Merge pull request #1795 from algolia/fix/MAGE-1379-phpcs-phtml-error

MAGE-1377 MAGE-1379 MAGE-1381 Sanitize untrusted inputs

Author: cammonro

CHANGELOG.md

@@ -43,6 +43,7 @@
 - Added support for PHPUnit 10
 - Added support for Magento 2.4.8 on PHP 8.4 - Special shout out to @jajajaime for his help here
 - Refactored code to PHP 8.2 baseline standard
+- Added string escaping to untrusted inputs
 - The InstantSearch "replace categories" feature must now be explicitly enabled on new instances aligning with our documentation: https://www.algolia.com/doc/integration/magento-2/guides/category-pages/#enable-category-pages
 
 ### Breaking Changes

Helper/ConfigHelper.php

@@ -1253,7 +1253,8 @@ public function preventBackendRendering($storeId = null): bool
         if (!isset($_SERVER['HTTP_USER_AGENT'])) {
             return false;
         }
-        $userAgent = mb_strtolower((string) $_SERVER['HTTP_USER_AGENT'], 'utf-8');
+        $userAgent = mb_strtolower((string) filter_input(INPUT_SERVER, 'HTTP_USER_AGENT', FILTER_SANITIZE_SPECIAL_CHARS), 'utf-8');
+
         $allowedUserAgents = $this->configInterface->getValue(
             self::BACKEND_RENDERING_ALLOWED_USER_AGENTS,
             ScopeInterface::SCOPE_STORE,

Model/Backend/QueueCron.php

@@ -7,7 +7,8 @@
 
 class QueueCron extends Value
 {
-    const CRON_REGEX = '/^(\*|[0-9,\-\/\*]+)\s+(\*|[0-9,\-\/\*]+)\s+(\*|[0-9,\-\/\*]+)\s+(\*|[0-9,\-\/\*]+)\s+(\*|[0-9,\-\/\*]+)$/';
+    const CRON_FORMAT_REGEX = '/^(\*|[0-9,\-\/\*]+)\s+(\*|[0-9,\-\/\*]+)\s+(\*|[0-9,\-\/\*]+)\s+(\*|[0-9,\-\/\*]+)\s+(\*|[0-9,\-\/\*]+)$/';
+    const CRON_DISALLOW_REGEX = '/[^@a-z0-9\*\-,\/ ]/';
 
     protected array $mappings = [
         '@yearly' => '0 0 1 1 *',
@@ -27,8 +28,19 @@ public function beforeSave()
             $this->setValue($value);
         }
 
-        if (!preg_match(self::CRON_REGEX, $value)) {
-            throw new InvalidCronException("Cron expression \"$value\" is not valid.");
+        if (!preg_match(self::CRON_FORMAT_REGEX, $value)) {
+            // This use of preg_replace is safe — static regex without /e modifier.
+            // phpcs:ignore
+            $safeValue = preg_replace(self::CRON_DISALLOW_REGEX, '', (string) $value);
+            $msg = ($safeValue !== $value)
+                ? 'Cron expression is invalid.'
+                : sprintf(
+                    'Cron expression "%s" is not valid.',
+                    htmlspecialchars($safeValue, ENT_QUOTES, 'UTF-8')
+                );
+            // Content is already escaped at this point
+            // phpcs:ignore
+            throw new InvalidCronException($msg);
         }
 
         return parent::beforeSave();

Test/Unit/Model/Backend/QueueCronTest.php

@@ -31,7 +31,7 @@ protected function setUp(): void
     /**
      * @dataProvider valuesProvider
      */
-    public function testInput($value, $isValid): void
+    public function testInput($value, $isValid, $canReplay = true): void
     {
         $this->queueCronModel->setValue($value);
 
@@ -45,8 +45,11 @@ public function testInput($value, $isValid): void
                 "Cron expression \"$value\" is not valid but it should be."
             );
 
