Merge branch 'release/3.16.0-dev' into chore/MAGE-1374-ci-on-3.17

Author: cammonro

.circleci/config.yml

@@ -181,18 +181,18 @@ workflows:
               magento-version: ["2.4.6-p11", "2.4.7-p6"]
       - notify:
           context: mage-slack
-  magento-integration-test-workflow:
-    when:
-      or:
-        - equal: [ main, << pipeline.git.branch >> ]
-        - matches:
-            pattern: ".*release.*"
-            value: << pipeline.git.branch >>
-    jobs:
-      - magento-integration-test:
-          matrix:
-            parameters:
-              php-version: ["8.2"]
-              magento-version: ["2.4.7-p6"]
-      - notify:
-          context: mage-slack
+#  magento-integration-test-workflow:
+#    when:
+#      or:
+#        - equal: [ main, << pipeline.git.branch >> ]
+#        - matches:
+#            pattern: ".*release.*"
+#            value: << pipeline.git.branch >>
+#    jobs:
+#      - magento-integration-test:
+#          matrix:
+#            parameters:
+#              php-version: ["8.2"]
+#              magento-version: ["2.4.7-p6"]
+#      - notify:
+#          context: mage-slack

CHANGELOG.md

@@ -22,13 +22,14 @@
 - Fixed WSOD error on invalid creds when using manual SKU indexer (also included in 3.15.1).
 - Fixed Recommend model validation when configuring through the Magento admin 
 - Fixed edge case with null queries - thank you @PromInc 
+- Removed conditional behavior on setting the vary string from the plugin on `\Magento\Framework\App\Http\Context` so that a consistent `X-Magento-Vary` cookie is sent across all requests 
 
 ### Updates
 - `beforecontent.html` is no longer used and has been deprecated. If you're overriding or referencing this file, please update your layout and customizations accordingly.
 - An additional separate crontab is no longer needed to run the indexing queue. Enable via admin config to run the queue using Magento's built-in cron.  
 - `BatchQueueProcessorInterface` has been introduced to decouple Algolia operations for core `Indexer` models.
 - Magento will set a default `renderingContent` based on its configured facets. Be sure that "Facet Display" is supported by your Algolia plan before attempting to use.
-- Auto full indexing is disabled by default in this release. If you require this legacy feature then it can be re-enabled via the Magento admin under Stores > Configuration > Algolia Search > Indexing Manager
+- Auto full indexing can be disabled in this release under Stores > Configuration > Algolia Search > Indexing Manager. We are moving towards more intentional indexing so please note that this will become the default in a future release.
 - InstantSearch has been refactored to support customization via JavaScript mixins. 
 - A new front end hook called `beforeFacetInitialization` has been added which allows a user to extend the functionality by adding, removing or modifying "builder" functions which are used to define a facet config that will drive the rendering of facets.
 - Removed InstantSearch enablement dependency in Magento admin to prevent losing facet and sorting config when disabling the feature.
@@ -42,6 +43,8 @@
 - Added support for PHPUnit 10
 - Added support for Magento 2.4.8 on PHP 8.4 - Special shout out to @jajajaime for his help here
 - Refactored code to PHP 8.2 baseline standard
+- Added string escaping to untrusted inputs
+- The InstantSearch "replace categories" feature must now be explicitly enabled on new instances aligning with our documentation: https://www.algolia.com/doc/integration/magento-2/guides/category-pages/#enable-category-pages
 
 ### Breaking Changes
 - `ProductHelper::setSettings()` is now taking `IndexOptions` objects as two first parameters instead of index names (strings).

Helper/ConfigHelper.php

@@ -1233,7 +1233,8 @@ public function preventBackendRendering($storeId = null): bool
         if (!isset($_SERVER['HTTP_USER_AGENT'])) {
             return false;
         }
-        $userAgent = mb_strtolower((string) $_SERVER['HTTP_USER_AGENT'], 'utf-8');
+        $userAgent = mb_strtolower((string) filter_input(INPUT_SERVER, 'HTTP_USER_AGENT', FILTER_SANITIZE_SPECIAL_CHARS), 'utf-8');
+
         $allowedUserAgents = $this->configInterface->getValue(
             self::BACKEND_RENDERING_ALLOWED_USER_AGENTS,
             ScopeInterface::SCOPE_STORE,

Model/Backend/QueueCron.php

@@ -7,7 +7,8 @@
 
 class QueueCron extends Value
 {
-    const CRON_REGEX = '/^(\*|[0-9,\-\/\*]+)\s+(\*|[0-9,\-\/\*]+)\s+(\*|[0-9,\-\/\*]+)\s+(\*|[0-9,\-\/\*]+)\s+(\*|[0-9,\-\/\*]+)$/';
+    const CRON_FORMAT_REGEX = '/^(\*|[0-9,\-\/\*]+)\s+(\*|[0-9,\-\/\*]+)\s+(\*|[0-9,\-\/\*]+)\s+(\*|[0-9,\-\/\*]+)\s+(\*|[0-9,\-\/\*]+)$/';
+    const CRON_DISALLOW_REGEX = '/[^@a-z0-9\*\-,\/ ]/';
 
     protected array $mappings = [
         '@yearly' => '0 0 1 1 *',
@@ -27,8 +28,19 @@ public function beforeSave()
             $this->setValue($value);
         }
 
