Merge branch 'MC-40902' of github.com:magento-tsg/magento2ce into cia-2.3.7-3112021

Author: admanesachin

lib/internal/Magento/Framework/App/StaticResource.php

@@ -9,6 +9,8 @@
 use Magento\Framework\ObjectManager\ConfigLoaderInterface;
 use Magento\Framework\Filesystem;
 use Magento\Framework\Config\ConfigOptionsListConstants;
+use Magento\Framework\Validator\Locale;
+use Magento\Framework\View\Design\Theme\ThemePackageList;
 use Psr\Log\LoggerInterface;
 use Magento\Framework\Debug;
 use Magento\Framework\Filesystem\Driver\File;
@@ -80,6 +82,16 @@ class StaticResource implements \Magento\Framework\AppInterface
      */
     private $driver;
 
+    /**
+     * @var ThemePackageList
+     */
+    private $themePackageList;
+
+    /**
+     * @var Locale
+     */
+    private $localeValidator;
+
     /**
      * @param State $state
      * @param Response\FileInterface $response
@@ -91,6 +103,8 @@ class StaticResource implements \Magento\Framework\AppInterface
      * @param ConfigLoaderInterface $configLoader
      * @param DeploymentConfig|null $deploymentConfig
      * @param File|null $driver
+     * @param ThemePackageList|null $themePackageList
+     * @param Locale|null $localeValidator
      *
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
@@ -104,7 +118,9 @@ public function __construct(
         \Magento\Framework\ObjectManagerInterface $objectManager,
         ConfigLoaderInterface $configLoader,
         DeploymentConfig $deploymentConfig = null,
-        File $driver = null
+        File $driver = null,
+        ThemePackageList $themePackageList = null,
+        Locale $localeValidator = null
     ) {
         $this->state = $state;
         $this->response = $response;
@@ -116,6 +132,8 @@ public function __construct(
         $this->configLoader = $configLoader;
         $this->deploymentConfig = $deploymentConfig ?: ObjectManager::getInstance()->get(DeploymentConfig::class);
         $this->driver = $driver ?: ObjectManager::getInstance()->get(File::class);
+        $this->themePackageList = $themePackageList ?? ObjectManager::getInstance()->get(ThemePackageList::class);
+        $this->localeValidator = $localeValidator ?? ObjectManager::getInstance()->get(Locale::class);
     }
 
     /**
@@ -138,6 +156,16 @@ public function launch()
         } else {
             $path = $this->request->get('resource');
             $params = $this->parsePath($path);
+            if (!($this->isThemeAllowed($params['area'] . DIRECTORY_SEPARATOR . $params['theme'])
+                && $this->localeValidator->isValid($params['locale']))
+            ) {
+                if ($appMode == \Magento\Framework\App\State::MODE_PRODUCTION) {
+                    $this->response->setHttpResponseCode(404);
+                    return $this->response;
+                }
+                throw new \InvalidArgumentException('Requested path ' . $path . ' is wrong.');
+            }
+
             $this->state->setAreaCode($params['area']);
             $this->objectManager->configure($this->configLoader->load($params['area']));
             $file = $params['file'];
@@ -236,4 +264,15 @@ private function getLogger()
 
         return $this->logger;
     }
+
+    /**
+     * Check that theme is available.
+     *
+     * @param string $theme
+     * @return bool
+     */
+    private function isThemeAllowed(string $theme): bool
+    {
+        return in_array($theme, array_keys($this->themePackageList->getThemes()));
+    }
 }

lib/internal/Magento/Framework/App/Test/Unit/StaticResourceTest.php

@@ -21,6 +21,8 @@
 use Psr\Log\LoggerInterface;
 use PHPUnit\Framework\MockObject\MockObject as MockObject;
 use Magento\Framework\Filesystem\Driver\File;
+use Magento\Framework\View\Design\Theme\ThemePackageList;
+use Magento\Framework\Validator\Locale;
 
 /**
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
@@ -77,6 +79,16 @@ class StaticResourceTest extends \PHPUnit\Framework\TestCase
      */
     private $deploymentConfigMock;
 
