cia-2.4.7-beta1-develop-bugfixes-01132023

pawan-adobe-security · pawan-adobe-security · commit f6ac4d2db4a6 · 2023-01-13T14:56:25.000+05:30
Merge branch 'AC-7025' into cia-2.4.7-beta1-develop-bugfixes-01132023
diff --git a/app/code/Magento/Catalog/Controller/Adminhtml/Product/NewAction.php b/app/code/Magento/Catalog/Controller/Adminhtml/Product/NewAction.php
@@ -4,18 +4,21 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
+
 namespace Magento\Catalog\Controller\Adminhtml\Product;
 
-use Magento\Framework\App\Action\HttpGetActionInterface as HttpGetActionInterface;
-use Magento\Backend\App\Action;
 use Magento\Catalog\Controller\Adminhtml\Product;
+use Magento\Framework\App\Action\HttpGetActionInterface as HttpGetActionInterface;
 use Magento\Framework\App\ObjectManager;
+use Magento\Framework\RegexValidator;
 
 class NewAction extends \Magento\Catalog\Controller\Adminhtml\Product implements HttpGetActionInterface
 {
     /**
      * @var Initialization\StockDataFilter
      * @deprecated 101.0.0
+     * @see Initialization\StockDataFilter
      */
     protected $stockFilter;
 
@@ -30,23 +33,32 @@ class NewAction extends \Magento\Catalog\Controller\Adminhtml\Product implements
     protected $resultForwardFactory;
 
     /**
-     * @param Action\Context $context
+     * @var RegexValidator
+     */
+    private RegexValidator $regexValidator;
+
+    /**
+     * @param Context $context
      * @param Builder $productBuilder
      * @param Initialization\StockDataFilter $stockFilter
      * @param \Magento\Framework\View\Result\PageFactory $resultPageFactory
      * @param \Magento\Backend\Model\View\Result\ForwardFactory $resultForwardFactory
+     * @param RegexValidator|null $regexValidator
      */
     public function __construct(
         \Magento\Backend\App\Action\Context $context,
         Product\Builder $productBuilder,
         Initialization\StockDataFilter $stockFilter,
         \Magento\Framework\View\Result\PageFactory $resultPageFactory,
-        \Magento\Backend\Model\View\Result\ForwardFactory $resultForwardFactory
+        \Magento\Backend\Model\View\Result\ForwardFactory $resultForwardFactory,
+        RegexValidator $regexValidator = null
     ) {
         $this->stockFilter = $stockFilter;
         parent::__construct($context, $productBuilder);
         $this->resultPageFactory = $resultPageFactory;
         $this->resultForwardFactory = $resultForwardFactory;
+        $this->regexValidator = $regexValidator
+            ?: ObjectManager::getInstance()->get(RegexValidator::class);
     }
 
     /**
@@ -56,6 +68,11 @@ public function __construct(
      */
     public function execute()
     {
+        $typeId = $this->getRequest()->getParam('type');
+        if (!$this->regexValidator->validateParamRegex($typeId)) {
+            return $this->resultForwardFactory->create()->forward('noroute');
+        }
+
         if (!$this->getRequest()->getParam('set')) {
             return $this->resultForwardFactory->create()->forward('noroute');
         }
diff --git a/app/code/Magento/Catalog/Test/Unit/Controller/Adminhtml/Product/NewActionTest.php b/app/code/Magento/Catalog/Test/Unit/Controller/Adminhtml/Product/NewActionTest.php
@@ -16,6 +16,9 @@
 use Magento\Catalog\Controller\Adminhtml\Product\NewAction;
 use Magento\Catalog\Model\Product;
 use Magento\Catalog\Test\Unit\Controller\Adminhtml\ProductTest;
+use Magento\Framework\RegexValidator;
+use Magento\Framework\Validator\Regex;
+use Magento\Framework\Validator\RegexFactory;
 use Magento\Framework\TestFramework\Unit\Helper\ObjectManager;
 use Magento\Framework\View\Result\PageFactory;
 use PHPUnit\Framework\MockObject\MockObject;
@@ -42,6 +45,26 @@ class NewActionTest extends ProductTest
      */
     protected $initializationHelper;
 
