Merge branch 'MC-41488' into cia-2.4.3-bugfixes-4272021

Author: admanesachin

app/code/Magento/Backup/Model/Fs/Collection.php

@@ -3,6 +3,8 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
+
 namespace Magento\Backup\Model\Fs;
 
 use Magento\Framework\App\Filesystem\DirectoryList;
@@ -88,12 +90,17 @@ public function __construct(
      * Create .htaccess file and deny backups directory access from web
      *
      * @return void
+     * @throws \Magento\Framework\Exception\FileSystemException
      */
     protected function _hideBackupsForApache()
     {
         $filename = '.htaccess';
-        if (!$this->_varDirectory->isFile($filename)) {
-            $this->_varDirectory->writeFile($filename, 'deny from all');
+        $driver = $this->_varDirectory->getDriver();
+        $absolutePath = $driver->getAbsolutePath($this->_varDirectory->getAbsolutePath(), $filename);
+        if (!$driver->isFile($absolutePath)) {
+            $resource = $driver->fileOpen($absolutePath, 'w+');
+            $driver->fileWrite($resource, 'deny from all');
+            $driver->fileClose($resource);
         }
     }
 

app/code/Magento/Backup/Test/Unit/Model/Fs/CollectionTest.php

@@ -34,10 +34,15 @@ public function testConstructor()
         )->disableOriginalConstructor()
             ->getMock();
         $backupData->expects($this->any())->method('getExtensions')->willReturn([]);
-
+        $driver = $this->getMockBuilder(
+            Filesystem\DriverInterface::class
+        )->disableOriginalConstructor()
+            ->getMock();
         $directoryWrite->expects($this->any())->method('create')->with('backups');
-        $directoryWrite->expects($this->any())->method('getAbsolutePath')->with('backups');
+        $directoryWrite->expects($this->any())->method('getAbsolutePath')->willReturn('');
+        $directoryWrite->expects($this->at(3))->method('getAbsolutePath')->with('backups');
         $directoryWrite->expects($this->any())->method('isDirectory')->willReturn(true);
+        $directoryWrite->expects($this->any())->method('getDriver')->willReturn($driver);
         $targetDirectory = $this->getMockBuilder(TargetDirectory::class)
             ->disableOriginalConstructor()
             ->getMock();

app/code/Magento/Catalog/Model/Product/Option/Type/File/ValidatorFile.php

@@ -3,15 +3,16 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
 
 namespace Magento\Catalog\Model\Product\Option\Type\File;
 
 use Magento\Catalog\Model\Product;
-use Magento\Framework\App\Filesystem\DirectoryList;
 use Magento\Catalog\Model\Product\Exception as ProductException;
+use Magento\Framework\App\Filesystem\DirectoryList;
+use Magento\Framework\App\ObjectManager;
 use Magento\Framework\Exception\LocalizedException;
 use Magento\Framework\Math\Random;
-use Magento\Framework\App\ObjectManager;
 use Magento\MediaStorage\Model\File\Uploader;
 
 /**
@@ -254,8 +255,12 @@ protected function initFilesystem()
 
         // Directory listing and hotlink secure
         $path = $this->path . '/.htaccess';
-        if (!$this->mediaDirectory->isFile($path)) {
-            $this->mediaDirectory->writeFile($path, "Order deny,allow\nDeny from all");
+        $driver = $this->mediaDirectory->getDriver();
+        $absolutePath = $driver->getAbsolutePath($this->mediaDirectory->getAbsolutePath(), $path);
+        if (!$driver->isFile($absolutePath)) {
+            $resource = $driver->fileOpen($absolutePath, 'w+');
+            $driver->fileWrite($resource, "Order deny,allow\nDeny from all");
+            $driver->fileClose($resource);
         }
     }
 

app/code/Magento/Cms/Model/Wysiwyg/Images/Storage.php

@@ -436,7 +436,7 @@ public function createDirectory($name, $path)
             );
         }
 
