Merge branch 'MAGETWO-75418' into 2.3-develop-pr2

OlgaVasyltsun · OlgaVasyltsun · commit b335fe7305bc · 2018-03-07T10:26:32.000+02:00
diff --git a/app/code/Magento/Cms/Helper/Wysiwyg/Images.php b/app/code/Magento/Cms/Helper/Wysiwyg/Images.php
@@ -8,7 +8,9 @@
 use Magento\Framework\App\Filesystem\DirectoryList;
 
 /**
- * Wysiwyg Images Helper
+ * Wysiwyg Images Helper.
+ *
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
 class Images extends \Magento\Framework\App\Helper\AbstractHelper
 {
@@ -156,17 +158,23 @@ public function convertPathToId($path)
     }
 
     /**
-     * Decode HTML element id
+     * Decode HTML element id.
      *
      * @param string $id
      * @return string
+     * @throws \InvalidArgumentException When path contains restricted symbols.
      */
     public function convertIdToPath($id)
     {
         if ($id === \Magento\Theme\Helper\Storage::NODE_ROOT) {
             return $this->getStorageRoot();
         } else {
-            return $this->getStorageRoot() . $this->idDecode($id);
+            $path = $this->getStorageRoot() . $this->idDecode($id);
+            if (preg_match('/\.\.(\\\|\/)/', $path)) {
+                throw new \InvalidArgumentException('Path is invalid');
+            }
+
+            return $path;
         }
     }
 
diff --git a/app/code/Magento/Cms/Test/Unit/Helper/Wysiwyg/ImagesTest.php b/app/code/Magento/Cms/Test/Unit/Helper/Wysiwyg/ImagesTest.php
@@ -110,7 +110,7 @@ protected function setUp()
             ->willReturnMap(
                 [
                     [WysiwygConfig::IMAGE_DIRECTORY, null, $this->getAbsolutePath(WysiwygConfig::IMAGE_DIRECTORY)],
-                    [null, null, $this->getAbsolutePath(null)]
+                    [null, null, $this->getAbsolutePath(null)],
                 ]
             );
 
@@ -124,7 +124,7 @@ protected function setUp()
                 [
                     'clearWebsiteCache', 'getDefaultStoreView', 'getGroup', 'getGroups',
                     'getStore', 'getStores', 'getWebsite', 'getWebsites', 'hasSingleStore',
-                    'isSingleStoreMode', 'reinitStores', 'setCurrentStore', 'setIsSingleStoreModeAllowed'
+                    'isSingleStoreMode', 'reinitStores', 'setCurrentStore', 'setIsSingleStoreModeAllowed',
                 ]
             )
             ->disableOriginalConstructor()
@@ -229,7 +229,7 @@ public function providerConvertIdToPath()
     {
         return [
             ['', ''],
-            ['/test_path', 'L3Rlc3RfcGF0aA--']
+            ['/test_path', 'L3Rlc3RfcGF0aA--'],
         ];
     }
 
@@ -239,6 +239,15 @@ public function testConvertIdToPathNodeRoot()
         $this->assertEquals($this->imagesHelper->getStorageRoot(), $this->imagesHelper->convertIdToPath($pathId));
     }
 
+    /**
+     * @expectedException \InvalidArgumentException
+     * @expectedExceptionMessage Path is invalid
+     */
+    public function testConvertIdToPathInvalid()
+    {
+        $this->imagesHelper->convertIdToPath('Ly4uLy4uLy4uLy4uLy4uL3dvcms-');
+    }
+
     /**
      * @param string $fileName
      * @param int $maxLength
@@ -258,7 +267,7 @@ public function providerShortFilename()
         return [
             ['test', 3, 'tes...'],
             ['test', 4, 'test'],
-            ['test', 20, 'test']
+            ['test', 20, 'test'],
         ];
     }
 
@@ -280,7 +289,7 @@ public function providerShortFilenameDefaultMaxLength()
         return [
             ['Mini text', 'Mini text'],
             ['20 symbols are here', '20 symbols are here'],
-            ['Some text for this unit test', 'Some text for this u...']
+            ['Some text for this unit test', 'Some text for this u...'],
         ];
     }
 
@@ -319,7 +328,7 @@ public function providerIsUsingStaticUrlsAllowed()
     {
         return [
             [true],
-            [false]
+            [false],
         ];
     }
 
@@ -346,7 +355,7 @@ public function testGetCurrentPath($pathId, $expectedPath, $isExist)
                 [
                     ['/../wysiwyg/test_path', true],
                     ['/../wysiwyg/my.jpg', false],
-                    ['/../wysiwyg', true]
+                    ['/../wysiwyg', true],
                 ]
             );
         $this->directoryWriteMock->expects($this->any())
@@ -397,7 +406,7 @@ public function providerGetCurrentPath()
             [null, 'PATH/wysiwyg', true],
             ['L3Rlc3RfcGF0aA--', 'PATH/wysiwyg/test_path', false],
             ['L215LmpwZw--', 'PATH/wysiwyg', false],
-            [null, 'PATH/wysiwyg', false]
+            [null, 'PATH/wysiwyg', false],
         ];
     }
 