+    /**
+     * @var RegexValidator|MockObject
+     */
+    private $regexValidator;
+
+    /**
+     * @var RegexFactory
+     */
+    private $regexValidatorFactoryMock;
+
+    /**
+     * @var Regex|MockObject
+     */
+    private $regexValidatorMock;
+
+    /**
+     * @var ForwardFactory&MockObject|MockObject
+     */
+    private $resultForwardFactory;
+
     protected function setUp(): void
     {
         $this->productBuilder = $this->createPartialMock(
@@ -63,37 +86,78 @@ protected function setUp(): void
             ->disableOriginalConstructor()
             ->setMethods(['create'])
             ->getMock();
-        $resultPageFactory->expects($this->atLeastOnce())
-            ->method('create')
-            ->willReturn($this->resultPage);
 
         $this->resultForward = $this->getMockBuilder(Forward::class)
             ->disableOriginalConstructor()
             ->getMock();
-        $resultForwardFactory = $this->getMockBuilder(ForwardFactory::class)
+        $this->resultForwardFactory = $this->getMockBuilder(ForwardFactory::class)
+            ->disableOriginalConstructor()
+            ->onlyMethods(['create'])
+            ->getMock();
+
+        $this->regexValidatorFactoryMock = $this->getMockBuilder(RegexFactory::class)
             ->disableOriginalConstructor()
             ->setMethods(['create'])
             ->getMock();
-        $resultForwardFactory->expects($this->any())
-            ->method('create')
-            ->willReturn($this->resultForward);
+        $this->regexValidatorMock = $this->createMock(Regex::class);
+        $this->regexValidatorFactoryMock->method('create')
+            ->willReturn($this->regexValidatorMock);
 
+        $this->regexValidator = new regexValidator($this->regexValidatorFactoryMock);
         $this->action = (new ObjectManager($this))->getObject(
             NewAction::class,
             [
                 'context' => $this->initContext(),
                 'productBuilder' => $this->productBuilder,
                 'resultPageFactory' => $resultPageFactory,
-                'resultForwardFactory' => $resultForwardFactory,
+                'resultForwardFactory' => $this->resultForwardFactory,
+                'regexValidator' => $this->regexValidator,
             ]
         );
     }
 
-    public function testExecute()
+    /**
+     * Test execute method input validation.
+     *
+     * @param string $value
+     * @param bool $exceptionThrown
+     * @dataProvider validationCases
+     */
+    public function testExecute(string $value, bool $exceptionThrown): void
+    {
+        if ($exceptionThrown) {
+            $this->action->getRequest()->expects($this->any())
+                ->method('getParam')
+                ->willReturn($value);
+            $this->resultForwardFactory->expects($this->any())
+                ->method('create')
+                ->willReturn($this->resultForward);
+            $this->resultForward->expects($this->once())
+                ->method('forward')
+                ->with('noroute')
+                ->willReturn(true);
+            $this->assertTrue($this->action->execute());
+        } else {
+            $this->action->getRequest()->expects($this->any())->method('getParam')->willReturn($value);
+            $this->regexValidatorMock->expects($this->any())
+                ->method('isValid')
+                ->with($value)
+                ->willReturn(true);
+
+            $this->assertEquals(true, $this->regexValidator->validateParamRegex($value));
+        }
+    }
+
+    /**
+     * Validation cases.
+     *
+     * @return array
+     */
+    public function validationCases(): array
     {
-        $this->action->getRequest()->expects($this->any())->method('getParam')->willReturn(true);
-        $this->action->getRequest()->expects($this->any())->method('getFullActionName')
-            ->willReturn('catalog_product_new');
-        $this->action->execute();
+        return [
+            'execute-with-exception' => ['simple\' and true()]|*[self%3a%3ahandle%20or%20self%3a%3alayout',true],
+            'execute-without-exception' => ['catalog_product_new',false]
+        ];
     }
 }
diff --git a/app/code/Magento/Catalog/i18n/en_US.csv b/app/code/Magento/Catalog/i18n/en_US.csv
@@ -819,4 +819,5 @@ Details,Details
 "Failed to retrieve product links for ""%1""","Failed to retrieve product links for ""%1"""
 "The linked product SKU is invalid. Verify the data and try again.","The linked product SKU is invalid. Verify the data and try again."
 "The linked products data is invalid. Verify the data and try again.","The linked products data is invalid. Verify the data and try again."
+"The url has invalid characters. Please correct and try again.","The url has invalid characters. Please correct and try again."
 
diff --git a/app/code/Magento/Sales/Controller/Adminhtml/Order/Create/LoadBlock.php b/app/code/Magento/Sales/Controller/Adminhtml/Order/Create/LoadBlock.php
@@ -3,18 +3,26 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
+
 namespace Magento\Sales\Controller\Adminhtml\Order\Create;
 
