Merge remote-tracking branch 'origin/ACP2E-4328' into PR_2025_11_20_flowers

thiaramus · thiaramus · commit a40ddc95ee77 · 2025-11-20T12:47:46.000-06:00
diff --git a/app/code/Magento/UrlRewrite/Model/Storage/DbStorage.php b/app/code/Magento/UrlRewrite/Model/Storage/DbStorage.php
@@ -112,6 +112,12 @@ protected function doFindOneByData(array $data)
             $result = null;
             $requestPath = $data[UrlRewrite::REQUEST_PATH];
             $decodedRequestPath = urldecode($requestPath);
+
+            // Validate UTF-8 encoding to prevent collation errors and reject malicious input
+            if (!$this->isValidRequestPath($decodedRequestPath)) {
+                return null;
+            }
+
             $data[UrlRewrite::REQUEST_PATH] = array_unique(
                 [
                 rtrim($requestPath, '/'),
@@ -130,6 +136,39 @@ protected function doFindOneByData(array $data)
         return $this->connection->fetchRow($this->prepareSelect($data));
     }
 
+    /**
+     * Validate request path for valid UTF-8 and prevent collation errors
+     *
+     * This method checks for:
+     * - Invalid UTF-8 sequences (e.g., overlong encodings like %c0%ae)
+     * - 4-byte UTF-8 characters (emojis) that may cause collation mismatches
+     * - Non-printable and control characters
+     *
+     * @param string $path
+     * @return bool
+     */
+    private function isValidRequestPath(string $path): bool
+    {
+        // Check for valid UTF-8 encoding
+        if (!mb_check_encoding($path, 'UTF-8')) {
+            return false;
+        }
+
+        // Check for 4-byte UTF-8 characters (emojis, etc.) that can cause collation issues
+        // 4-byte UTF-8 chars start with bytes 0xF0-0xF7 (11110xxx in binary)
+        if (preg_match('/[\x{10000}-\x{10FFFF}]/u', $path)) {
+            return false;
+        }
+
+        // Check for control characters and other problematic characters
+        // Allow: letters, numbers, hyphen, underscore, period, forward slash, and common URL-safe chars
+        if (preg_match('/[\x00-\x1F\x7F]/', $path)) {
+            return false;
+        }
+
+        return true;
+    }
+
     /**
      * Extract most relevant url rewrite from url rewrites list
      *
diff --git a/app/code/Magento/UrlRewrite/Test/Unit/Model/Storage/DbStorageTest.php b/app/code/Magento/UrlRewrite/Test/Unit/Model/Storage/DbStorageTest.php
@@ -618,4 +618,204 @@ public function testDeleteByData(): void
 