-        $relativePath = $this->_directory->getRelativePath($path);
+        $relativePath = (string) $this->_directory->getRelativePath($path);
         if (!$this->_directory->isDirectory($relativePath) || !$this->_directory->isWritable($relativePath)) {
             $path = $this->_cmsWysiwygImages->getStorageRoot();
         }

dev/tests/api-functional/testsuite/Magento/Customer/Api/AccountManagementCustomAttributesTest.php

@@ -3,17 +3,21 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+
+declare(strict_types=1);
+
 namespace Magento\Customer\Api;
 
 use Magento\Customer\Api\Data\CustomerInterface;
-use Magento\Customer\Model\AccountManagement;
 use Magento\Framework\Api\AttributeValue;
 use Magento\Framework\Api\CustomAttributesDataInterface;
 use Magento\Framework\App\Filesystem\DirectoryList;
+use Magento\Framework\Filesystem\Directory\DenyListPathValidator;
+use Magento\Framework\Filesystem\Directory\WriteFactory;
+use Magento\Framework\Webapi\Exception as HTTPExceptionCodes;
 use Magento\TestFramework\Helper\Bootstrap;
 use Magento\TestFramework\Helper\Customer as CustomerHelper;
 use Magento\TestFramework\TestCase\WebapiAbstract;
-use Magento\Framework\Webapi\Exception as HTTPExceptionCodes;
 
 /**
  * Test class for Customer's custom attributes
@@ -104,8 +108,16 @@ protected function tearDown(): void
             }
         }
         $this->accountManagement = null;
-        $mediaDirectory = $this->fileSystem->getDirectoryWrite(DirectoryList::MEDIA);
-        $mediaDirectory->delete(CustomerMetadataInterface::ENTITY_TYPE_CUSTOMER);
+        $writeFactory = Bootstrap::getObjectManager()
+            ->get(WriteFactory::class);
+        $mediaDirectory = $writeFactory->create(DirectoryList::MEDIA);
+        $denyListPathValidator = Bootstrap::getObjectManager()
+            ->create(DenyListPathValidator::class, ['driver' => $mediaDirectory->getDriver()]);
+        $denyListPathValidator->addException($mediaDirectory->getAbsolutePath() . ".htaccess");
+        $writeFactoryBypassDenyList = Bootstrap::getObjectManager()
+            ->create(WriteFactory::class, ['denyListPathValidator' => $denyListPathValidator]);
+        $mediaDirectoryBypassDenyList = $writeFactoryBypassDenyList->create(DirectoryList::MEDIA);
+        $mediaDirectoryBypassDenyList->delete(CustomerMetadataInterface::ENTITY_TYPE_CUSTOMER);
     }
 
     /**

dev/tests/integration/testsuite/Magento/Catalog/Model/Product/Gallery/CreateHandlerTest.php

@@ -107,9 +107,8 @@ public function testExecuteWithImageDuplicate(): void
      */
     public function testExecuteWithIllegalFilename(string $imageFileName): void
     {
-        $this->expectException(\Magento\Framework\Exception\FileSystemException::class);
-        $this->expectExceptionMessageMatches('".+ file doesn\'t exist."');
-        $this->expectExceptionMessageMatches('/^((?!\.\.\/).)*$/');
+        $this->expectException(\Magento\Framework\Exception\ValidatorException::class);
+        $this->expectExceptionMessageMatches('".+ is not a valid file path"');
 
         $data = [
             'media_gallery' => ['images' => ['image' => ['file' => $imageFileName, 'label' => 'New image']]],

dev/tests/integration/testsuite/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFilesTest.php

@@ -4,9 +4,15 @@
  * See COPYING.txt for license details.
  */
 
+declare(strict_types=1);
+
 namespace Magento\Cms\Controller\Adminhtml\Wysiwyg\Images;
 
 use Magento\Framework\App\Filesystem\DirectoryList;
+use Magento\Framework\Exception\FileSystemException;
+use Magento\Framework\Filesystem\Directory\DenyListPathValidator;
+use Magento\Framework\Filesystem\Directory\WriteFactory;
+use Magento\Framework\Filesystem\Directory\WriteInterface;
 