-        if (!preg_match(self::CRON_REGEX, $value)) {
-            throw new InvalidCronException("Cron expression \"$value\" is not valid.");
+        if (!preg_match(self::CRON_FORMAT_REGEX, $value)) {
+            // This use of preg_replace is safe — static regex without /e modifier.
+            // phpcs:ignore
+            $safeValue = preg_replace(self::CRON_DISALLOW_REGEX, '', (string) $value);
+            $msg = ($safeValue !== $value)
+                ? 'Cron expression is invalid.'
+                : sprintf(
+                    'Cron expression "%s" is not valid.',
+                    htmlspecialchars($safeValue, ENT_QUOTES, 'UTF-8')
+                );
+            // Content is already escaped at this point
+            // phpcs:ignore
+            throw new InvalidCronException($msg);
         }
 
         return parent::beforeSave();

Plugin/RenderingCacheContextPlugin.php

@@ -3,6 +3,7 @@
 namespace Algolia\AlgoliaSearch\Plugin;
 
 use Algolia\AlgoliaSearch\Helper\ConfigHelper;
+use Algolia\AlgoliaSearch\Helper\Configuration\InstantSearchHelper;
 use Magento\Framework\App\Http\Context as HttpContext;
 use Magento\Framework\App\Request\Http;
 use Magento\Framework\Exception\NoSuchEntityException;
@@ -25,7 +26,8 @@ class RenderingCacheContextPlugin
     public const CATEGORY_ROUTE = 'catalog/category/view';
 
     public function __construct(
-        protected ConfigHelper $configHelper,
+        protected ConfigHelper $baseConfig,
+        protected InstantSearchHelper $isConfig,
         protected StoreManagerInterface $storeManager,
         protected Http $request,
         protected UrlFinderInterface $urlFinder
@@ -50,7 +52,7 @@ public function afterGetData(HttpContext $subject, array $data): array {
             return $data;
         }
 
-        $context = $this->configHelper->preventBackendRendering() ?
+        $context = $this->baseConfig->preventBackendRendering() ?
             self::RENDERING_WITHOUT_BACKEND :
             self::RENDERING_WITH_BACKEND;
 
@@ -89,6 +91,7 @@ protected function isCategoryRoute(string $path): bool {
      *
      * @param int $storeId
      * @return bool
+     * @deprecated This method will be removed in a future version
      */
     protected function isCategoryPage(int $storeId): bool
     {
@@ -104,6 +107,6 @@ protected function isCategoryPage(int $storeId): bool
     protected function shouldApplyCacheContext(): bool
     {
         $storeId = $this->storeManager->getStore()->getId();
-        return $this->isCategoryPage($storeId) && $this->configHelper->replaceCategories($storeId);
+        return $this->isConfig->shouldReplaceCategories($storeId);
     }
 }

Setup/Patch/Schema/ConfigPatch.php

@@ -51,7 +51,6 @@ class ConfigPatch implements SchemaPatchInterface
         'algoliasearch_instant/instant/instant_selector' => '.columns',
         'algoliasearch_instant/instant/number_product_results' => '9',
         'algoliasearch_instant/instant/max_values_per_facet' => '10',
-        'algoliasearch_instant/instant/replace_categories' => '1',
         'algoliasearch_instant/instant/show_suggestions_on_no_result_page' => '1',
         'algoliasearch_instant/instant/add_to_cart_enable' => '1',
         'algoliasearch_instant/instant/infinite_scroll_enable' => '0',

Test/Unit/Model/Backend/QueueCronTest.php

@@ -31,7 +31,7 @@ protected function setUp(): void
     /**
      * @dataProvider valuesProvider
      */
-    public function testInput($value, $isValid): void
+    public function testInput($value, $isValid, $canReplay = true): void
     {
         $this->queueCronModel->setValue($value);
 
@@ -45,8 +45,11 @@ public function testInput($value, $isValid): void
                 "Cron expression \"$value\" is not valid but it should be."
             );
 
+            $msg = $canReplay
+                ? "Cron expression \"$value\" is not valid."
+                : "Cron expression is invalid.";
             $this->assertEquals(
-                "Cron expression \"$value\" is not valid.",
+                $msg,
                 $exception->getMessage()
             );
         }
@@ -94,6 +97,11 @@ public static function valuesProvider(): array
             [
                 'value' => '@foo', // Not working alias
                 'isValid' => false
+            ],
+            [
+                'value' => '"><script>alert(\'XSS\')</script>',
+                'isValid' => false,
+                'canReplay' => false
             ]
         ];
     }

