Merge pull request #6852 from magento-tsg/MC-41013

[Condor] MC-41013: [Backport for 2.4.x] [PSIRT-16297] Widget update layout xml leads to RCE

Author: zakdma

app/etc/di.xml

@@ -698,6 +698,9 @@
                 <item name="0" xsi:type="string">Magento\Framework\Data\OptionSourceInterface</item>
                 <item name="1" xsi:type="string">Magento\Framework\View\Element\UiComponent\DataProvider\DataProviderInterface</item>
             </argument>
+            <argument name="deniedClassList" xsi:type="array">
+                <item name="0" xsi:type="string">Magento\Framework\Model\ResourceModel\AbstractResource</item>
+            </argument>
         </arguments>
     </type>
     <type name="Magento\Framework\Mview\View">

lib/internal/Magento/Framework/View/Element/UiComponent/Argument/Interpreter/ConfigurableObject.php

@@ -24,6 +24,11 @@ class ConfigurableObject implements InterpreterInterface
      */
     private $classWhitelist = [];
 
+    /**
+     * @var array
+     */
+    private $deniedClassList = [];
+
     /**
      * @var ObjectManagerInterface
      */
@@ -52,17 +57,20 @@ class ConfigurableObject implements InterpreterInterface
      * @param array $classWhitelist
      * @param ClassReader|null $classReader
      * @param ConfigInterface|null $objectManagerConfig
+     * @param array $deniedClassList
      */
     public function __construct(
         ObjectManagerInterface $objectManager,
         InterpreterInterface $argumentInterpreter,
         array $classWhitelist = [],
         ClassReader $classReader = null,
-        ConfigInterface $objectManagerConfig = null
+        ConfigInterface $objectManagerConfig = null,
+        array $deniedClassList = []
     ) {
         $this->objectManager = $objectManager;
         $this->argumentInterpreter = $argumentInterpreter;
         $this->classWhitelist = $classWhitelist;
+        $this->deniedClassList = $deniedClassList;
         $this->classReader = $classReader ?? $objectManager->get(ClassReader::class);
         $this->objectManagerConfig = $objectManagerConfig ?? $objectManager->get(ConfigInterface::class);
     }
@@ -72,6 +80,7 @@ public function __construct(
      */
     public function evaluate(array $data)
     {
+        $type = null;
         if (isset($data['value'])) {
             $className = $data['value'];
             $arguments = [];
@@ -104,6 +113,21 @@ public function evaluate(array $data)
             }
         }
 
+        if ($type === null) {
+            $type = $this->objectManagerConfig->getInstanceType(
+                $this->objectManagerConfig->getPreference($className)
+            );
+            $classParents = array_merge([$type], $this->getParents($type));
+        }
+
+        $deniedIntersection = array_intersect($classParents, $this->deniedClassList);
+
+        if (!empty($deniedIntersection)) {
+            throw new \InvalidArgumentException(
+                sprintf('Class argument is invalid: %s', $className)
+            );
+        }
+
         return $this->objectManager->create($className, $arguments);
     }
 
@@ -115,7 +139,7 @@ public function evaluate(array $data)
      */
     private function getParents(string $type)
     {
-        $classParents = $this->classReader->getParents($type);
+        $classParents = $this->classReader->getParents($type) ?? [];
         foreach ($classParents as $parent) {
             if (empty($parent)) {
                 continue;

lib/internal/Magento/Framework/View/Test/Unit/UiComponent/Argument/Interpreter/ConfigurableObjectTest.php

@@ -65,6 +65,10 @@ protected function setUp(): void
                 ],
                 'classReader' => $this->classReader,
                 'objectManagerConfig' => $this->objectManagerConfig,
+                'deniedClassList' => [
+                    \Foo\Bar\ClassC::class,
+                    \Foo\Bar\InterfaceC::class,
+                ],
             ]
         );
     }
@@ -268,6 +272,27 @@ public function invalidDataProvider()
                 \InvalidArgumentException::class,
                 'Class argument is invalid: MyFooClass'
             ],
+            [
+                [
+                    'argument' => [
+                        'class' => ['value' => 'MyFooClass'],
+                        'myarg' => ['value' => 'bar'],
+                    ],
+                ],
+                'MyFooClass',
+                [
+                    ['MyFooClass', ['Something', 'skipme']],
+                    ['Something', ['dontcare', 'SomethingElse']],
+                    ['SomethingElse', [\Foo\Bar\ClassC::class, 'unrelated']],
+                    ['skipme', []],
+                    ['dontcare', []],
+                    ['unrelated', [\Foo\Bar\InterfaceC::class]],
+                    [\Foo\Bar\ClassC::class, []],
+                    [\Foo\Bar\InterfaceC::class, []],
+                ],
+                \InvalidArgumentException::class,
+                'Class argument is invalid: MyFooClass',
+            ],
         ];
     }
 }