Merge branch 'AC-9851' into cia-2.4.8-beta1-develop-bugfix-05292024

Author: pawan-adobe-security

app/code/Magento/Integration/Block/Adminhtml/Integration/Edit/Tab/Info.php

@@ -3,6 +3,9 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+
+declare(strict_types=1);
+
 namespace Magento\Integration\Block\Adminhtml\Integration\Edit\Tab;
 
 use Magento\Integration\Controller\Adminhtml\Integration;
@@ -19,23 +22,23 @@ class Info extends \Magento\Backend\Block\Widget\Form\Generic implements \Magent
     /**#@+
      * Form elements names.
      */
-    const HTML_ID_PREFIX = 'integration_properties_';
+    public const HTML_ID_PREFIX = 'integration_properties_';
 
-    const DATA_ID = 'integration_id';
+    public const DATA_ID = 'integration_id';
 
-    const DATA_NAME = 'name';
+    public const DATA_NAME = 'name';
 
-    const DATA_EMAIL = 'email';
+    public const DATA_EMAIL = 'email';
 
-    const DATA_ENDPOINT = 'endpoint';
+    public const DATA_ENDPOINT = 'endpoint';
 
-    const DATA_IDENTITY_LINK_URL = 'identity_link_url';
+    public const DATA_IDENTITY_LINK_URL = 'identity_link_url';
 
-    const DATA_SETUP_TYPE = 'setup_type';
+    public const DATA_SETUP_TYPE = 'setup_type';
 
-    const DATA_CONSUMER_ID = 'consumer_id';
+    public const DATA_CONSUMER_ID = 'consumer_id';
 
-    const DATA_CONSUMER_PASSWORD = 'current_password';
+    public const DATA_CONSUMER_PASSWORD = 'current_password';
 
     /**#@-*/
 
@@ -161,6 +164,7 @@ protected function _addGeneralFieldset($form, $integrationData)
                 'label' => __('Identity link URL'),
                 'name' => self::DATA_IDENTITY_LINK_URL,
                 'disabled' => $disabled,
+                'class' => 'validate-url',
                 'note' => __(
                     'URL to redirect user to link their 3rd party account with this Magento integration credentials.'
                 )

app/code/Magento/Integration/Controller/Adminhtml/Integration.php

@@ -3,10 +3,14 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+
+declare(strict_types=1);
+
 namespace Magento\Integration\Controller\Adminhtml;
 
 use Magento\Backend\App\Action;
-use Magento\Integration\Api\OauthServiceInterface as IntegrationOauthService;
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Url\Validator;
 
 /**
  * Controller for integrations management.
@@ -20,18 +24,18 @@ abstract class Integration extends Action
      *
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_Integration::integrations';
+    public const ADMIN_RESOURCE = 'Magento_Integration::integrations';
 
     /** Param Key for extracting integration id from Request */
-    const PARAM_INTEGRATION_ID = 'id';
+    public const PARAM_INTEGRATION_ID = 'id';
 
     /** Reauthorize flag is used to distinguish activation from reauthorization */
-    const PARAM_REAUTHORIZE = 'reauthorize';
+    public const PARAM_REAUTHORIZE = 'reauthorize';
 
-    const REGISTRY_KEY_CURRENT_INTEGRATION = 'current_integration';
+    public const REGISTRY_KEY_CURRENT_INTEGRATION = 'current_integration';
 
     /** Saved API form data session key */
-    const REGISTRY_KEY_CURRENT_RESOURCE = 'current_resource';
+    public const REGISTRY_KEY_CURRENT_RESOURCE = 'current_resource';
 
     /**
      * @var \Magento\Framework\Registry
@@ -73,6 +77,11 @@ abstract class Integration extends Action
      */
     protected $escaper;
 
+    /**
+     * @var Validator
+     */
+    protected $urlValidator;
+
     /**
      * @param \Magento\Backend\App\Action\Context $context
      * @param \Magento\Framework\Registry $registry
@@ -83,6 +92,9 @@ abstract class Integration extends Action
      * @param \Magento\Integration\Helper\Data $integrationData
      * @param \Magento\Framework\Escaper $escaper
      * @param \Magento\Integration\Model\ResourceModel\Integration\Collection $integrationCollection
+     * @param Validator|null $urlValidator
+     *
+     * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
         \Magento\Backend\App\Action\Context $context,
@@ -93,7 +105,8 @@ public function __construct(
         \Magento\Framework\Json\Helper\Data $jsonHelper,
         \Magento\Integration\Helper\Data $integrationData,
         \Magento\Framework\Escaper $escaper,
-        \Magento\Integration\Model\ResourceModel\Integration\Collection $integrationCollection
+        \Magento\Integration\Model\ResourceModel\Integration\Collection $integrationCollection,
+        Validator $urlValidator = null
     ) {
         parent::__construct($context);
         $this->_registry = $registry;
@@ -104,6 +117,7 @@ public function __construct(
         $this->_integrationData = $integrationData;
         $this->escaper = $escaper;
         $this->_integrationCollection = $integrationCollection;
+        $this->urlValidator = $urlValidator ?: ObjectManager::getInstance()->get(Validator::class);
         parent::__construct($context);
     }
 

app/code/Magento/Integration/Controller/Adminhtml/Integration/Save.php

@@ -3,6 +3,9 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+
+declare(strict_types=1);
+
 namespace Magento\Integration\Controller\Adminhtml\Integration;
 
 use Magento\Framework\App\Action\HttpPostActionInterface as HttpPostActionInterface;
@@ -30,6 +33,7 @@ class Save extends \Magento\Integration\Controller\Adminhtml\Integration impleme
      *
      * @return SecurityCookie
      * @deprecated 100.1.0
+     * @see we don't recommend this approach anymore
      */
     private function getSecurityCookie()
     {
@@ -76,7 +80,7 @@ public function execute()
             $this->messageManager->addErrorMessage($this->escaper->escapeHtml($e->getMessage()));
             $this->_getSession()->setIntegrationData($this->getRequest()->getPostValue());
             $this->_redirectOnSaveError();
-        } catch (\Magento\Framework\Exception\LocalizedException $e) {
+        } catch (LocalizedException $e) {
             $this->messageManager->addErrorMessage($this->escaper->escapeHtml($e->getMessage()));
             $this->_redirectOnSaveError();
         } catch (\Exception $e) {
@@ -148,6 +152,8 @@ protected function _redirectOnSaveError()
      *
      * @param array $integrationData
      * @return void
+     * @throws IntegrationException
+     * @throws LocalizedException
      */
     private function processData($integrationData)
     {
@@ -157,7 +163,15 @@ private function processData($integrationData)
             if (!isset($data['resource'])) {
                 $integrationData['resource'] = [];
             }
+
             $integrationData = array_merge($integrationData, $data);
+
+            // Check if the Identity Link URL field is not empty and then validate it
+            $url = $integrationData[Info::DATA_IDENTITY_LINK_URL] ?? null;
+            if (!empty($url) && !$this->urlValidator->isValid($url)) {
+                throw new LocalizedException(__('Invalid Identity Link URL'));
+            }
+
             if (!isset($integrationData[Info::DATA_ID])) {
                 $integration = $this->_integrationService->create($integrationData);
             } else {

app/code/Magento/Integration/i18n/en_US.csv

@@ -125,3 +125,4 @@ OAuth,OAuth
 "Integrations API configuration file","Integrations API configuration file"
 "We couldn't find any records.","We couldn't find any records."
 Status,Status
+"Invalid Identity Link URL", "Invalid Identity Link URL"