Test/Unit/Plugin/RenderingCacheContextPluginTest.php

@@ -3,31 +3,34 @@
 namespace Algolia\AlgoliaSearch\Test\Unit\Plugin;
 
 use Algolia\AlgoliaSearch\Helper\ConfigHelper;
+use Algolia\AlgoliaSearch\Helper\Configuration\InstantSearchHelper;
 use Algolia\AlgoliaSearch\Plugin\RenderingCacheContextPlugin;
 use Magento\Framework\App\Http\Context as HttpContext;
 use Magento\Framework\App\Request\Http;
 use Magento\Store\Api\Data\StoreInterface;
 use Magento\Store\Model\StoreManagerInterface;
 use Magento\UrlRewrite\Model\UrlFinderInterface;
 use PHPUnit\Framework\TestCase;
-
 class RenderingCacheContextPluginTest extends TestCase
 {
     protected ?RenderingCacheContextPlugin $plugin;
     protected ?ConfigHelper $configHelper;
+
+    protected ?InstantSearchHelper $instantSearchHelper;
     protected ?StoreManagerInterface $storeManager;
     protected ?Http $request;
     protected ?UrlFinderInterface $urlFinder;
-
     protected function setUp(): void
     {
         $this->configHelper = $this->createMock(ConfigHelper::class);
+        $this->instantSearchHelper = $this->createMock(InstantSearchHelper::class);
         $this->storeManager = $this->createMock(StoreManagerInterface::class);
         $this->request = $this->createMock(Http::class);
         $this->urlFinder = $this->createMock(UrlFinderInterface::class);
 
         $this->plugin = new RenderingCacheContextPluginTestable(
             $this->configHelper,
+            $this->instantSearchHelper,
             $this->storeManager,
             $this->request,
             $this->urlFinder
@@ -47,7 +50,7 @@ public function testAfterGetDataAddsRenderingContextNoBackendRender(): void
         $this->storeManager->method('getStore')->willReturn($this->getStoreMock());
 
         $this->request->method('getControllerName')->willReturn('category');
-        $this->configHelper->method('replaceCategories')->willReturn(true);
+        $this->instantSearchHelper->method('shouldReplaceCategories')->willReturn(true);
 
         $result = $this->plugin->afterGetData(
             $this->createMock(HttpContext::class),
@@ -66,7 +69,7 @@ public function testAfterGetDataAddsRenderingContextWithBackendRender(): void
         $this->storeManager->method('getStore')->willReturn($this->getStoreMock());
 
         $this->request->method('getControllerName')->willReturn('category');
-        $this->configHelper->method('replaceCategories')->willReturn(true);
+        $this->instantSearchHelper->method('shouldReplaceCategories')->willReturn(true);
 
         $result = $this->plugin->afterGetData(
             $this->createMock(HttpContext::class),
@@ -86,7 +89,7 @@ public function testAfterGetDataDoesNotModifyDataIfNotApplicable(): void
 
         $this->request->method('getControllerName')->willReturn('product');
         $this->request->method('getRequestUri')->willReturn('some-product.html');
-        $this->configHelper->method('replaceCategories')->willReturn(false);
+        $this->instantSearchHelper->method('shouldReplaceCategories')->willReturn(false);
 
         $data = ['existing_key' => 'existing_value'];
         $result = $this->plugin->afterGetData($subject, $data);
@@ -121,7 +124,7 @@ public function testShouldApplyCacheContext(): void
         $this->storeManager->method('getStore')->willReturn($this->getStoreMock());
 
         $this->request->method('getControllerName')->willReturn('category');
-        $this->configHelper->method('replaceCategories')->willReturn(true);
+        $this->instantSearchHelper->method('shouldReplaceCategories')->willReturn(true);
 
         $this->assertTrue($this->plugin->shouldApplyCacheContext());
     }

composer.json

@@ -5,7 +5,7 @@
   "license": ["MIT"],
   "version": "3.17.0-dev",
   "require": {
-    "php": "~8.1|~8.2|~8.3",
+    "php": "~8.2|~8.3|~8.4",
     "magento/framework": "~103.0",
     "algolia/algoliasearch-client-php": "4.18.3",
     "guzzlehttp/guzzle": "^6.3.3|^7.3.0",

etc/config.xml

@@ -29,6 +29,9 @@
             </redirects>
         </algoliasearch_autocomplete>
         <algoliasearch_instant>
+            <instant>
+                <replace_categories>0</replace_categories>
+            </instant>
             <instant_facets>
                 <facets><![CDATA[{"_1458145454535_587":{"attribute":"price","type":"slider","label":"Price","searchable":"2","create_rule":"2"},"_2541608784525_123":{"attribute":"categories","type":"conjunctive","label":"Categories","searchable":"2","create_rule":"2"},"_3211608784535_456":{"attribute":"color","type":"disjunctive","label":"Colors","searchable":"1","create_rule":"2"}}]]></facets>
                 <max_values_per_facet>10</max_values_per_facet>