#39353 Added sanitization of address fields for the presence of template variables in the customer address

[rostilos]

Description (*)

Added sanitize for address fields. Added for abstract address model class to avoid template processor handling variables specified directly in the address.
{{ template_var }} -> {{ template_var }}

Related Pull Requests

Fixed Issues (if relevant)

1. Fixes [Address Book Bug] Template filter \Magento\Framework\Filter\Template cannot deal with improper input #39353

Manual testing scenarios (*)

1. When creating or editing an address ( storefront/adminhtml ), enter into any of the address fields a template variable of the following form : {{if city}}{{var city}}, {{/if}}
2. Check if there is a validation error

Questions or comments

Contribution checklist (*)

• Pull request has a meaningful description of its purpose
• All commits are accompanied by meaningful commit messages
• All new or changed code is covered with unit/integration tests (if applicable)
• README.md files for modified modules are updated and included in the pull request if any README.md predefined sections require an update
• All automated tests passed successfully (all builds are green)

[m2-assistant]

Hi @rostilos. Thank you for your contribution!
Here are some useful tips on how you can test your changes using Magento test environment.
❗ Automated tests can be triggered manually with an appropriate comment:

• @magento run all tests - run or re-run all required tests against the PR changes
• @magento run <test-build(s)> - run or re-run specific test build(s)
  For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names.

Allowed build names are:

1. Database Compare
2. Functional Tests CE
3. Functional Tests EE
4. Functional Tests B2B
5. Integration Tests
6. Magento Health Index
7. Sample Data Tests CE
8. Sample Data Tests EE
9. Sample Data Tests B2B
10. Static Tests
11. Unit Tests
12. WebAPI Tests
13. Semantic Version Checker

You can find more information about the builds here
ℹ️ Run only required test builds during development. Run all test builds before sending your pull request for review.

---

For more details, review the Code Contributions documentation.
Join Magento Community Engineering Slack and ask your questions in #github channel.

[rostilos]

@magento run all tests

[rostilos]

@magento run all tests

[rostilos]

@magento run all tests

[rostilos]

@magento run all tests

[rostilos]

@magento run all tests

[magento-automated-testing]

Pull Requests are not mergeable to the mainline. Please merge the latest mainlines to your Pull Requests and restart the builds.

[rostilos]

@magento run all tests

[rostilos]

@magento run Functional Tests EE, Functional Tests B2B, Functional Tests CE

[rostilos]

I don't see a direct correlation between my edits and errors on most tests.
But I would like to clarify : what should I do to eliminate this error in the tests (which is obviously caused by my edits) ?

[engcom-Hotel]

@magento run all tests

[engcom-Hotel]

@magento run Functional Tests B2B, Functional Tests EE, Functional Tests CE, Integration Tests, Unit Tests

[engcom-Hotel]

Hello @rostilos,

Thanks for the contribution!

The changes seems good to us, but please address the below review suggestions.

Thanks

[rostilos]

@engcom-Hotel added requested edits

[rostilos]

@magento run all tests

[engcom-Bravo]

@magento run all tests

[engcom-Bravo]

Hi @rostilos,

Thanks for the collaboration & contribution!

✔️ QA Passed

Preconditions:

• Install fresh Magento 2.4-develop

Steps to reproduce

• When creating or editing an address ( storefront/adminhtml ), enter into any of the address fields a template variable of the following form : {{if city}}{{var city}}, {{/if}}
• Check if there is a validation error

Before: ✖️ 

After: ✔️

Builds are failed. Hence, moving this PR to Extended Testing.

Thanks.

[engcom-Dash]

@magento run all tests

[engcom-Dash]

@magento run Functional Tests B2B, Functional Tests CE, Unit Tests, Semantic Version Checker

[engcom-Dash]

The Functional B2B Test Failures are inconsistent and seems to be flaky. The failures neither related to PR nor part of the PR.

Build 1: Allure Report - B2B

Build 2 : Allure Report - B2B

The Functional CE Test Failures are inconsistent and seems to be flaky. The failures neither related to PR nor part of the PR.

Build 1: Allure Report - CE

Build 2: Allure Report - CE

[engcom-Dash]

@magento run Semantic Version Checker

[engcom-Dash]

Raised internal approval JIRA for the SVC failure. Moving this PR to Pending Approval now. We will proceed ahead on this once will get all the required approvals.

SVC: https://public-results-storage-prod.magento-testing-service.engineering/reports/magento/magento2/pull/39673/fe91115df9ac4816d7ed35f3ac9ac6f7/SemanticVersionChecker/report-magento2.html

[hostep]

Doesn't this try to fix the same problem as #38345 fixed? That last one already got included in Magento 2.4.8.

Correct me if I'm wrong. Just trying to prevent us fixing the same problem in 2 different ways.

[rostilos]

@hostep @engcom-Hotel
I agree that some of the edits in this PR will override the validation from the PR you mentioned (since sanitize happens before validation).
But the specified PR does not cover all fields available for user input, sanitize covers other fields ( company, postcode, etc. ). Sanitizing only fields not covered by validation I think is not a very correct solution
I agree that edits solve approximately the same security problem (e.g. CVE-2022-24086)., but it is also possible that one is partially just an addition to the other.
I would also like to hear the opinion of maintainers on this issue.