
#39353 Added sanitization of address fields for the presence of template variables in the customer address #39673


Open: wants to merge 13 commits into 2.4-develop

Conversation

rostilos
Contributor

@rostilos rostilos commented Feb 28, 2025

Description (*)

Added sanitization for address fields. Added to the abstract address model class to avoid the template processor handling variables specified directly in the address.
{{ template_var }} -> {{ template_var }}

Related Pull Requests

Fixed Issues (if relevant)

  1. Fixes [Address Book Bug] Template filter \Magento\Framework\Filter\Template cannot deal with improper input #39353

Manual testing scenarios (*)

  1. When creating or editing an address (storefront/adminhtml), enter into any of the address fields a template variable of the following form: {{if city}}{{var city}}, {{/if}}
  2. Check if there is a validation error

Questions or comments

Contribution checklist (*)

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • README.md files for modified modules are updated and included in the pull request if any README.md predefined sections require an update
  • All automated tests passed successfully (all builds are green)
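As an added illustration of the idea in this description (not the PR's own code, and not necessarily the transformation it implements), the class below neutralises `{{ ... }}` constructions in address input before the value can reach a template filter, and reports which fields carried template syntax so the event can be logged. The field list and the directive pattern are assumptions; Magento's abstract address model and `\Magento\Framework\Filter\Template` define the real ones.

```php
<?php
declare(strict_types=1);

/** Illustrative sanitizer for customer address input (added example, not the PR's code). */
final class AddressTemplateSanitizer
{
    /** Hypothetical field list; the real set lives in Magento's abstract address model. */
    private const FIELDS = ['firstname', 'lastname', 'company', 'street', 'city', 'region', 'postcode', 'telephone'];

    /** Assumed approximation of a directive opener: "{{", optional "/", then a directive name. */
    private const DIRECTIVE = '/\{\{\s*\/?\s*[a-z]+/i';

    /** Detection only: lets a caller log or alert on requests that carry template syntax. */
    public static function containsDirective(string $value): bool
    {
        return preg_match(self::DIRECTIVE, $value) === 1;
    }

    /** Split the delimiter pairs so they can no longer open or close a construction. */
    public static function sanitizeValue(string $value): string
    {
        return str_replace(['{{', '}}'], ['{ {', '} }'], $value);
    }

    /**
     * Sanitise every known field (street may be a multi-line array) and return the
     * cleaned data together with the names of fields that contained template syntax.
     *
     * @param array<string, string|string[]> $address
     * @return array{data: array<string, string|string[]>, flagged: string[]}
     */
    public static function sanitize(array $address): array
    {
        $flagged = [];
        foreach (self::FIELDS as $field) {
            if (!array_key_exists($field, $address)) {
                continue;
            }
            $lines = is_array($address[$field]) ? $address[$field] : [$address[$field]];
            foreach ($lines as $i => $line) {
                if (self::containsDirective((string) $line)) {
                    $flagged[] = $field;
                }
                $lines[$i] = self::sanitizeValue((string) $line);
            }
            $address[$field] = is_array($address[$field]) ? $lines : $lines[0];
        }
        return ['data' => $address, 'flagged' => array_values(array_unique($flagged))];
    }
}

// Constructed sample input using the variable form from the manual testing scenario above.
$result = AddressTemplateSanitizer::sanitize([
    'city'     => '{{if city}}{{var city}}, {{/if}}',
    'street'   => ['1 Main St', '{{var company}}'],
    'postcode' => '12345',
]);
echo json_encode($result, JSON_PRETTY_PRINT), PHP_EOL;
```

Sanitising on write only protects data saved after the change is deployed, so addresses already stored still depend on the template filter's own validation. The replacement is deliberately lossy, which is acceptable here because a literal `{{` has no legitimate use in a postal address.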


m2-assistant bot commented Feb 28, 2025

Hi @rostilos. Thank you for your contribution!
Here are some useful tips on how you can test your changes using Magento test environment.
❗ Automated tests can be triggered manually with an appropriate comment:

  • @magento run all tests - run or re-run all required tests against the PR changes
  • @magento run <test-build(s)> - run or re-run specific test build(s)
    For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names.

Allowed build names are:
  1. Database Compare
  2. Functional Tests CE
  3. Functional Tests EE
  4. Functional Tests B2B
  5. Integration Tests
  6. Magento Health Index
  7. Sample Data Tests CE
  8. Sample Data Tests EE
  9. Sample Data Tests B2B
  10. Static Tests
  11. Unit Tests
  12. WebAPI Tests
  13. Semantic Version Checker

You can find more information about the builds here
ℹ️ Run only required test builds during development. Run all test builds before sending your pull request for review.


For more details, review the Code Contributions documentation.
Join Magento Community Engineering Slack and ask your questions in #github channel.

@m2-github-services m2-github-services added Partner: Perspective partners-contribution Pull Request is created by Magento Partner labels Feb 28, 2025
@rostilos
Contributor Author

@magento run all tests

@engcom-Bravo engcom-Bravo added the Priority: P3 May be fixed according to the position in the backlog. label Feb 28, 2025
…plate-vars-in-customer-addr' into fix-for-issue-39353-validate-template-vars-in-customer-addr
@rostilos
Contributor Author

@magento run all tests

@rostilos rostilos marked this pull request as draft March 2, 2025 12:33
rostilos added 2 commits March 2, 2025 16:04
…plate-vars-in-customer-addr' into fix-for-issue-39353-validate-template-vars-in-customer-addr
@rostilos rostilos marked this pull request as ready for review March 2, 2025 14:07
@rostilos
Contributor Author

rostilos commented Mar 2, 2025

@magento run all tests

@rostilos
Contributor Author

rostilos commented Mar 2, 2025

@magento run all tests

@rostilos rostilos changed the title #39353 Added validation for the presence of template variables in the… #39353 Added sanitization of address fields for the presence of template variables in the customer address Mar 2, 2025
@Priyakshic Priyakshic added the Project: Community Picked PRs upvoted by the community label Mar 13, 2025
@Priyakshic Priyakshic moved this to Pending Review in Community Dashboard Mar 13, 2025
@rostilos
Contributor Author

@magento run all tests


Pull Requests are not mergeable to the mainline. Please merge the latest mainlines to your Pull Requests and restart the builds.

…te-template-vars-in-customer-addr

# Conflicts:
#	app/code/Magento/Customer/etc/di.xml
@rostilos
Contributor Author

@magento run all tests

@rostilos
Contributor Author

@magento run Functional Tests EE, Functional Tests B2B, Functional Tests CE

@rostilos
Contributor Author

I don't see a direct correlation between my edits and errors on most tests.
But I would like to clarify: what should I do to eliminate this error in the tests (which is obviously caused by my edits)?
Screenshot_20250321_105116

@engcom-Hotel
Contributor

@magento run all tests

@engcom-Hotel engcom-Hotel moved this from Pending Review to Review in Progress in Community Dashboard Apr 2, 2025
@engcom-Hotel
Contributor

@magento run Functional Tests B2B, Functional Tests EE, Functional Tests CE, Integration Tests, Unit Tests

Contributor

@engcom-Hotel engcom-Hotel left a comment


Hello @rostilos,

Thanks for the contribution!

The changes seem good to us, but please address the review suggestions below.

Thanks

@engcom-Hotel engcom-Hotel moved this from Review in Progress to Changes Requested in Community Dashboard Apr 2, 2025
rostilos and others added 2 commits April 3, 2025 13:30
Co-authored-by: Abhinav Pathak <51681618+engcom-Hotel@users.noreply.github.com>
@rostilos
Contributor Author

rostilos commented Apr 3, 2025

@engcom-Hotel added requested edits

@rostilos
Contributor Author

rostilos commented Apr 3, 2025

@magento run all tests

@engcom-Hotel engcom-Hotel moved this from Changes Requested to Ready for Testing in Community Dashboard Apr 3, 2025
@engcom-Bravo engcom-Bravo moved this from Ready for Testing to Testing in Progress in Community Dashboard Apr 8, 2025
@engcom-Bravo
Contributor

@magento run all tests

@engcom-Bravo
Contributor

Hi @rostilos,

Thanks for the collaboration & contribution!

✔️ QA Passed

Preconditions:

  • Install fresh Magento 2.4-develop

Steps to reproduce

  • When creating or editing an address (storefront/adminhtml), enter into any of the address fields a template variable of the following form: {{if city}}{{var city}}, {{/if}}
  • Check if there is a validation error

Before: ✖️ 

Screenshot 2025-04-09 at 1 25 09 pm

After: ✔️

Screenshot 2025-04-09 at 5 02 43 pm

Builds have failed. Hence, moving this PR to Extended Testing.

Thanks.

@engcom-Bravo engcom-Bravo moved this from Testing in Progress to Extended testing (optional) in Community Dashboard Apr 9, 2025
@engcom-Dash engcom-Dash self-assigned this Apr 9, 2025
@engcom-Dash
Contributor

@magento run all tests

@engcom-Dash
Contributor

@magento run Functional Tests B2B, Functional Tests CE, Unit Tests, Semantic Version Checker

@engcom-Dash
Contributor

The Functional B2B Test Failures are inconsistent and seem to be flaky. The failures are neither related to the PR nor part of the PR.

Build 1: Allure Report - B2B

image

Build 2 : Allure Report - B2B

image

The Functional CE Test Failures are inconsistent and seem to be flaky. The failures are neither related to the PR nor part of the PR.

Build 1: Allure Report - CE

image

Build 2: Allure Report - CE

image

@engcom-Dash engcom-Dash moved this from Extended testing (optional) to To Approve in Community Dashboard Apr 11, 2025
@engcom-Dash
Contributor

@magento run Semantic Version Checker

@engcom-Dash
Contributor

Raised internal approval JIRA for the SVC failure. Moving this PR to Pending Approval now. We will proceed ahead on this once we get all the required approvals.

SVC: https://public-results-storage-prod.magento-testing-service.engineering/reports/magento/magento2/pull/39673/fe91115df9ac4816d7ed35f3ac9ac6f7/SemanticVersionChecker/report-magento2.html

Screenshot 2025-05-02 at 11 20 51 AM

@hostep
Contributor

hostep commented May 2, 2025

Doesn't this try to fix the same problem as #38345 fixed? That last one already got included in Magento 2.4.8.

Correct me if I'm wrong. Just trying to prevent us fixing the same problem in 2 different ways.

@rostilos
Contributor Author

rostilos commented May 2, 2025

@hostep @engcom-Hotel
I agree that some of the edits in this PR will override the validation from the PR you mentioned (since sanitization happens before validation).
But the specified PR does not cover all fields available for user input; sanitization covers other fields (company, postcode, etc.). Sanitizing only the fields not covered by validation is, I think, not a very correct solution.
I agree that the edits solve approximately the same security problem (e.g. CVE-2022-24086), but it is also possible that one is partially just an addition to the other.
I would also like to hear the opinion of maintainers on this issue.

Labels
Partner: Perspective partners-contribution Pull Request is created by Magento Partner Priority: P3 May be fixed according to the position in the backlog. Progress: pending approval Progress: ready for testing Project: Community Picked PRs upvoted by the community
Projects
Status: Pending Approval
Development

Successfully merging this pull request may close these issues.

[Address Book Bug] Template filter \Magento\Framework\Filter\Template cannot deal with improper input
7 participants