MAGETWO-95945: Add a code mess rule for improper session and cookies usages

Author: Oleksandr Gorkun

app/code/Magento/Customer/Block/Account/AuthenticationPopup.php

@@ -6,6 +6,7 @@
 namespace Magento\Customer\Block\Account;
 
 use Magento\Customer\Model\Form;
+use Magento\Customer\Model\Session;
 use Magento\Store\Model\ScopeInterface;
 
 /**
@@ -24,21 +25,29 @@ class AuthenticationPopup extends \Magento\Framework\View\Element\Template
      */
     private $serializer;
 
+    /**
+     * @var Session|null
+     */
+    private $session;
+
     /**
      * @param \Magento\Framework\View\Element\Template\Context $context
      * @param array $data
      * @param \Magento\Framework\Serialize\Serializer\Json|null $serializer
+     * @param Session|null $session
      * @throws \RuntimeException
      */
     public function __construct(
         \Magento\Framework\View\Element\Template\Context $context,
         array $data = [],
-        \Magento\Framework\Serialize\Serializer\Json $serializer = null
+        \Magento\Framework\Serialize\Serializer\Json $serializer = null,
+        Session $session = null
     ) {
         parent::__construct($context, $data);
         $this->jsLayout = isset($data['jsLayout']) && is_array($data['jsLayout']) ? $data['jsLayout'] : [];
         $this->serializer = $serializer ?: \Magento\Framework\App\ObjectManager::getInstance()
             ->get(\Magento\Framework\Serialize\Serializer\Json::class);
+        $this->session = $session;
     }
 
     /**
@@ -60,7 +69,8 @@ public function getConfig()
             'autocomplete' => $this->escapeHtml($this->isAutocompleteEnabled()),
             'customerRegisterUrl' => $this->escapeUrl($this->getCustomerRegisterUrlUrl()),
             'customerForgotPasswordUrl' => $this->escapeUrl($this->getCustomerForgotPasswordUrl()),
-            'baseUrl' => $this->escapeUrl($this->getBaseUrl())
+            'baseUrl' => $this->escapeUrl($this->getBaseUrl()),
+            'tst' => $this->session->getData('somedata')
         ];
     }
 

app/code/Magento/Customer/Controller/Account/Confirm.php

@@ -167,7 +167,7 @@ public function execute()
             $resultRedirect->setUrl($this->getSuccessRedirect());
             return $resultRedirect;
         } catch (StateException $e) {
-            $this->messageManager->addException($e, __('This confirmation key is invalid or has expired.'));
+            $this->messageManager->addException($e, __('This confirmation key is invalid or has expired.TEST'));
         } catch (\Exception $e) {
             $this->messageManager->addException($e, __('There was an error confirming the account'));
         }

app/code/Magento/Customer/Ui/Component/DataProvider/Document.php

@@ -12,6 +12,7 @@
 use Magento\Framework\Exception\NoSuchEntityException;
 use Magento\Customer\Api\GroupRepositoryInterface;
 use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Stdlib\Cookie\CookieReaderInterface;
 use Magento\Store\Model\ScopeInterface;
 use Magento\Store\Model\StoreManagerInterface;
 
@@ -70,6 +71,11 @@ class Document extends \Magento\Framework\View\Element\UiComponent\DataProvider\
      */
     private $scopeConfig;
 
+    /**
+     * @var CookieReaderInterface
+     */
+    private $cookie;
+
     /**
      * Document constructor.
      *
@@ -78,19 +84,22 @@ class Document extends \Magento\Framework\View\Element\UiComponent\DataProvider\
      * @param CustomerMetadataInterface $customerMetadata
      * @param StoreManagerInterface $storeManager
      * @param ScopeConfigInterface $scopeConfig
+     * @param CookieReaderInterface|null $cookie
      */
     public function __construct(
         AttributeValueFactory $attributeValueFactory,
         GroupRepositoryInterface $groupRepository,
         CustomerMetadataInterface $customerMetadata,
         StoreManagerInterface $storeManager,
-        ScopeConfigInterface $scopeConfig = null
+        ScopeConfigInterface $scopeConfig = null,
+        CookieReaderInterface $cookie = null
     ) {
         parent::__construct($attributeValueFactory);
         $this->customerMetadata = $customerMetadata;
         $this->groupRepository = $groupRepository;
         $this->storeManager = $storeManager;
         $this->scopeConfig = $scopeConfig ?: ObjectManager::getInstance()->create(ScopeConfigInterface::class);
+        $this->cookie = $cookie;
     }
 