         $this->storage->deleteByData($data);
     }
+
+    /**
+     * Test that invalid UTF-8 sequences are rejected to prevent collation errors
+     *
+     * @dataProvider invalidRequestPathDataProvider
+     * @param string $requestPath
+     * @param string $description
+     * @return void
+     */
+    public function testFindOneByDataRejectsInvalidUtf8Sequences(string $requestPath, string $description): void
+    {
+        $data = [
+            UrlRewrite::REQUEST_PATH => $requestPath,
+            UrlRewrite::STORE_ID => 1
+        ];
+
+        // Database should never be queried for invalid paths
+        $this->connectionMock->expects($this->never())
+            ->method('fetchAll');
+
+        $this->connectionMock->expects($this->never())
+            ->method('fetchRow');
+
+        $result = $this->storage->findOneByData($data);
+
+        $this->assertNull($result, "Failed for case: {$description}");
+    }
+
+    /**
+     * Test that valid UTF-8 paths with normal characters work correctly
+     *
+     * @dataProvider validRequestPathDataProvider
+     * @param string $requestPath
+     * @param string $description
+     * @return void
+     */
+    public function testFindOneByDataAcceptsValidUtf8Paths(string $requestPath, string $description): void
+    {
+        $data = [
+            UrlRewrite::REQUEST_PATH => $requestPath,
+            UrlRewrite::STORE_ID => 1
+        ];
+
+        $this->connectionMock->method('quoteIdentifier')
+            ->willReturnArgument(0);
+
+        $this->select->method('where')
+            ->willReturnSelf();
+
+        // Database should be queried normally
+        $this->connectionMock->expects($this->once())
+            ->method('fetchAll')
+            ->with($this->select)
+            ->willReturn([]);
+
+        $result = $this->storage->findOneByData($data);
+
+        // Result should be null (no matching URL found), but query should have executed
+        $this->assertNull($result, "Failed for case: {$description}");
+    }
+
+    /**
+     * Data provider for invalid request paths that should be rejected
+     *
+     * @return array
+     */
+    public function invalidRequestPathDataProvider(): array
+    {
+        return [
+            // Path traversal attempts with overlong UTF-8 encoding (invalid UTF-8)
+            [
+                '%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd',
+                'Path traversal with overlong encoding (%c0%ae) - invalid UTF-8'
+            ],
+            // Invalid single UTF-8 byte
+            [
+                '%C0',
+                'Invalid single UTF-8 byte'
+            ],
+            // Emojis (4-byte UTF-8 characters that cause collation issues)
+            [
+                '🔎',
+                'Magnifying glass emoji (U+1F50E) - 4-byte UTF-8'
+            ],
+            [
+                'search/🔎',
+                'Emoji in path segment - 4-byte UTF-8'
+            ],
+            [
+                '😀',
+                'Grinning face emoji (U+1F600) - 4-byte UTF-8'
+            ],
+            [
+                '🎉',
+                'Party popper emoji (U+1F389) - 4-byte UTF-8'
+            ],
+            // Control characters
+            [
+                "test\x00path",
+                'Null byte in path'
+            ],
+            [
+                "test\x1Fpath",
+                'Unit separator control character'
+            ],
+            [
+                "test\x7Fpath",
+                'DEL control character'
+            ],
+            // Mixed invalid sequences
+            [
+                '%c0%ae%c0%ae/🔎/test',
+                'Overlong encoding with emoji - invalid UTF-8'
+            ],
+            // More 4-byte UTF-8 characters
+            [
+                '𝕳𝖊𝖑𝖑𝖔',
+                'Mathematical alphanumeric symbols (U+1D573-U+1D586) - 4-byte UTF-8'
+            ],
+            [
+                '🏠',
+                'House emoji (U+1F3E0) - 4-byte UTF-8'
+            ],
+        ];
+    }
+
+    /**
+     * Data provider for valid request paths that should be accepted
+     *
+     * @return array
+     */
+    public function validRequestPathDataProvider(): array
+    {
+        return [
+            // Standard ASCII paths
+            [
+                'products/laptop',
+                'Simple product path'
+            ],
+            [
+                'category/electronics/computers',
+                'Multi-level category path'
+            ],
+            [
+                'about-us',
+                'Simple CMS page'
+            ],
+            // Valid 3-byte UTF-8 characters (should work)
+            [
+                'café-menu',
+                'French accented character (é)'
+            ],
+            [
+                'products/niño',
+                'Spanish ñ character'
+            ],
+            [
+                'münchen-store',
+                'German umlaut (ü)'
+            ],
+            [
+                'товар',
+                'Cyrillic characters'
+            ],
+            [
+                '产品',
+                'Chinese characters (3-byte UTF-8)'
+            ],
+            [
+                'المنتجات',
+                'Arabic characters'
+            ],
+            // Special URL-safe characters
+            [
+                'product-name-123',
+                'Hyphens and numbers'
+            ],
+            [
+                'product_name_test',
+                'Underscores'
+            ],
+            [
+                'category/sub.category',
+                'Dots in path'
+            ],
+            [
+                'path/to/page',
+                'Forward slashes'
+            ],
+            // URL-encoded valid characters
+            [
+                'product%20name',
+                'URL-encoded space'
+            ],
+            [
+                'category%2Fsubcategory',
+                'URL-encoded forward slash'
+            ],
+        ];
+    }
 }
