Merge pull request #5203 from magento-borg/borg-2.4.0

[CIA] Bug fixes

Author: nathanjosiah

app/code/Magento/Braintree/Test/Mftf/ActionGroup/AdminDeleteRoleActionGroup.xml

@@ -10,18 +10,32 @@
         xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/actionGroupSchema.xsd">
     <actionGroup name="AdminDeleteRoleActionGroup">
         <annotations>
-            <description>Deletes a User Role that contains the text 'Role'. PLEASE NOTE: The Action Group values are Hardcoded.</description>
+            <description>Deletes a User Role.</description>
         </annotations>
         <arguments>
             <argument name="role" defaultValue=""/>
         </arguments>
 
-        <click stepKey="clickOnRole" selector="{{AdminDeleteRoleSection.theRole}}"/>
+        <click stepKey="clickResetFilterButtonBefore" selector="{{AdminRoleGridSection.resetButton}}"/>
+        <waitForPageLoad stepKey="waitForRolesGridFilterResetBefore" time="10"/>
+        <fillField stepKey="TypeRoleFilter" selector="{{AdminRoleGridSection.roleNameFilterTextField}}" userInput="{{role.name}}"/>
+        <waitForElementVisible stepKey="waitForFilterSearchButtonBefore" selector="{{AdminRoleGridSection.searchButton}}" time="10"/>
+        <click stepKey="clickFilterSearchButton" selector="{{AdminRoleGridSection.searchButton}}"/>
+        <waitForPageLoad stepKey="waitForUserRoleFilter" time="10"/>
+        <waitForElementVisible stepKey="waitForRoleInRoleGrid" selector="{{AdminDeleteRoleSection.role(role.name)}}" time="10"/>
+        <click stepKey="clickOnRole" selector="{{AdminDeleteRoleSection.role(role.name)}}"/>
+        <waitForPageLoad stepKey="waitForRolePageToLoad" time="10"/>
         <fillField stepKey="TypeCurrentPassword" selector="{{AdminDeleteRoleSection.current_pass}}" userInput="{{_ENV.MAGENTO_ADMIN_PASSWORD}}"/>
+        <waitForElementVisible stepKey="waitForDeleteRoleButton" selector="{{AdminDeleteRoleSection.delete}}" time="10"/>
         <click stepKey="clickToDeleteRole" selector="{{AdminDeleteRoleSection.delete}}"/>
-        <waitForAjaxLoad stepKey="waitForDeleteConfirmationPopup" time="5"/>
+        <waitForPageLoad stepKey="waitForDeleteConfirmationPopup" time="5"/>
+        <waitForElementVisible stepKey="waitForConfirmButton" selector="{{AdminDeleteRoleSection.confirm}}" time="10"/>
         <click stepKey="clickToConfirm" selector="{{AdminDeleteRoleSection.confirm}}"/>
         <waitForPageLoad stepKey="waitForPageLoad" time="10"/>
         <see stepKey="seeSuccessMessage" userInput="You deleted the role."/>
+        <waitForPageLoad stepKey="waitForRolesGridLoad" />
+        <waitForElementVisible stepKey="waitForResetFilterButtonAfter" selector="{{AdminRoleGridSection.resetButton}}" time="10"/>
+        <click stepKey="clickResetFilterButtonAfter" selector="{{AdminRoleGridSection.resetButton}}"/>
+        <waitForPageLoad stepKey="waitForRolesGridFilterResetAfter" time="10"/>
     </actionGroup>
 </actionGroups>

app/code/Magento/CardinalCommerce/Model/JwtManagement.php

@@ -8,6 +8,7 @@
 namespace Magento\CardinalCommerce\Model;
 
 use Magento\Framework\Serialize\Serializer\Json;
+use Magento\Framework\Encryption\Helper\Security;
 
 /**
  * JSON Web Token management.
@@ -62,7 +63,8 @@ public function decode(string $jwt, string $key): array
         $payload = $this->json->unserialize($payloadJson);
 