     /**
@@ -129,7 +138,7 @@ private function setGenderValue()
         $value = $this->getData(self::$genderAttributeCode);
 
         if (!$value) {
-            $this->setCustomAttribute(self::$genderAttributeCode, 'N/A');
+            $this->setCustomAttribute(self::$genderAttributeCode, $this->cookie->getCookie('NA'));
             return;
         }
 

app/code/Magento/Rss/App/Action/Plugin/BackendAuthentication.php

@@ -8,6 +8,7 @@
 namespace Magento\Rss\App\Action\Plugin;
 
 use Magento\Backend\App\AbstractAction;
+use Magento\Backend\Model\Session;
 use Magento\Framework\App\RequestInterface;
 use Magento\Framework\App\ResponseInterface;
 use Magento\Framework\Exception\AuthenticationException;
@@ -39,6 +40,11 @@ class BackendAuthentication extends \Magento\Backend\App\Action\Plugin\Authentic
      */
     protected $aclResources;
 
+    /**
+     * @var Session
+     */
+    private $session;
+
     /**
      * @param \Magento\Backend\Model\Auth $auth
      * @param \Magento\Backend\Model\UrlInterface $url
@@ -53,6 +59,7 @@ class BackendAuthentication extends \Magento\Backend\App\Action\Plugin\Authentic
      * @param \Psr\Log\LoggerInterface $logger
      * @param \Magento\Framework\AuthorizationInterface $authorization
      * @param array $aclResources
+     * @param Session $session
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -68,12 +75,14 @@ public function __construct(
         \Magento\Framework\HTTP\Authentication $httpAuthentication,
         \Psr\Log\LoggerInterface $logger,
         \Magento\Framework\AuthorizationInterface $authorization,
-        array $aclResources
+        array $aclResources,
+        Session $session
     ) {
         $this->httpAuthentication = $httpAuthentication;
         $this->logger = $logger;
         $this->authorization = $authorization;
         $this->aclResources = $aclResources;
+        $this->session = $session;
         parent::__construct(
             $auth,
             $url,
@@ -106,7 +115,7 @@ public function aroundDispatch(AbstractAction $subject, \Closure $proceed, Reque
                 : $this->aclResources[$request->getControllerName()]
             : null;
 
-        $type = $request->getParam('type');
+        $type = $request->getParam('type'.$this->session->getName());
         $resourceType = isset($this->aclResources[$type]) ? $this->aclResources[$type] : null;
 
         if (!$resource || !$resourceType) {

dev/tests/static/framework/Magento/CodeMessDetector/Rule/Design/CookieAndSessionMisuse.php