 /**
  * Test for \Magento\Cms\Controller\Adminhtml\Wysiwyg\Images\DeleteFiles class.
@@ -26,7 +32,7 @@ class DeleteFilesTest extends \PHPUnit\Framework\TestCase
     private $imagesHelper;
 
     /**
-     * @var \Magento\Framework\Filesystem\Directory\WriteInterface
+     * @var WriteInterface
      */
     private $mediaDirectory;
 
@@ -50,25 +56,45 @@ class DeleteFilesTest extends \PHPUnit\Framework\TestCase
      */
     private $objectManager;
 
+    /**
+     * @var DirectoryList
+     */
+    private $directoryList;
+
+    /**
+     * @var WriteInterface
+     */
+    private $bypassDenyListWrite;
+
     /**
      * @inheritdoc
+     * @throws FileSystemException
      */
     protected function setUp(): void
     {
         $this->objectManager = \Magento\TestFramework\Helper\Bootstrap::getObjectManager();
         $directoryName = 'directory1';
+        $this->directoryList = $this->objectManager->get(DirectoryList::class);
         $this->filesystem = $this->objectManager->get(\Magento\Framework\Filesystem::class);
         /** @var \Magento\Cms\Helper\Wysiwyg\Images $imagesHelper */
         $this->imagesHelper = $this->objectManager->get(\Magento\Cms\Helper\Wysiwyg\Images::class);
         $this->mediaDirectory = $this->filesystem->getDirectoryWrite(DirectoryList::MEDIA);
-        $this->fullDirectoryPath = $this->imagesHelper->getStorageRoot() . '/' . $directoryName;
+        $this->fullDirectoryPath = $this->imagesHelper->getStorageRoot() . $directoryName;
         $this->mediaDirectory->create($this->mediaDirectory->getRelativePath($this->fullDirectoryPath));
         $filePath =  $this->fullDirectoryPath . DIRECTORY_SEPARATOR . $this->fileName;
         $fixtureDir = realpath(__DIR__ . '/../../../../../Catalog/_files');
         copy($fixtureDir . '/' . $this->fileName, $filePath);
         $path = $this->fullDirectoryPath . '/.htaccess';
-        if (!$this->mediaDirectory->isFile($path)) {
-            $this->mediaDirectory->writeFile($path, "Order deny,allow\nDeny from all");
+        $denyListPathValidator = $this->objectManager
+            ->create(DenyListPathValidator::class, ['driver' => $this->mediaDirectory->getDriver()]);
+        $denyListPathValidator->addException($path);
+        $bypassDenyListWriteFactory = $this->objectManager->create(WriteFactory::class, [
+            'denyListPathValidator' => $denyListPathValidator
+        ]);
+        $this->bypassDenyListWrite = $bypassDenyListWriteFactory
+            ->create($this->directoryList->getPath(DirectoryList::MEDIA));
+        if (!$this->bypassDenyListWrite->isFile($path)) {
+            $this->bypassDenyListWrite->writeFile($path, "Order deny,allow\nDeny from all");
         }
         $this->model = $this->objectManager->get(\Magento\Cms\Controller\Adminhtml\Wysiwyg\Images\DeleteFiles::class);
     }
@@ -132,8 +158,8 @@ public function testDeleteHtaccess()
         $this->model->execute();
 