         $signature = $this->urlSafeB64Decode($signatureB64);
-        if ($signature !== $this->sign($headB64 . '.' . $payloadB64, $key, $header['alg'])) {
+
+        if (!Security::compareStrings($signature, $this->sign($headB64 . '.' . $payloadB64, $key, $header['alg']))) {
             throw new \InvalidArgumentException('JWT signature verification failed');
         }
 

app/code/Magento/Catalog/Block/Product/ListProduct.php

@@ -346,17 +346,16 @@ public function getIdentities()
 
         $category = $this->getLayer()->getCurrentCategory();
         if ($category) {
-            $identities[] = Product::CACHE_PRODUCT_CATEGORY_TAG . '_' . $category->getId();
+            $identities[] = [Product::CACHE_PRODUCT_CATEGORY_TAG . '_' . $category->getId()];
         }
 
         //Check if category page shows only static block (No products)
-        if ($category->getData('display_mode') == Category::DM_PAGE) {
-            return $identities;
-        }
-
-        foreach ($this->_getProductCollection() as $item) {
-            $identities = array_merge($identities, $item->getIdentities());
+        if ($category->getData('display_mode') != Category::DM_PAGE) {
+            foreach ($this->_getProductCollection() as $item) {
+                $identities[] = $item->getIdentities();
+            }
         }
+        $identities = array_merge(...$identities);
 
         return $identities;
     }
@@ -369,7 +368,7 @@ public function getIdentities()
      */
     public function getAddToCartPostParams(Product $product)
     {
-        $url = $this->getAddToCartUrl($product);
+        $url = $this->getAddToCartUrl($product, ['_escape' => false]);
         return [
             'action' => $url,
             'data' => [

app/code/Magento/Catalog/Test/Unit/Block/Product/ListProductTest.php

@@ -217,7 +217,7 @@ public function testGetAddToCartPostParams()
             ->will($this->returnValue(true));
         $this->cartHelperMock->expects($this->any())
             ->method('getAddUrl')
-            ->with($this->equalTo($this->productMock), $this->equalTo([]))
+            ->with($this->equalTo($this->productMock), $this->equalTo(['_escape' => false]))
             ->will($this->returnValue($url));
         $this->productMock->expects($this->once())
             ->method('getEntityId')

app/code/Magento/Cms/Model/Template/Filter.php

@@ -5,8 +5,6 @@
  */
 namespace Magento\Cms\Model\Template;
 
-use Magento\Framework\Exception\LocalizedException;
-
 /**
  * Cms Template Filter Model
  */
@@ -41,8 +39,8 @@ public function mediaDirective($construction)
     {
         // phpcs:ignore Magento2.Functions.DiscouragedFunction
         $params = $this->getParameters(html_entity_decode($construction[2], ENT_QUOTES));
-        if (preg_match('/\.\.(\\\|\/)/', $params['url'])) {
-            throw new \InvalidArgumentException('Image path must be absolute');
+        if (preg_match('/(^.*:\/\/.*|\.\.\/.*)/', $params['url'])) {
+            throw new \InvalidArgumentException('Image path must be absolute and not include URLs');
         }
 
         return $this->_storeManager->getStore()->getBaseMediaDir() . '/' . $params['url'];

app/code/Magento/Cms/Test/Unit/Model/Template/FilterTest.php

@@ -105,4 +105,24 @@ public function testMediaDirectiveRelativePath()
             ->willReturn($baseMediaDir);
         $this->filter->mediaDirective($construction);
     }
+
+    /**
+     * Test using media directive with a URL path including schema.
+     *
+     * @covers \Magento\Cms\Model\Template\Filter::mediaDirective
+     * @expectedException \InvalidArgumentException
+     */
+    public function testMediaDirectiveURL()
+    {
+        $baseMediaDir = 'pub/media';
+        $construction = [
+            '{{media url="http://wysiwyg/images/image.jpg"}}',
+            'media',
+            ' url="http://wysiwyg/images/../image.jpg"'
+        ];
+        $this->storeMock->expects($this->any())
+            ->method('getBaseMediaDir')
+            ->willReturn($baseMediaDir);
+        $this->filter->mediaDirective($construction);
+    }
 }