+            $msg = $canReplay
+                ? "Cron expression \"$value\" is not valid."
+                : "Cron expression is invalid.";
             $this->assertEquals(
-                "Cron expression \"$value\" is not valid.",
+                $msg,
                 $exception->getMessage()
             );
         }
@@ -94,6 +97,11 @@ public static function valuesProvider(): array
             [
                 'value' => '@foo', // Not working alias
                 'isValid' => false
+            ],
+            [
+                'value' => '"><script>alert(\'XSS\')</script>',
+                'isValid' => false,
+                'canReplay' => false
             ]
         ];
     }

view/adminhtml/templates/analytics/form.phtml

@@ -1,35 +1,36 @@
 <?php
 /** @var \Magento\Backend\Block\Template $block */
+/** @var \Magento\Framework\Escaper $escaper */
 /** @var \Algolia\AlgoliaSearch\ViewModel\Adminhtml\Analytics\Form $form */
 $form = $block->getViewModel();
 ?>
 
 <?php $isFormDisabled = !$form->isAnalyticsApiEnabled() ? ' disabled' : '' ?>
 <div class="algolia-analytics-form" id="algolia-analytics-daterange">
-    <form id="algolia-analytics-form" data-mage-init='{"validation":{}}' action="<?php echo $form->getFormAction() ?>" method="post">
-        <input type="hidden" name="form_key" value="<?php echo $block->getFormKey() ?>" />
+    <form id="algolia-analytics-form" data-mage-init='{"validation":{}}' action="<?= $escaper->escapeUrl($form->getFormAction()) ?>" method="post">
+        <input type="hidden" name="form_key" value="<?= $escaper->escapeHtmlAttr($block->getFormKey()) ?>" />
         <div class="inline-field">
-            <select name="type" class="select admin__control-select"<?php echo $isFormDisabled ?>>
-                <?php foreach ($form->getSections() as $key => $section) : ?>
-                    <option value="<?php echo $key ?>"<?php echo ($key == $form->getFormValue('type')) ? ' selected' : '' ?>>
-                        <?php echo ucwords($key) ?>
+            <select name="type" class="select admin__control-select"<?= /** phpcs:ignore Magento2.Security.XssTemplate.FoundUnescaped **/ $isFormDisabled ?>>
+                <?php foreach ($form->getSections() as $key => $section): ?>
+                    <option value="<?= $escaper->escapeHtmlAttr($key) ?>"<?= ($key == $form->getFormValue('type')) ? ' selected' : '' ?>>
+                        <?= $escaper->escapeHtml(ucwords($key)) ?>
                     </option>
                 <?php endforeach; ?>
             </select>
         </div>
         <div class="inline-field">
-            <input type="text" id="analytics_from" name="from" <?php echo $isFormDisabled ?>
+            <input type="text" id="analytics_from" name="from" <?= /** phpcs:ignore Magento2.Security.XssTemplate.FoundUnescaped **/ $isFormDisabled ?>
                    class="admin__control-text input-text date-range-analytics-from"
-                   placeholder="<?php echo $block->escapeHtmlAttr(__('Start Date')) ?>" value="<?php echo $form->getFormValue('from') ?>"/>
+                   placeholder="<?= $escaper->escapeHtmlAttr(__('Start Date')) ?>" value="<?= $escaper->escapeHtmlAttr($form->getFormValue('from')) ?>"/>
         </div>
         <span class="divide">-</span>
         <div class="inline-field">
-            <input type="text" id="analytics_to" name="to" <?php echo $isFormDisabled ?>
+            <input type="text" id="analytics_to" name="to" <?= /** phpcs:ignore Magento2.Security.XssTemplate.FoundUnescaped **/ $isFormDisabled ?>
                    class="admin__control-text input-text validate-date-range date-range-analytics-to"
-                   placeholder="<?php echo $block->escapeHtmlAttr(__('End Date')) ?>" value="<?php echo $form->getFormValue('to') ?>"/>
+                   placeholder="<?= $escaper->escapeHtmlAttr(__('End Date')) ?>" value="<?= $escaper->escapeHtmlAttr($form->getFormValue('to'))  ?>"/>
         </div>
-        <button type="submit" class="action submit primary algolia-daterange-submit" <?php echo $isFormDisabled ?>>
-            <?php echo $block->escapeHtml(__('Update')) ?>
+        <button type="submit" class="action submit primary algolia-daterange-submit" <?= /** phpcs:ignore Magento2.Security.XssTemplate.FoundUnescaped **/ $isFormDisabled ?>>
+            <?= $escaper->escapeHtml(__('Update')) ?>
         </button>
     </form>
 </div>
@@ -70,4 +71,4 @@ $form = $block->getViewModel();
             }
         });
     });
-</script>
+</script>