@@ -450,15 +459,15 @@ public function providerGetImageHtmlDeclarationRenderingAsTag()
                 'test.png',
                 true,
                 null,
-                '<img src="http://localhost/test.png" alt="" />'
+                '<img src="http://localhost/test.png" alt="" />',
             ],
             [
                 'http://localhost',
                 'test.png',
                 false,
                 '{{media url=&quot;/test.png&quot;}}',
-                '<img src="{{media url=&quot;/test.png&quot;}}" alt="" />'
-            ]
+                '<img src="{{media url=&quot;/test.png&quot;}}" alt="" />',
+            ],
         ];
     }
 
@@ -492,7 +501,7 @@ public function providerGetImageHtmlDeclaration()
     {
         return [
             ['http://localhost', 'test.png', true, 'http://localhost/test.png'],
-            ['http://localhost', 'test.png', false, '{{media url="/test.png"}}']
+            ['http://localhost', 'test.png', false, '{{media url="/test.png"}}'],
         ];
     }
 

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,9 @@`
`8`	`8`	`use Magento\Framework\App\Filesystem\DirectoryList;`
`9`	`9`
`10`	`10`	`/**`
`11`		`- * Wysiwyg Images Helper`
	`11`	`+ * Wysiwyg Images Helper.`
	`12`	`+ *`
	`13`	`+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)`
`12`	`14`	`*/`
`13`	`15`	`class Images extends \Magento\Framework\App\Helper\AbstractHelper`
`14`	`16`	`{`
`@@ -156,17 +158,23 @@ public function convertPathToId($path)`
`156`	`158`	`}`
`157`	`159`
`158`	`160`	`/**`
`159`		`- * Decode HTML element id`
	`161`	`+ * Decode HTML element id.`
`160`	`162`	`*`
`161`	`163`	`* @param string $id`
`162`	`164`	`* @return string`
	`165`	`+ * @throws \InvalidArgumentException When path contains restricted symbols.`
`163`	`166`	`*/`
`164`	`167`	`public function convertIdToPath($id)`
`165`	`168`	`{`
`166`	`169`	`if ($id === \Magento\Theme\Helper\Storage::NODE_ROOT) {`
`167`	`170`	`return $this->getStorageRoot();`
`168`	`171`	`} else {`
`169`		`- return $this->getStorageRoot() . $this->idDecode($id);`
	`172`	`+ $path = $this->getStorageRoot() . $this->idDecode($id);`
	`173`	`+ if (preg_match('/\.\.(\\\\|\/)/', $path)) {`
	`174`	`+ throw new \InvalidArgumentException('Path is invalid');`
	`175`	`+ }`
	`176`	`+`
	`177`	`+ return $path;`
`170`	`178`	`}`
`171`	`179`	`}`
`172`	`180`
Original file line number	Diff line number	Diff line change
`@@ -110,7 +110,7 @@ protected function setUp()`
`110`	`110`	`->willReturnMap(`
`111`	`111`	`[`
`112`	`112`	`[WysiwygConfig::IMAGE_DIRECTORY, null, $this->getAbsolutePath(WysiwygConfig::IMAGE_DIRECTORY)],`
`113`		`- [null, null, $this->getAbsolutePath(null)]`
	`113`	`+ [null, null, $this->getAbsolutePath(null)],`
`114`	`114`	`]`
`115`	`115`	`);`
`116`	`116`
`@@ -124,7 +124,7 @@ protected function setUp()`
`124`	`124`	`[`
`125`	`125`	`'clearWebsiteCache', 'getDefaultStoreView', 'getGroup', 'getGroups',`
`126`	`126`	`'getStore', 'getStores', 'getWebsite', 'getWebsites', 'hasSingleStore',`
`127`		`- 'isSingleStoreMode', 'reinitStores', 'setCurrentStore', 'setIsSingleStoreModeAllowed'`
	`127`	`+ 'isSingleStoreMode', 'reinitStores', 'setCurrentStore', 'setIsSingleStoreModeAllowed',`
`128`	`128`	`]`
`129`	`129`	`)`
`130`	`130`	`->disableOriginalConstructor()`
`@@ -229,7 +229,7 @@ public function providerConvertIdToPath()`
`229`	`229`	`{`
`230`	`230`	`return [`
`231`	`231`	`['', ''],`
