ACP2E-3544: Async Bulk Operation remains in open state for async.magento.configurableproduct.api.optionrepositoryinterface.save.post

bubasuma · bubasuma · commit f9bda584d1ef · 2025-01-13T09:45:57.000-06:00
- Add validation to Bulk endpoints to only allow an array of array in the request body with the topmost array keys consisting of consecutive numbers from 0 to count. This will prevent consumers from defining invalid request item IDs which must be a numeric value between 0 and 4294967295.
diff --git a/app/code/Magento/WebapiAsync/Controller/Rest/Asynchronous/InputParamsResolver.php b/app/code/Magento/WebapiAsync/Controller/Rest/Asynchronous/InputParamsResolver.php
@@ -1,7 +1,7 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2018 Adobe
+ * All Rights Reserved.
  */
 
 declare(strict_types=1);
@@ -119,6 +119,12 @@ public function resolve()
         $routeServiceMethod = $route->getServiceMethod();
         $this->inputArraySizeLimitValue->set($route->getInputArraySizeLimit());
 
+        if (!array_is_list($inputData)) {
+            throw new Exception(
+                __('Request body must be an array'),
+            );
+        }
+
         foreach ($inputData as $key => $singleEntityParams) {
             $webapiResolvedParams[$key] = $this->resolveBulkItemParams(
                 $singleEntityParams,
diff --git a/app/code/Magento/WebapiAsync/Test/Unit/Controller/Rest/Asynchronous/InputParamsResolverTest.php b/app/code/Magento/WebapiAsync/Test/Unit/Controller/Rest/Asynchronous/InputParamsResolverTest.php
@@ -0,0 +1,145 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\WebapiAsync\Test\Unit\Controller\Rest\Asynchronous;
+
+use Magento\Framework\Webapi\Rest\Request;
+use Magento\Framework\Webapi\ServiceInputProcessor;
+use Magento\Framework\Webapi\Validator\EntityArrayValidator\InputArraySizeLimitValue;
+use Magento\Webapi\Controller\Rest\InputParamsResolver as WebapiInputParamsResolver;
+use Magento\Webapi\Controller\Rest\ParamsOverrider;
+use Magento\Webapi\Controller\Rest\RequestValidator;
+use Magento\Webapi\Controller\Rest\Router;
+use Magento\Webapi\Controller\Rest\Router\Route;
+use Magento\WebapiAsync\Controller\Rest\Asynchronous\InputParamsResolver;
+use PHPUnit\Framework\Attributes\DataProvider;
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
+
+class InputParamsResolverTest extends TestCase
+{
+    /**
+     * @var Request|MockObject
+     */
+    private $requestMock;
+
+    /**
+     * @var ParamsOverrider|MockObject
+     */
+    private $paramsOverriderMock;
+
+    /**
+     * @var ServiceInputProcessor|MockObject
+     */
+    private $serviceInputProcessorMock;
+
+    /**
+     * @var Router|MockObject
+     */
+    private $routerMock;
+
+    /**
+     * @var RequestValidator|MockObject
+     */
+    private $requestValidatorMock;
+
+    /**
+     * @var WebapiInputParamsResolver|MockObject
+     */
+    private $webapiInputParamsResolverMock;
+
+    /**
+     * @var InputArraySizeLimitValue|MockObject
+     */
+    private $inputArraySizeLimitValueMock;
+
+    protected function setUp(): void
+    {
+        $this->requestMock = $this->createMock(Request::class);
+        $this->paramsOverriderMock = $this->createMock(ParamsOverrider::class);
+        $this->serviceInputProcessorMock = $this->createMock(ServiceInputProcessor::class);
+        $this->routerMock = $this->createMock(Router::class);
+        $this->requestValidatorMock = $this->createMock(RequestValidator::class);
+        $this->webapiInputParamsResolverMock = $this->createMock(WebapiInputParamsResolver::class);
+        $this->inputArraySizeLimitValueMock = $this->createMock(InputArraySizeLimitValue::class);
+    }
+
+    #[DataProvider('requestBodyDataProvider')]
+    public function testResolveAsyncBulkShouldThrowAnErrorForInvalidRequestData(
+        array $requestData,
+        string $expectedExceptionMessage
+    ): void {
+        $routeMock = $this->createMock(Route::class);
+        $this->webapiInputParamsResolverMock->expects($this->once())
+            ->method('getRoute')
+            ->willReturn($routeMock);
+        $this->requestMock->expects($this->once())
+            ->method('getRequestData')
+            ->willReturn($requestData);
+        $this->expectException(\Magento\Framework\Webapi\Exception::class);
+        $this->expectExceptionMessage($expectedExceptionMessage);
+        $this->getModel(true)->resolve();
+    }
+
+    public function testResolveAsyncBulk(): void
+    {
+        $requestData = [['param1' => 'value1'], ['param1' => 'value1']];
+        $routeMock = $this->createMock(Route::class);
+        $routeMock->expects($this->once())
+            ->method('getServiceClass')
+            ->willReturn('serviceClass');
+        $routeMock->expects($this->once())
+            ->method('getServiceMethod')
+            ->willReturn('serviceMethod');
+        $this->webapiInputParamsResolverMock->expects($this->once())
+            ->method('getRoute')
+            ->willReturn($routeMock);
+        $this->requestMock->expects($this->once())
+            ->method('getRequestData')
+            ->willReturn($requestData);
+        $this->serviceInputProcessorMock->expects($this->exactly(2))
+            ->method('process')
+            ->willReturnArgument(2);
+        $this->assertEquals($requestData, $this->getModel(true)->resolve());
+    }
+
+    #[DataProvider('requestBodyDataProvider')]
+    public function testResolveAsync(array $requestData): void
+    {
+        $this->webapiInputParamsResolverMock->expects($this->once())
+            ->method('resolve')
+            ->willReturn($requestData);
+        $this->requestMock->method('getRequestData')
+            ->willReturn($requestData);
+        $this->assertEquals([$requestData], $this->getModel(false)->resolve());
+    }
+
+    public static function requestBodyDataProvider(): array
+    {
+        return [
+            [[1 => []], 'Request body must be an array'],
+            [['0str' => []], 'Request body must be an array'],
+            [['str' => []], 'Request body must be an array'],
+            [['str' => [], 1 => []], 'Request body must be an array'],
+            [['str' => [], 0 => [], 1 => []], 'Request body must be an array'],
+        ];
+    }
+
+    private function getModel(bool $isBulk = false): InputParamsResolver
+    {
+        return new InputParamsResolver(
+            $this->requestMock,
+            $this->paramsOverriderMock,
+            $this->serviceInputProcessorMock,
+            $this->routerMock,
+            $this->requestValidatorMock,
+            $this->webapiInputParamsResolverMock,
+            $isBulk,
+            $this->inputArraySizeLimitValueMock
+        );
+    }
+}
diff --git a/app/code/Magento/WebapiAsync/i18n/en_US.csv b/app/code/Magento/WebapiAsync/i18n/en_US.csv
@@ -0,0 +1 @@
+"Request body must be an array","Request body must be an array"

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+"Request body must be an array","Request body must be an array"`