+    /**
+     * @var ThemePackageList|MockObject
+     */
+    private $themePackageListMock;
+
+    /**
+     * @var Locale|MockObject
+     */
+    private $localeValidatorMock;
+
     /**
      * @var StaticResource
      */
@@ -100,6 +112,8 @@ protected function setUp(): void
         $this->configLoaderMock = $this->createMock(ConfigLoader::class);
         $this->deploymentConfigMock = $this->createMock(DeploymentConfig::class);
         $this->driverMock = $this->createMock(File::class);
+        $this->themePackageListMock = $this->createMock(ThemePackageList::class);
+        $this->localeValidatorMock = $this->createMock(Locale::class);
         $this->object = new StaticResource(
             $this->stateMock,
             $this->responseMock,
@@ -110,7 +124,9 @@ protected function setUp(): void
             $this->objectManagerMock,
             $this->configLoaderMock,
             $this->deploymentConfigMock,
-            $this->driverMock
+            $this->driverMock,
+            $this->themePackageListMock,
+            $this->localeValidatorMock
         );
     }
 
@@ -201,6 +217,17 @@ public function testLaunch(
         $this->driverMock->expects($this->once())
             ->method('getRealPathSafety')
             ->willReturnArgument(0);
+        $this->themePackageListMock->expects($this->atLeastOnce())->method('getThemes')->willReturn(
+            [
+                'area/Magento/theme' => [
+                    'area' => 'area',
+                    'vendor' => 'Magento',
+                    'name' => 'theme',
+                ],
+            ]
+        );
+        $this->localeValidatorMock->expects($this->once())->method('isValid')->willReturn(true);
+
         $this->object->launch();
     }
 
@@ -322,4 +349,86 @@ public function testLaunchPathAbove()
 
         $this->object->launch();
     }
+
+    /**
+     * @param array $themes
+     * @dataProvider themesDataProvider
+     */
+    public function testLaunchWithInvalidTheme(array $themes): void
+    {
+        $this->expectException('InvalidArgumentException');
+        $path = 'frontend/Test/luma/en_US/calendar.css';
+
+        $this->stateMock->expects($this->once())
+            ->method('getMode')
+            ->willReturn(State::MODE_DEVELOPER);
+        $this->requestMock->expects($this->once())
+            ->method('get')
+            ->with('resource')
+            ->willReturn($path);
+        $this->driverMock->expects($this->once())
+            ->method('getRealPathSafety')
+            ->with($path)
+            ->willReturn($path);
+        $this->themePackageListMock->expects($this->once())->method('getThemes')->willReturn($themes);
+        $this->localeValidatorMock->expects($this->never())->method('isValid');
+        $this->expectExceptionMessage('Requested path ' . $path . ' is wrong.');
+
+        $this->object->launch();
+    }
+
+    /**
+     * @param array $themes
+     * @dataProvider themesDataProvider
+     */
+    public function testLaunchWithInvalidLocale(array $themes): void
+    {
+        $this->expectException('InvalidArgumentException');
+        $path = 'frontend/Magento/luma/test/calendar.css';
+
+        $this->stateMock->expects($this->once())
+            ->method('getMode')
+            ->willReturn(State::MODE_DEVELOPER);
+        $this->requestMock->expects($this->once())
+            ->method('get')
+            ->with('resource')
+            ->willReturn($path);
+        $this->driverMock->expects($this->once())
+            ->method('getRealPathSafety')
+            ->with($path)
+            ->willReturn($path);
+        $this->themePackageListMock->expects($this->once())->method('getThemes')->willReturn($themes);
+        $this->localeValidatorMock->expects($this->once())->method('isValid')->willReturn(false);
+        $this->expectExceptionMessage('Requested path ' . $path . ' is wrong.');
+
+        $this->object->launch();
+    }
+
+    /**
+     * @return array
+     */
+    public function themesDataProvider(): array
+    {
+        return  [
+            [
+                [
+                    'adminhtml/Magento/backend' => [
+                        'area' => 'adminhtml',
+                        'vendor' => 'Magento',
+                        'name' => 'backend',
+                    ],
+                    'frontend/Magento/blank' => [
+                        'area' => 'frontend',
+                        'vendor' => 'Magento',
+                        'name' => 'blank',
+                    ],
+                    'frontend/Magento/luma' => [
+                        'area' => 'frontend',
+                        'vendor' => 'Magento',
+                        'name' => 'luma',
+                    ],
+                ],
+            ],
+        ];
+    }
 }