`232`		`- ['/test_path', 'L3Rlc3RfcGF0aA--']`
	`232`	`+ ['/test_path', 'L3Rlc3RfcGF0aA--'],`
`233`	`233`	`];`
`234`	`234`	`}`
`235`	`235`
`@@ -239,6 +239,15 @@ public function testConvertIdToPathNodeRoot()`
`239`	`239`	`$this->assertEquals($this->imagesHelper->getStorageRoot(), $this->imagesHelper->convertIdToPath($pathId));`
`240`	`240`	`}`
`241`	`241`
	`242`	`+ /**`
	`243`	`+ * @expectedException \InvalidArgumentException`
	`244`	`+ * @expectedExceptionMessage Path is invalid`
	`245`	`+ */`
	`246`	`+ public function testConvertIdToPathInvalid()`
	`247`	`+ {`
	`248`	`+ $this->imagesHelper->convertIdToPath('Ly4uLy4uLy4uLy4uLy4uL3dvcms-');`
	`249`	`+ }`
	`250`	`+`
`242`	`251`	`/**`
`243`	`252`	`* @param string $fileName`
`244`	`253`	`* @param int $maxLength`
`@@ -258,7 +267,7 @@ public function providerShortFilename()`
`258`	`267`	`return [`
`259`	`268`	`['test', 3, 'tes...'],`
`260`	`269`	`['test', 4, 'test'],`
`261`		`- ['test', 20, 'test']`
	`270`	`+ ['test', 20, 'test'],`
`262`	`271`	`];`
`263`	`272`	`}`
`264`	`273`
`@@ -280,7 +289,7 @@ public function providerShortFilenameDefaultMaxLength()`
`280`	`289`	`return [`
`281`	`290`	`['Mini text', 'Mini text'],`
`282`	`291`	`['20 symbols are here', '20 symbols are here'],`
`283`		`- ['Some text for this unit test', 'Some text for this u...']`
	`292`	`+ ['Some text for this unit test', 'Some text for this u...'],`
`284`	`293`	`];`
`285`	`294`	`}`
`286`	`295`
`@@ -319,7 +328,7 @@ public function providerIsUsingStaticUrlsAllowed()`
`319`	`328`	`{`
`320`	`329`	`return [`
`321`	`330`	`[true],`
`322`		`- [false]`
	`331`	`+ [false],`
`323`	`332`	`];`
`324`	`333`	`}`
`325`	`334`
`@@ -346,7 +355,7 @@ public function testGetCurrentPath($pathId, $expectedPath, $isExist)`
`346`	`355`	`[`
`347`	`356`	`['/../wysiwyg/test_path', true],`
`348`	`357`	`['/../wysiwyg/my.jpg', false],`
`349`		`- ['/../wysiwyg', true]`
	`358`	`+ ['/../wysiwyg', true],`
`350`	`359`	`]`
`351`	`360`	`);`
`352`	`361`	`$this->directoryWriteMock->expects($this->any())`
`@@ -397,7 +406,7 @@ public function providerGetCurrentPath()`
`397`	`406`	`[null, 'PATH/wysiwyg', true],`
`398`	`407`	`['L3Rlc3RfcGF0aA--', 'PATH/wysiwyg/test_path', false],`
`399`	`408`	`['L215LmpwZw--', 'PATH/wysiwyg', false],`
`400`		`- [null, 'PATH/wysiwyg', false]`
	`409`	`+ [null, 'PATH/wysiwyg', false],`
`401`	`410`	`];`
`402`	`411`	`}`
`403`	`412`
`@@ -450,15 +459,15 @@ public function providerGetImageHtmlDeclarationRenderingAsTag()`
`450`	`459`	`'test.png',`
`451`	`460`	`true,`
`452`	`461`	`null,`
`453`		`- '<img src="http://localhost/test.png" alt="" />'`
	`462`	`+ '<img src="http://localhost/test.png" alt="" />',`
`454`	`463`	`],`
`455`	`464`	`[`
`456`	`465`	`'http://localhost',`
`457`	`466`	`'test.png',`
`458`	`467`	`false,`
`459`	`468`	`'{{media url="/test.png"}}',`
`460`		`- '<img src="{{media url="/test.png"}}" alt="" />'`
`461`		`- ]`
	`469`	`+ '<img src="{{media url="/test.png"}}" alt="" />',`
	`470`	`+ ],`
`462`	`471`	`];`
`463`	`472`	`}`
`464`	`473`
`@@ -492,7 +501,7 @@ public function providerGetImageHtmlDeclaration()`
`492`	`501`	`{`
`493`	`502`	`return [`
`494`	`503`	`['http://localhost', 'test.png', true, 'http://localhost/test.png'],`
`495`		`- ['http://localhost', 'test.png', false, '{{media url="/test.png"}}']`
	`504`	`+ ['http://localhost', 'test.png', false, '{{media url="/test.png"}}'],`
`496`	`505`	`];`
`497`	`506`	`}`
`498`	`507`