Merge branch 'AC-12755-2' into cia-2.4.8-beta2-develop-bugfix-01112025

pawan-adobe-security · pawan-adobe-security · commit dc763c48354e · 2025-01-10T23:38:31.000+05:30
diff --git a/app/code/Magento/Customer/Plugin/AsyncRequestCustomerGroupAuthorization.php b/app/code/Magento/Customer/Plugin/AsyncRequestCustomerGroupAuthorization.php
@@ -9,7 +9,6 @@
 namespace Magento\Customer\Plugin;
 
 use Magento\Customer\Api\Data\CustomerInterface;
-use Magento\Framework\App\ObjectManager;
 use Magento\Framework\AuthorizationInterface;
 use Magento\Framework\Exception\AuthorizationException;
 use Magento\AsynchronousOperations\Model\MassSchedule;
@@ -60,6 +59,11 @@ public function beforePublishMass(
         string       $groupId = null,
         string       $userId = null
     ) {
+        // only apply the plugin on account create.
+        if ($topic !== 'async.magento.customer.api.accountmanagementinterface.createaccount.post') {
+            return;
+        }
+
         foreach ($entitiesArray as $entityParams) {
             foreach ($entityParams as $entity) {
                 if ($entity instanceof CustomerInterface) {
diff --git a/app/code/Magento/Quote/etc/webapi.xml b/app/code/Magento/Quote/etc/webapi.xml
@@ -98,6 +98,9 @@
         <resources>
             <resource ref="self" />
         </resources>
+        <data>
+            <parameter name="customerId" force="true">%customer_id%</parameter>
+        </data>
     </route>
     <route url="/V1/guest-carts/:cartId/order" method="PUT">
         <service class="Magento\Quote\Api\GuestCartManagementInterface" method="placeOrder"/>
diff --git a/app/code/Magento/WebapiAsync/Controller/Rest/Asynchronous/InputParamsResolver.php b/app/code/Magento/WebapiAsync/Controller/Rest/Asynchronous/InputParamsResolver.php
@@ -8,10 +8,12 @@
 
 namespace Magento\WebapiAsync\Controller\Rest\Asynchronous;
 
+use Magento\Framework\Api\SimpleDataObjectConverter;
 use Magento\Framework\App\ObjectManager;
 use Magento\Framework\Exception\AuthorizationException;
 use Magento\Framework\Exception\InputException;
 use Magento\Framework\Exception\LocalizedException;
+use Magento\Framework\Reflection\MethodsMap;
 use Magento\Framework\Webapi\Exception;
 use Magento\Framework\Webapi\Rest\Request as RestRequest;
 use Magento\Framework\Webapi\ServiceInputProcessor;
@@ -24,6 +26,8 @@
 
 /**
  * This class is responsible for retrieving resolved input data
+ *
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
 class InputParamsResolver
 {
@@ -61,6 +65,11 @@ class InputParamsResolver
      */
     private $inputArraySizeLimitValue;
 
+    /**
+     * @var MethodsMap
+     */
+    private $methodsMap;
+
     /**
      * Initialize dependencies.
      *
@@ -72,6 +81,7 @@ class InputParamsResolver
      * @param WebapiInputParamsResolver $inputParamsResolver
      * @param bool $isBulk
      * @param InputArraySizeLimitValue|null $inputArraySizeLimitValue
+     * @param MethodsMap|null $methodsMap
      */
     public function __construct(
         RestRequest $request,
@@ -81,7 +91,8 @@ public function __construct(
         RequestValidator $requestValidator,
         WebapiInputParamsResolver $inputParamsResolver,
         bool $isBulk = false,
-        ?InputArraySizeLimitValue $inputArraySizeLimitValue = null
+        ?InputArraySizeLimitValue $inputArraySizeLimitValue = null,
+        ?MethodsMap $methodsMap = null
     ) {
         $this->request = $request;
         $this->paramsOverrider = $paramsOverrider;
@@ -92,6 +103,8 @@ public function __construct(
         $this->isBulk = $isBulk;
         $this->inputArraySizeLimitValue = $inputArraySizeLimitValue ?? ObjectManager::getInstance()
                 ->get(InputArraySizeLimitValue::class);
+        $this->methodsMap = $methodsMap ?? ObjectManager::getInstance()
+            ->get(MethodsMap::class);
     }
 
     /**
@@ -119,7 +132,13 @@ public function resolve()
         $routeServiceMethod = $route->getServiceMethod();
         $this->inputArraySizeLimitValue->set($route->getInputArraySizeLimit());
 
+        $this->validateParameters($routeServiceClass, $routeServiceMethod, array_keys($route->getParameters()));
+
         foreach ($inputData as $key => $singleEntityParams) {
+            if (!is_array($singleEntityParams)) {
+                continue;
+            }
+
             $webapiResolvedParams[$key] = $this->resolveBulkItemParams(
                 $singleEntityParams,
                 $routeServiceClass,
@@ -143,11 +162,22 @@ public function getInputData()
         $inputData = $this->request->getRequestData();
 