view/adminhtml/templates/analytics/graph.phtml

@@ -1,7 +1,8 @@
 <?php
 /** @var \Magento\Backend\Block\Template $block */
+/** @var \Magento\Framework\Escaper $escaper */
 ?>
-<?php if (!empty($block->getAnalytics())) : ?>
+<?php if (!empty($block->getAnalytics())): ?>
     <div id="algolia-analyatics-diagram"></div>
     <script type="text/javascript" src="https://www.gstatic.com/charts/loader.js"></script>
     <script type="text/javascript">
@@ -11,17 +12,17 @@
 
             var data = new google.visualization.arrayToDataTable([
                 ['Date', 'Searches', {type: 'string', role: 'tooltip', p: {'html': true}}, {role: 'style'}],
-                <?php foreach ($block->getAnalytics() as $item) : ?>
-                ['<?php echo $item['formatted'] ?>', <?php echo $item['count'] ?>,
-                    "<div style='padding: 1.5rem; line-height: 18px;'><strong style='font-size: 14px;'><?php echo $item['formatted'] ?></strong><br/><br/>" +
-                    "<p>Searches: <strong style='color: #5468ff; padding-left: 3px;'><?php echo $item['count'] ?></strong></p>" +
-                    "<p>Users: <strong style='color: #3a46a1; padding-left: 3px;'><?php echo $item['users'] ?></strong></p>" +
-                    "<p>No Result Rate: <strong style='color: #3ab2bd; padding-left: 3px;'><?php echo round((int) $item['rate'] * 100, 2) . '%' ?></strong></p>" +
-                    <?php if (isset($item['ctr'])) : ?>
+                <?php foreach ($block->getAnalytics() as $item): ?>
+                ['<?= $escaper->escapeHtml($item['formatted']) ?>', <?= $escaper->escapeHtml($item['count']) ?>,
+                    "<div style='padding: 1.5rem; line-height: 18px;'><strong style='font-size: 14px;'><?= $escaper->escapeHtml($item['formatted']) ?></strong><br/><br/>" +
+                    "<p>Searches: <strong style='color: #5468ff; padding-left: 3px;'><?= $escaper->escapeHtml($item['count']) ?></strong></p>" +
+                    "<p>Users: <strong style='color: #3a46a1; padding-left: 3px;'><?= $escaper->escapeHtml($item['users']) ?></strong></p>" +
+                    "<p>No Result Rate: <strong style='color: #3ab2bd; padding-left: 3px;'><?= $escaper->escapeHtml(round((int) $item['rate'] * 100, 2) . '%') ?></strong></p>" +
+                    <?php if (isset($item['ctr'])): ?>
                     "<br/>" +
-                    "<p>CTR: <strong style='color: #5468ff; padding-left: 3px;'><?php echo round((int) $item['ctr'] * 100, 2) . '%' ?></strong></p>" +
-                    "<p>Conversion Rate: <strong style='color: #3a46a1; padding-left: 3px;'><?php echo round((int) $item['conversion'] * 100, 2) . '%' ?></strong></p>" +
-                    "<p>Avg Click Position: <strong style='color: #3ab2bd; padding-left: 3px;'><?php echo $item['clickPos'] ? $item['clickPos'] : '-' ?></strong></p>" +
+                    "<p>CTR: <strong style='color: #5468ff; padding-left: 3px;'><?= $escaper->escapeHtml(round((int) $item['ctr'] * 100, 2) . '%') ?></strong></p>" +
+                    "<p>Conversion Rate: <strong style='color: #3a46a1; padding-left: 3px;'><?= $escaper->escapeHtml(round((int) $item['conversion'] * 100, 2) . '%') ?></strong></p>" +
+                    "<p>Avg Click Position: <strong style='color: #3ab2bd; padding-left: 3px;'><?= $escaper->escapeHtml($item['clickPos'] ? $item['clickPos'] : '-') ?></strong></p>" +
                     <?php endif ?>
                     "</div>",
                     'stroke-opacity: 0; fill-opacity: 0.75;'
@@ -57,8 +58,8 @@
             chart.draw(data, options);
         }
     </script>
-<?php else : ?>
+<?php else: ?>
     <div class="dashboard-diagram-nodata">
-        <span><?php echo $block->escapeHtml(__('No Data Found')) ?></span>
+        <span><?= $escaper->escapeHtml(__('No Data Found')) ?></span>
     </div>
-<?php endif ?>
+<?php endif ?>