         $this->assertTrue(
-            $this->mediaDirectory->isExist(
-                $this->mediaDirectory->getRelativePath($this->fullDirectoryPath . '/' . '.htaccess')
+            $this->bypassDenyListWrite->isExist(
+                $this->bypassDenyListWrite->getRelativePath($this->fullDirectoryPath . '/' . '.htaccess')
             )
         );
     }
@@ -186,7 +212,7 @@ public static function tearDownAfterClass(): void
     {
         $filesystem = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()
             ->get(\Magento\Framework\Filesystem::class);
-        /** @var \Magento\Framework\Filesystem\Directory\WriteInterface $directory */
+        /** @var WriteInterface $directory */
         $directory = $filesystem->getDirectoryWrite(DirectoryList::MEDIA);
         if ($directory->isExist('wysiwyg')) {
             $directory->delete('wysiwyg');

lib/internal/Magento/Framework/Filesystem/Directory/CompositePathValidator.php

@@ -0,0 +1,42 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Framework\Filesystem\Directory;
+
+/**
+ * Validates paths using driver.
+ */
+class CompositePathValidator implements PathValidatorInterface
+{
+    /**
+     * @var PathValidatorInterface[]
+     */
+    private $validators;
+
+    /**
+     * @param PathValidatorInterface[] $validators
+     */
+    public function __construct(array $validators)
+    {
+        $this->validators = $validators;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function validate(
+        string $directoryPath,
+        string $path,
+        ?string $scheme = null,
+        bool $absolutePath = false
+    ): void {
+        foreach ($this->validators as $validator) {
+            $validator->validate($directoryPath, $path, $scheme, $absolutePath);
+        }
+    }
+}

lib/internal/Magento/Framework/Filesystem/Directory/DenyListPathValidator.php

@@ -0,0 +1,105 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Framework\Filesystem\Directory;
+
+use Magento\Framework\Exception\ValidatorException;
+use Magento\Framework\Filesystem\DriverInterface;
+use Magento\Framework\Phrase;
+
+/**
+ * Validates paths using driver.
+ */
+class DenyListPathValidator implements PathValidatorInterface
+{
+    /**
+     * File deny list using regular expressions
+     *
+     * @var string[]
+     */
+    private $fileDenyList = ["htaccess"];
+
+    /**
+     * Deny list exception list
+     *
+     * @var string[]
+     */
+    private $exceptionList = [];
+
+    /**
+     * @var DriverInterface
+     */
+    private $driver;
+
+    /**
+     * @param DriverInterface $driver
+     */
+    public function __construct(DriverInterface $driver)
+    {
+        $this->driver = $driver;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function validate(
+        string $directoryPath,
+        string $path,
+        ?string $scheme = null,
+        bool $absolutePath = false
+    ): void {
+        $realDirectoryPath = $this->driver->getRealPathSafety($directoryPath);
+        $fullPath = $this->driver->getAbsolutePath(
+            $realDirectoryPath . DIRECTORY_SEPARATOR,
+            $path,
+            $scheme
+        );
+        if (!$absolutePath) {
+            $actualPath = $this->driver->getRealPathSafety($fullPath);
+        } else {
+            $actualPath = $this->driver->getRealPathSafety($path);
+        }
+
+        if (in_array($fullPath, $this->exceptionList, true)) {
+            return;
+        }
+
+        foreach ($this->fileDenyList as $file) {
+            $baseName = pathinfo($actualPath, PATHINFO_BASENAME);
+            if (str_contains($baseName, $file) || preg_match('#' . "\." . $file . '#', $fullPath)) {
+                throw new ValidatorException(
+                    new Phrase('"%1" is not a valid file path', [$path])
+                );
+            }
+        }
+    }
+
+    /**
+     * Allow addition of new exceptions given full path
+     *
+     * @param string $fullPath
+     */
+    public function addException(string $fullPath)
+    {
+        if (!in_array($fullPath, $this->exceptionList)) {
+            array_push($this->exceptionList, $fullPath);
+        }
+    }
+
+    /**
+     * Allow addition of new exceptions given full path
+     *
+     * @param string $fullPath
+     */
+    public function removeException(string $fullPath)
+    {
+        if (($key = array_search($fullPath, $this->exceptionList)) !== false) {
+            unset($this->exceptionList[$key]);
+        }
+    }
+}