-use Magento\Framework\App\Action\HttpGetActionInterface;
-use Magento\Framework\App\Action\HttpPostActionInterface as HttpPostActionInterface;
 use Magento\Backend\App\Action;
+use Magento\Backend\App\Action\Context;
 use Magento\Backend\Model\View\Result\ForwardFactory;
-use Magento\Framework\View\Result\PageFactory;
+use Magento\Framework\App\Action\HttpGetActionInterface;
+use Magento\Framework\App\Action\HttpPostActionInterface as HttpPostActionInterface;
 use Magento\Framework\App\ObjectManager;
 use Magento\Framework\Controller\Result\RawFactory;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Framework\RegexValidator;
+use Magento\Framework\View\Result\PageFactory;
 use Magento\Sales\Controller\Adminhtml\Order\Create as CreateAction;
 use Magento\Store\Model\StoreManagerInterface;
 
+/**
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
+ */
 class LoadBlock extends CreateAction implements HttpPostActionInterface, HttpGetActionInterface
 {
     /**
@@ -28,13 +36,19 @@ class LoadBlock extends CreateAction implements HttpPostActionInterface, HttpGet
     private $storeManager;
 
     /**
-     * @param Action\Context $context
-     * @param \Magento\Catalog\Helper\Product $productHelper
-     * @param \Magento\Framework\Escaper $escaper
+     * @var RegexValidator
+     */
+    private RegexValidator $regexValidator;
+
+    /**
+     * @param Context $context
+     * @param Product $productHelper
+     * @param Escaper $escaper
      * @param PageFactory $resultPageFactory
      * @param ForwardFactory $resultForwardFactory
      * @param RawFactory $resultRawFactory
      * @param StoreManagerInterface|null $storeManager
+     * @param RegexValidator|null $regexValidator
      */
     public function __construct(
         Action\Context $context,
@@ -43,7 +57,8 @@ public function __construct(
         PageFactory $resultPageFactory,
         ForwardFactory $resultForwardFactory,
         RawFactory $resultRawFactory,
-        StoreManagerInterface $storeManager = null
+        StoreManagerInterface $storeManager = null,
+        RegexValidator $regexValidator = null
     ) {
         $this->resultRawFactory = $resultRawFactory;
         parent::__construct(
@@ -55,6 +70,8 @@ public function __construct(
         );
         $this->storeManager = $storeManager ?: ObjectManager::getInstance()
             ->get(StoreManagerInterface::class);
+        $this->regexValidator = $regexValidator
+            ?: ObjectManager::getInstance()->get(RegexValidator::class);
     }
 
     /**
@@ -64,6 +81,7 @@ public function __construct(
      *
      * @SuppressWarnings(PHPMD.CyclomaticComplexity)
      * @SuppressWarnings(PHPMD.NPathComplexity)
+     * @throws LocalizedException
      */
     public function execute()
     {
@@ -84,6 +102,12 @@ public function execute()
         $asJson = $request->getParam('json');
         $block = $request->getParam('block');
 
+        if ($block && !$this->regexValidator->validateParamRegex($block)) {
+            throw new LocalizedException(
+                __('The url has invalid characters. Please correct and try again.')
+            );
+        }
+
         /** @var \Magento\Framework\View\Result\Page $resultPage */
         $resultPage = $this->resultPageFactory->create();
         if ($asJson) {
diff --git a/lib/internal/Magento/Framework/RegexValidator.php b/lib/internal/Magento/Framework/RegexValidator.php
@@ -0,0 +1,53 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Framework;
+
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Validator\RegexFactory;
+
+class RegexValidator extends RegexFactory
+{
+
+    /**
+     * @var RegexFactory
+     */
+    private RegexFactory $regexValidatorFactory;
+
+    /**
+     * Validation pattern for handles array
+     */
+    private const VALIDATION_RULE_PATTERN = '/^[a-z0-9,.]+[a-z0-9_,.]*$/i';
+
+    /**
+     * @param RegexFactory|null $regexValidatorFactory
+     */
+    public function __construct(
+        ?RegexFactory $regexValidatorFactory = null
+    ) {
+        $this->regexValidatorFactory = $regexValidatorFactory
+            ?: ObjectManager::getInstance()->get(RegexFactory::class);
+    }
+
+    /**
+     * Validates parameter regex
+     *
+     * @param string $params
+     * @param string $pattern
+     * @return bool
+     */
+    public function validateParamRegex(string $params, string $pattern = self::VALIDATION_RULE_PATTERN): bool
+    {
+        $validator = $this->regexValidatorFactory->create(['pattern' => $pattern]);
+
+        if ($params && !$validator->isValid($params)) {
+            return false;
+        }
+
+        return true;
+    }
+}
