
+
     /**
      * @param HttpHeaderProcessorInterface[] $graphQlHeaders
+     * @param HttpRequestValidatorInterface[] $requestValidators
      */
-    public function __construct(array $graphQlHeaders = [])
+    public function __construct(array $graphQlHeaders = [], array $requestValidators = [])
     {
         $this->headerProcessors = $graphQlHeaders;
+        $this->requestValidators = $requestValidators;
     }
 
     /**
@@ -39,4 +46,17 @@ public function processHeaders(Http $request) : void
             $headerClass->processHeaderValue((string)$request->getHeader($headerName));
         }
     }
+
+    /**
+     * Validate HTTP request
+     *
+     * @param Http $request
+     * @return void
+     */
+    public function validateRequest(Http $request) : void
+    {
+        foreach ($this->requestValidators as $requestValidator) {
+            $requestValidator->validate($request);
+        }
+    }
 }

app/code/Magento/GraphQl/Controller/HttpRequestProcessor.php

@@ -0,0 +1,40 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\GraphQl\Controller\HttpRequestValidator;
+
+use Magento\Framework\App\HttpRequestInterface;
+use Magento\Framework\GraphQl\Exception\GraphQlInputException;
+use Magento\GraphQl\Controller\HttpRequestValidatorInterface;
+
+/**
+ * Processes the "Content-Type" header entry
+ */
+class ContentTypeValidator implements HttpRequestValidatorInterface
+{
+    /**
+     * Handle the mandatory application/json header
+     *
+     * @param HttpRequestInterface $request
+     * @return void
+     * @throws GraphQlInputException
+     */
+    public function validate(HttpRequestInterface $request) : void
+    {
+        $headerName = 'Content-Type';
+        $requiredHeaderValue = 'application/json';
+
+        $headerValue = (string)$request->getHeader($headerName);
+        if ($request->isPost()
+            && strpos($headerValue, $requiredHeaderValue) === false
+        ) {
+            throw new GraphQlInputException(
+                new \Magento\Framework\Phrase('Request content type must be application/json')
+            );
+        }
+    }
+}

app/code/Magento/GraphQl/Controller/HttpRequestValidator/ContentTypeValidator.php

@@ -0,0 +1,40 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\GraphQl\Controller\HttpRequestValidator;
+
+use Magento\Framework\App\HttpRequestInterface;
+use Magento\Framework\GraphQl\Exception\GraphQlInputException;
+use Magento\Framework\App\Request\Http;
+use Magento\GraphQl\Controller\HttpRequestValidatorInterface;
+
+/**
+ * Validator to check HTTP verb for Graphql requests
+ */
+class HttpVerbValidator implements HttpRequestValidatorInterface
+{
+    /**
+     * Check if request is using correct verb for query or mutation
+     *
+     * @param HttpRequestInterface $request
+     * @return void
+     * @throws GraphQlInputException
+     */
+    public function validate(HttpRequestInterface $request) : void
+    {
+        /** @var Http $request */
+        if (false === $request->isPost()) {
+            $query = $request->getParam('query', '');
+            // The easiest way to determine mutations without additional parsing
+            if (strpos(trim($query), 'mutation') === 0) {
+                throw new GraphQlInputException(
+                    new \Magento\Framework\Phrase('Mutation requests allowed only for POST requests')
+                );
+            }
+        }
+    }
+}

app/code/Magento/GraphQl/Controller/HttpRequestValidator/HttpVerbValidator.php

@@ -0,0 +1,24 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\GraphQl\Controller;
+
+use Magento\Framework\App\HttpRequestInterface;
+
+/**
+ * Use this interface to implement a validator for a Graphql HTTP requests
+ */
+interface HttpRequestValidatorInterface
+{
+    /**
+     * Perform validation of request
+     *
+     * @param HttpRequestInterface $request
+     * @return void
+     */
+    public function validate(HttpRequestInterface $request) : void;
+}