app/code/Magento/Customer/view/frontend/templates/js/customer-data.phtml

@@ -5,16 +5,21 @@
  */
 
 /** @var \Magento\Customer\Block\CustomerData $block */
+
+// phpcs:disable Magento2.Templates.ThisInTemplate.FoundHelper
 ?>
 <script type="text/x-magento-init">
     {
         "*": {
             "Magento_Customer/js/customer-data": {
-                "sectionLoadUrl": "<?= $block->escapeJs($block->escapeUrl($block->getCustomerDataUrl('customer/section/load'))) ?>",
+                "sectionLoadUrl": "<?= $block->escapeJs($block->getCustomerDataUrl('customer/section/load')) ?>",
                 "expirableSectionLifetime": <?= (int)$block->getExpirableSectionLifetime() ?>,
-                "expirableSectionNames": <?= /* @noEscape */ $this->helper(\Magento\Framework\Json\Helper\Data::class)->jsonEncode($block->getExpirableSectionNames()) ?>,
+                "expirableSectionNames": <?= /* @noEscape */ $this->helper(\Magento\Framework\Json\Helper\Data::class)
+                    ->jsonEncode($block->getExpirableSectionNames()) ?>,
                 "cookieLifeTime": "<?= $block->escapeJs($block->getCookieLifeTime()) ?>",
-                "updateSessionUrl": "<?= $block->escapeJs($block->escapeUrl($block->getCustomerDataUrl('customer/account/updateSession'))) ?>"
+                "updateSessionUrl": "<?= $block->escapeJs(
+                    $block->getCustomerDataUrl('customer/account/updateSession')
+                ) ?>"
             }
         }
     }

app/code/Magento/Directory/Block/Data.php

@@ -142,7 +142,7 @@ public function getCountryHtmlSelect($defValue = null, $name = 'country_id', $id
         )->setId(
             $id
         )->setTitle(
-            __($title)
+            $this->escapeHtmlAttr(__($title))
         )->setValue(
             $defValue
         )->setOptions(

app/code/Magento/Directory/Test/Unit/Block/DataTest.php

@@ -17,6 +17,7 @@
 use Magento\Store\Model\ScopeInterface;
 use Magento\Store\Model\Store;
 use Magento\Store\Model\StoreManagerInterface;
+use Magento\Framework\Escaper;
 
 /**
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
@@ -56,9 +57,16 @@ class DataTest extends \PHPUnit\Framework\TestCase
     /** @var SerializerInterface|\PHPUnit_Framework_MockObject_MockObject */
     private $serializerMock;
 
+    /** @var \Magento\Framework\Escaper */
+    private $escaper;
+
     protected function setUp()
     {
         $objectManagerHelper = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
+        $this->escaper = $this->getMockBuilder(Escaper::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['escapeHtmlAttr'])
+            ->getMock();
         $this->prepareContext();
 
         $this->helperDataMock = $this->getMockBuilder(\Magento\Directory\Helper\Data::class)
@@ -123,6 +131,10 @@ protected function prepareContext()
         $this->contextMock->expects($this->any())
             ->method('getLayout')
             ->willReturn($this->layoutMock);
+
+        $this->contextMock->expects($this->once())
+            ->method('getEscaper')
+            ->willReturn($this->escaper);
     }
 
     protected function prepareCountryCollection()
@@ -135,9 +147,11 @@ protected function prepareCountryCollection()
             \Magento\Directory\Model\ResourceModel\Country\CollectionFactory::class
         )
             ->disableOriginalConstructor()
-            ->setMethods([
-                'create'
-            ])
+            ->setMethods(
+                [
+                    'create'
+                ]
+            )
             ->getMock();
 
         $this->countryCollectionFactoryMock->expects($this->any())
@@ -285,15 +299,17 @@ protected function mockElementHtmlSelect($defaultCountry, $options, $resultHtml)
 