         $httpMethod = $this->request->getHttpMethod();
-        if ($httpMethod == RestRequest::HTTP_METHOD_DELETE) {
+        if ($httpMethod === RestRequest::HTTP_METHOD_DELETE) {
             $requestBodyParams = $this->request->getBodyParams();
             $inputData = array_merge($requestBodyParams, $inputData);
         }
-        return $inputData;
+
+        return array_map(function ($singleEntityParams) {
+            if (is_array($singleEntityParams)) {
+                $singleEntityParams = $this->filterInputData($singleEntityParams);
+                $singleEntityParams = $this->paramsOverrider->override(
+                    $singleEntityParams,
+                    $this->getRoute()->getParameters()
+                );
+            }
+
+            return $singleEntityParams;
+        }, $inputData);
     }
 
     /**
@@ -180,4 +210,64 @@ private function resolveBulkItemParams(array $inputData, string $serviceClass, s
     {
         return $this->serviceInputProcessor->process($serviceClass, $serviceMethod, $inputData);
     }
+
+    /**
+     * Validates InputData
+     *
+     * @param array $inputData
+     * @return array
+     */
+    private function filterInputData(array $inputData): array
+    {
+        $result = [];
+
+        $data = array_filter($inputData, function ($k) use (&$result) {
+            $key = is_string($k) ? strtolower(str_replace('_', "", $k)) : $k;
+            return !isset($result[$key]) && ($result[$key] = true);
+        }, ARRAY_FILTER_USE_KEY);
+
+        return array_map(function ($value) {
+            return is_array($value) ? $this->filterInputData($value) : $value;
+        }, $data);
+    }
+
+    /**
+     * Validate that parameters are really used in the current request.
+     *
+     * @param string $serviceClassName
+     * @param string $serviceMethodName
+     * @param array $paramOverriders
+     */
+    private function validateParameters(
+        string $serviceClassName,
+        string $serviceMethodName,
+        array $paramOverriders
+    ): void {
+        $methodParams = $this->methodsMap->getMethodParams($serviceClassName, $serviceMethodName);
+        foreach ($paramOverriders as $key => $param) {
+            $arrayKeys = explode('.', $param ?? '');
+            $value = array_shift($arrayKeys);
+
+            foreach ($methodParams as $serviceMethodParam) {
+                $serviceMethodParamName = $serviceMethodParam[MethodsMap::METHOD_META_NAME];
+                $serviceMethodType = $serviceMethodParam[MethodsMap::METHOD_META_TYPE];
+
+                $camelCaseValue = SimpleDataObjectConverter::snakeCaseToCamelCase($value);
+                if ($serviceMethodParamName === $value || $serviceMethodParamName === $camelCaseValue) {
+                    if (count($arrayKeys) > 0) {
+                        $camelCaseKey = SimpleDataObjectConverter::snakeCaseToCamelCase('set_' . $arrayKeys[0]);
+                        $this->validateParameters($serviceMethodType, $camelCaseKey, [implode('.', $arrayKeys)]);
+                    }
+                    unset($paramOverriders[$key]);
+                    break;
+                }
+            }
+        }
+
+        if (!empty($paramOverriders)) {
+             $message = 'The current request does not expect the next parameters: '
+                 . implode(', ', $paramOverriders);
+             throw new \UnexpectedValueException(__($message)->__toString());
+        }
+    }
 }
diff --git a/dev/tests/api-functional/testsuite/Magento/Quote/Api/GuestCartManagementTest.php b/dev/tests/api-functional/testsuite/Magento/Quote/Api/GuestCartManagementTest.php
@@ -354,7 +354,7 @@ public function testPlaceOrder()
     public function testAssignCustomerByGuestUser()
     {
         $this->expectException(\Exception::class);
-        $this->expectExceptionMessage('You don\'t have the correct permissions to assign the customer to the cart.');
+        $this->expectExceptionMessage('Enter and try again.');
 
         /** @var $quote \Magento\Quote\Model\Quote */
         $quote = $this->objectManager->create(\Magento\Quote\Model\Quote::class)->load('test01', 'reserved_order_id');

Original file line number	Diff line number	Diff line change
`@@ -354,7 +354,7 @@ public function testPlaceOrder()`
`354`	`354`	`public function testAssignCustomerByGuestUser()`
`355`	`355`	`{`
`356`	`356`	`$this->expectException(\Exception::class);`
`357`		`- $this->expectExceptionMessage('You don\'t have the correct permissions to assign the customer to the cart.');`
	`357`	`+ $this->expectExceptionMessage('Enter and try again.');`
`358`	`358`
`359`	`359`	`/** @var $quote \Magento\Quote\Model\Quote */`
`360`	`360`	`$quote = $this->objectManager->create(\Magento\Quote\Model\Quote::class)->load('test01', 'reserved_order_id');`