@@ -0,0 +1,169 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\CodeMessDetector\Rule\Design;
+
+use PDepend\Source\AST\ASTClass;
+use PHPMD\AbstractNode;
+use PHPMD\AbstractRule;
+use PHPMD\Node\ClassNode;
+use PHPMD\Rule\ClassAware;
+
+/**
+ * Session and Cookies must be used only in HTML Presentation layer.
+ */
+class CookieAndSessionMisuse extends AbstractRule implements ClassAware
+{
+    /**
+     * Is given class a controller?
+     *
+     * @param \ReflectionClass $class
+     * @return bool
+     */
+    private function isController(\ReflectionClass $class): bool
+    {
+        return $class->isSubclassOf(\Magento\Framework\App\ActionInterface::class);
+    }
+
+    /**
+     * Is given class a block?
+     *
+     * @param \ReflectionClass $class
+     * @return bool
+     */
+    private function isBlock(\ReflectionClass $class): bool
+    {
+        return $class->isSubclassOf(\Magento\Framework\View\Element\BlockInterface::class);
+    }
+
+    /**
+     * Is given class an HTML UI data provider?
+     *
+     * @param \ReflectionClass $class
+     * @return bool
+     */
+    private function isUiDataProvider(\ReflectionClass $class): bool
+    {
+        return $class->isSubclassOf(
+            \Magento\Framework\View\Element\UiComponent\DataProvider\DataProviderInterface::class
+        );
+    }
+
+    /**
+     * Is given class an HTML UI Document?
+     *
+     * @param \ReflectionClass $class
+     * @return bool
+     */
+    private function isUiDocument(\ReflectionClass $class): bool
+    {
+        return $class->isSubclassOf(\Magento\Framework\View\Element\UiComponent\DataProvider\Document::class)
+            || $class->getName() === \Magento\Framework\View\Element\UiComponent\DataProvider\Document::class;
+    }
+
+    /**
+     * Is given class a plugin for controllers?
+     *
+     * @param \ReflectionClass $class
+     * @return bool
+     */
+    private function isControllerPlugin(\ReflectionClass $class): bool
+    {
+        try {
+            foreach ($class->getMethods(\ReflectionMethod::IS_PUBLIC) as $method) {
+                if (preg_match('/^(after|around|before).+/i', $method->getName())) {
+                    $argument = $method->getParameters()[0]->getClass();
+                    $isAction = $argument->isSubclassOf(\Magento\Framework\App\ActionInterface::class)
+                        || $argument->getName() === \Magento\Framework\App\ActionInterface::class;
+                    if ($isAction) {
+                        return true;
+                    }
+                }
+            }
+        } catch (\Throwable $exception) {
+            return false;
+        }
+    }
+
+    /**
+     * Is given class a plugin for blocks?
+     *
+     * @param \ReflectionClass $class
+     * @return bool
+     */
+    private function isBlockPlugin(\ReflectionClass $class): bool
+    {
+        try {
+            foreach ($class->getMethods(\ReflectionMethod::IS_PUBLIC) as $method) {
+                if (preg_match('/^(after|around|before).+/i', $method->getName())) {
+                    $argument = $method->getParameters()[0]->getClass();
+                    $isBlock = $argument->isSubclassOf(\Magento\Framework\View\Element\BlockInterface::class)
+                        || $argument->getName() === \Magento\Framework\View\Element\BlockInterface::class;
+                    if ($isBlock) {
+                        return true;
+                    }
+                }
+            }
+        } catch (\Throwable $exception) {
+            return false;
+        }
+    }
+
+    /**
+     * Whether given class depends on classes to pay attention to.
+     *
+     * @param \ReflectionClass $class
+     * @return bool
+     */
+    private function doesUseRestrictedClasses(\ReflectionClass $class): bool
+    {
+        $constructor = $class->getConstructor();
+        if ($constructor) {
+            foreach ($constructor->getParameters() as $argument) {
+                if ($class = $argument->getClass()) {
+                    if ($class->isSubclassOf(\Magento\Framework\Session\SessionManagerInterface::class)
+                        || $class->getName() === \Magento\Framework\Session\SessionManagerInterface::class
+                        || $class->isSubclassOf(\Magento\Framework\Stdlib\Cookie\CookieReaderInterface::class)
+                        || $class->getName() === \Magento\Framework\Stdlib\Cookie\CookieReaderInterface::class
+                    ) {
+                        return true;
+                    }
+                }
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * @inheritdoc
+     *
+     * @param ClassNode|ASTClass $node
+     */
+    public function apply(AbstractNode $node)
+    {
+        try {
+            $class = new \ReflectionClass($node->getFullQualifiedName());
+        } catch (\Throwable $exception) {
+            //Failed to load class, nothing we can do
+            return;
+        }
+
+        if ($this->doesUseRestrictedClasses($class)) {
+            if (!$this->isController($class)
+                && !$this->isBlock($class)
+                && !$this->isUiDataProvider($class)
+                && !$this->isUiDocument($class)
+                && !$this->isControllerPlugin($class)
+                && !$this->isBlockPlugin($class)
+            ) {
+                $this->addViolation($node, [$node->getFullQualifiedName()]);
+            }
+        }
+    }
+}

dev/tests/static/framework/Magento/CodeMessDetector/resources/rulesets/design.xml

@@ -54,6 +54,35 @@ class PostOrder implements ActionInterface
         ...
         return $response;
     }
+}
+            ]]>
+        </example>
+    </rule>
+    <rule name="CookieAndSessionMisuse"
+          class="Magento\CodeMessDetector\Rule\Design\CookieAndSessionMisuse"
+          message= "The class {0} uses sessions or cookies while not being a part of HTML Presentation layer">
+        <description>
+            <![CDATA[
+Sessions and cookies must only be used in classes directly responsible for HTML presentation because Web APIs do not
+rely on cookies and sessions
+            ]]>
+        </description>
+        <priority>2</priority>
+        <properties />
+        <example>
+            <![CDATA[
+class OrderProcessor
+{
+    public function __construct(SessionManagerInterface $session) {
+        $this->session = $session;
+    }
+
+    public function place(OrderInterface $order)
+    {
+        //Will not be present if processing a WebAPI request
+        $currentOrder = $this->session->get('current_order');
+        ...
+    }
 }
             ]]>
         </example>

dev/tests/static/testsuite/Magento/Test/Php/_files/phpmd/ruleset.xml

@@ -48,5 +48,6 @@
     <!-- Magento Specific Rules -->
     <rule ref="Magento/CodeMessDetector/resources/rulesets/design.xml/FinalImplementation" />
     <rule ref="Magento/CodeMessDetector/resources/rulesets/design.xml/AllPurposeAction" />
+    <rule ref="Magento/CodeMessDetector/resources/rulesets/design.xml/CookieAndSessionMisuse" />
 
 </ruleset>