         $elementHtmlSelect = $this->getMockBuilder(\Magento\Framework\View\Element\Html\Select::class)
             ->disableOriginalConstructor()
-            ->setMethods([
-                'setName',
-                'setId',
-                'setTitle',
-                'setValue',
-                'setOptions',
-                'setExtraParams',
-                'getHtml',
-            ])
+            ->setMethods(
+                [
+                    'setName',
+                    'setId',
+                    'setTitle',
+                    'setValue',
+                    'setOptions',
+                    'setExtraParams',
+                    'getHtml',
+                ]
+            )
             ->getMock();
 
         $elementHtmlSelect->expects($this->once())
@@ -323,6 +339,10 @@ protected function mockElementHtmlSelect($defaultCountry, $options, $resultHtml)
         $elementHtmlSelect->expects($this->once())
             ->method('getHtml')
             ->willReturn($resultHtml);
+        $this->escaper->expects($this->once())
+            ->method('escapeHtmlAttr')
+            ->with(__($title))
+            ->willReturn(__($title));
 
         return $elementHtmlSelect;
     }

app/code/Magento/Email/Model/Template/Filter.php

@@ -6,8 +6,9 @@
 namespace Magento\Email\Model\Template;
 
 use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Exception\MailException;
+use Magento\Framework\Exception\NoSuchEntityException;
 use Magento\Framework\Filesystem;
-use Magento\Framework\Filesystem\Directory\ReadInterface;
 use Magento\Framework\Filter\VariableResolverInterface;
 use Magento\Framework\View\Asset\ContentProcessorException;
 use Magento\Framework\View\Asset\ContentProcessorInterface;
@@ -734,27 +735,32 @@ public function modifierEscape($value, $type = 'html')
      *     {{protocol store="1"}} - Optional parameter which gets protocol from provide store based on store ID or code
      *
      * @param string[] $construction
-     * @throws \Magento\Framework\Exception\MailException
      * @return string
+     * @throws MailException
+     * @throws NoSuchEntityException
      */
     public function protocolDirective($construction)
     {
         $params = $this->getParameters($construction[2]);
+
         $store = null;
         if (isset($params['store'])) {
             try {
                 $store = $this->_storeManager->getStore($params['store']);
             } catch (\Exception $e) {
-                throw new \Magento\Framework\Exception\MailException(
+                throw new MailException(
                     __('Requested invalid store "%1"', $params['store'])
                 );
             }
         }
+
         $isSecure = $this->_storeManager->getStore($store)->isCurrentlySecure();
         $protocol = $isSecure ? 'https' : 'http';
         if (isset($params['url'])) {
             return $protocol . '://' . $params['url'];
         } elseif (isset($params['http']) && isset($params['https'])) {
+            $this->validateProtocolDirectiveHttpScheme($params);
+
             if ($isSecure) {
                 return $params['https'];
             }
@@ -764,6 +770,37 @@ public function protocolDirective($construction)
         return $protocol;
     }
 
+    /**
+     * Validate protocol directive HTTP parameters.
+     *
+     * @param string[] $params
+     * @return void
+     * @throws MailException
+     */
+    private function validateProtocolDirectiveHttpScheme(array $params) : void
+    {
+        $parsed_http = parse_url($params['http']);
+        $parsed_https = parse_url($params['https']);
+
+        if (empty($parsed_http)) {
+            throw new MailException(
+                __('Contents of %1 could not be loaded or is empty', $params['http'])
+            );
+        } elseif (empty($parsed_https)) {
+            throw new MailException(
+                __('Contents of %1 could not be loaded or is empty', $params['https'])
+            );
+        } elseif ($parsed_http['scheme'] !== 'http') {
+            throw new MailException(
+                __('Contents of %1 could not be loaded or is empty', $params['http'])
+            );
+        } elseif ($parsed_https['scheme'] !== 'https') {
+            throw new MailException(
+                __('Contents of %1 could not be loaded or is empty', $params['https'])
+            );
+        }
+    }
+
     /**
      * Store config directive
      *