From 6ed2be4ae09516c0dc39150c6087980db29394f7 Mon Sep 17 00:00:00 2001
From: Kevin Kozan <kkozan@adobe.com>
Date: Mon, 23 Sep 2019 15:17:12 -0500
Subject: [PATCH 1/4] MQE-1510

---
 etc/config/command.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/etc/config/command.php b/etc/config/command.php
index 047af324a..ab05068df 100644
--- a/etc/config/command.php
+++ b/etc/config/command.php
@@ -22,7 +22,8 @@
         $magentoBinary = $php . ' -f ../../../../bin/magento';
         $valid = validateCommand($magentoBinary, $command);
         if ($valid) {
-            $process = new Symfony\Component\Process\Process($magentoBinary . " $command" . " $arguments");
+            $fullCommand = escapeshellcmd($magentoBinary . " $command" . " $arguments");
+            $process = new Symfony\Component\Process\Process($fullCommand);
             $process->setIdleTimeout(60);
             $process->setTimeout(0);
             $idleTimeout = false;

From f895b71063ccf7eb96e02ce01648000c711556e2 Mon Sep 17 00:00:00 2001
From: Kevin Kozan <kkozan@adobe.com>
Date: Wed, 25 Sep 2019 15:50:09 -0500
Subject: [PATCH 2/4] MQE-1510

---
 etc/config/command.php | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/etc/config/command.php b/etc/config/command.php
index ab05068df..201bb5d47 100644
--- a/etc/config/command.php
+++ b/etc/config/command.php
@@ -41,6 +41,11 @@
                 $output = "CLI command timed out, no output available.";
                 $idleTimeout = true;
             }
+
+            if (checkForFilePath($output)) {
+                $output = "CLI output suppressed, filepath detected in output.";
+            }
+
             $exitCode = $process->getExitCode();
 
             if ($exitCode == 0 || $idleTimeout) {
@@ -104,3 +109,13 @@ function trimAfterWhitespace($string)
 {
     return strtok($string, ' ');
 }
+
+/**
+ * Detects file path in string.
+ * @param string $string
+ * @return boolean
+ */
+function checkForFilePath($string)
+{
+    return preg_match('/\/[\S]+\//', $string);
+}

From 4a59f293675047a4d539be3deab57ab119291239 Mon Sep 17 00:00:00 2001
From: Kevin Kozan <kkozan@adobe.com>
Date: Mon, 30 Sep 2019 09:12:01 -0500
Subject: [PATCH 3/4] MQE-1510

---
 etc/config/command.php | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/etc/config/command.php b/etc/config/command.php
index 201bb5d47..6158eebc3 100644
--- a/etc/config/command.php
+++ b/etc/config/command.php
@@ -11,9 +11,9 @@
     $magentoObjectManager = $magentoObjectManagerFactory->create($_SERVER);
     $tokenModel = $magentoObjectManager->get(\Magento\Integration\Model\Oauth\Token::class);
 
-    $tokenPassedIn = urldecode($_POST['token']);
-    $command = urldecode($_POST['command']);
-    $arguments = urldecode($_POST['arguments']);
+    $tokenPassedIn = urldecode($_POST['token'] ?? '');
+    $command = urldecode($_POST['command'] ?? '');
+    $arguments = urldecode($_POST['arguments'] ?? '');
 
     // Token returned will be null if the token we passed in is invalid
     $tokenFromMagento = $tokenModel->loadByToken($tokenPassedIn)->getToken();
@@ -22,8 +22,14 @@
         $magentoBinary = $php . ' -f ../../../../bin/magento';
         $valid = validateCommand($magentoBinary, $command);
         if ($valid) {
-            $fullCommand = escapeshellcmd($magentoBinary . " $command" . " $arguments");
-            $process = new Symfony\Component\Process\Process($fullCommand);
+            $fullCommand = $magentoBinary . " $command" . " $arguments";
+            $escapedCommand = escapeshellcmd($fullCommand);
+            if ($fullCommand !== $escapedCommand) {
+                http_response_code(403);
+                echo("Unsafe characters detected, command was not executed.");
+                return;
+            }
+            $process = new Symfony\Component\Process\Process($escapedCommand);
             $process->setIdleTimeout(60);
             $process->setTimeout(0);
             $idleTimeout = false;

From 5127e0a7558d0f7462968612df757bfbc2aaa33e Mon Sep 17 00:00:00 2001
From: Kevin Kozan <kkozan@adobe.com>
Date: Mon, 30 Sep 2019 13:50:33 -0500
Subject: [PATCH 4/4] MQE-1510
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

– Reverting command check
---
 etc/config/command.php | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/etc/config/command.php b/etc/config/command.php
index 6158eebc3..7b45a2595 100644
--- a/etc/config/command.php
+++ b/etc/config/command.php
@@ -22,14 +22,8 @@
         $magentoBinary = $php . ' -f ../../../../bin/magento';
         $valid = validateCommand($magentoBinary, $command);
         if ($valid) {
-            $fullCommand = $magentoBinary . " $command" . " $arguments";
-            $escapedCommand = escapeshellcmd($fullCommand);
-            if ($fullCommand !== $escapedCommand) {
-                http_response_code(403);
-                echo("Unsafe characters detected, command was not executed.");
-                return;
-            }
-            $process = new Symfony\Component\Process\Process($escapedCommand);
+            $fullCommand = escapeshellcmd($magentoBinary . " $command" . " $arguments");
+            $process = new Symfony\Component\Process\Process($fullCommand);
             $process->setIdleTimeout(60);
             $process->setTimeout(0);
             $idleTimeout = false;