[TEST] Enhanced Customer Data Validation to Mitigate Code Injection Risks

app/code/Magento/Contact/Model/Mail.php

@@ -1,7 +1,7 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2024 Adobe
+ * All Rights Reserved.
  */
 namespace Magento\Contact\Model;
 
@@ -10,6 +10,9 @@
 use Magento\Store\Model\StoreManagerInterface;
 use Magento\Framework\App\ObjectManager;
 use Magento\Framework\App\Area;
+use Magento\Framework\Validator\Factory as ValidatorFactory;
+use Magento\Framework\Validator\Exception as ValidatorException;
+use Magento\Framework\DataObject;
 
 class Mail implements MailInterface
 {
@@ -33,24 +36,32 @@ class Mail implements MailInterface
      */
     private $storeManager;
 
+    /**
+     * @var ValidatorFactory
+     */
+    private $validatorFactory;
+
     /**
      * Initialize dependencies.
      *
      * @param ConfigInterface $contactsConfig
      * @param TransportBuilder $transportBuilder
      * @param StateInterface $inlineTranslation
      * @param StoreManagerInterface|null $storeManager
+     * @param ValidatorFactory $validatorFactory
      */
     public function __construct(
         ConfigInterface $contactsConfig,
         TransportBuilder $transportBuilder,
         StateInterface $inlineTranslation,
-        StoreManagerInterface $storeManager = null
+        StoreManagerInterface $storeManager = null,
+        ValidatorFactory $validatorFactory
     ) {
         $this->contactsConfig = $contactsConfig;
         $this->transportBuilder = $transportBuilder;
         $this->inlineTranslation = $inlineTranslation;
         $this->storeManager = $storeManager ?: ObjectManager::getInstance()->get(StoreManagerInterface::class);
+        $this->validatorFactory = $validatorFactory;
     }
 
     /**
@@ -59,9 +70,13 @@ public function __construct(
      * @param string $replyTo
      * @param array $variables
      * @return void
+     * @throws ValidatorException
      */
     public function send($replyTo, array $variables)
     {
+        // Perform validation before sending email
+        $this->_validate($variables['data']);
+
         /** @see \Magento\Contact\Controller\Index\Post::validatedParams() */
         $replyToName = !empty($variables['data']['name']) ? $variables['data']['name'] : null;
 
@@ -86,4 +101,23 @@ public function send($replyTo, array $variables)
             $this->inlineTranslation->resume();
         }
     }
+
+    /**
+     * Validate the contact form data.
+     *
+     * @param DataObject $data
+     * @throws ValidatorException
+     */
+    protected function _validate(DataObject $data)
+    {
+        $validator = $this->validatorFactory->createValidator('contact', 'save');
+
+        if (!$validator->isValid($data)) {
+            throw new ValidatorException(
+                null,
+                null,
+                $validator->getMessages()
+            );
+        }
+    }
 }

app/code/Magento/Contact/Model/Validator/Email.php

@@ -0,0 +1,98 @@
+<?php
+/**
+ * Copyright 2024 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\Contact\Model\Validator;
+
+use Magento\Framework\Validator\AbstractValidator;
+use Magento\Customer\Model\Validator\Pattern\EmailAddressValidator;
+use Magento\Framework\DataObject;
+
+/**
+ * Validator for email fields in contact form.
+ */
+class Email extends AbstractValidator
+{
+    /**
+     * @var EmailAddressValidator
+     */
+    protected $emailValidator;
+
+    /**
+     * Constructor.
+     *
+     * @param EmailAddressValidator $emailValidator
+     */
+    public function __construct(EmailAddressValidator $emailValidator)
+    {
+        $this->emailValidator = $emailValidator;
+    }
+
+    /**
+     * Validate email fields.
+     *
+     * @param DataObject $data
+     * @return bool
+     */
+    public function isValid($data): bool
+    {
+        if (!$this->emailValidator->isValidationEnabled()) {
+            return true;
+        }
+
+        $email = $data->getData('email');
+        if (empty($email)) {
+            return true;
+        }
+
+        if (!$this->validateEmailField($email)) {
+            return false;
+        }
+
+        return count($this->_messages) == 0;
+    }
+
+    /**
+     * Validate the email field.
+     *
+     * @param string|null $emailValue
+     * @return bool
+     */
+    protected function validateEmailField(?string $emailValue): bool
+    {
+        if (!$this->emailValidator->isValid($emailValue)) {
+            parent::_addMessages(
+                [
+                    __(
+                        'Email address is not valid! Allowed characters: %1',
+                        $this->emailValidator->allowedCharsDescription
+                    ),
+                ]
+            );
+            return false;
+        }
+
+        if ($this->isBlacklistEmail($emailValue)) {
+            parent::_addMessages([
+                __('The email address or domain is blacklisted.')
+            ]);
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
+     * Check if email field is blacklisted using the EmailAddressValidator.
+     *
+     * @param string|null $emailValue
+     * @return bool
+     */
+    protected function isBlacklistEmail(?string $emailValue): bool
+    {
+        return $this->emailValidator->isBlacklist($emailValue);
+    }
+}

app/code/Magento/Contact/Model/Validator/ForbiddenPattern.php

@@ -0,0 +1,62 @@
+<?php
+/**
+ * Copyright 2024 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\Contact\Model\Validator;
+
+use Magento\Framework\Validator\AbstractValidator;
+use Magento\Customer\Model\Validator\Pattern\ForbiddenValidator;
+use Magento\Framework\DataObject;
+
+/**
+ * Validator for forbidden patterns in contact form fields.
+ */
+class ForbiddenPattern extends AbstractValidator
+{
+    /**
+     * @var ForbiddenValidator
+     */
+    protected $forbiddenValidator;
+
+    /**
+     * Constructor.
+     *
+     * @param ForbiddenValidator $forbiddenValidator
+     */
+    public function __construct(ForbiddenValidator $forbiddenValidator)
+    {
+        $this->forbiddenValidator = $forbiddenValidator;
+    }
+
+    /**
+     * Validate contact form data fields against forbidden patterns.
+     *
+     * @param DataObject $data
+     * @return bool
+     * @throws LocalizedException
+     */
+    public function isValid($data): bool
+    {
+        if (!$this->forbiddenValidator->isValidationEnabled()) {
+            return true;
+        }
+
+        $dataFields = $data->getData();
+        if (empty($dataFields)) {
+            return true;
+        }
+
+        $isValid = $this->forbiddenValidator->validateDataRecursively($dataFields);
+
+        if (!$isValid) {
+            parent::_addMessages([
+                __('Fraud Protection: Forbidden pattern detected in contact form data')
+            ]);
+        }
+
+        return count($this->_messages) == 0;
+    }
+}

app/code/Magento/Contact/etc/validation.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+/**
+ * Copyright 2024 Adobe
+ * All Rights Reserved.
+ */
+-->
+<validation xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Validator/etc/validation.xsd">
+    <entity name="contact">
+        <rules>
+            <rule name="check_email">
+                <entity_constraints>
+                    <constraint alias="email_validator" class="Magento\Contact\Model\Validator\Email" />
+                </entity_constraints>
+            </rule>
+            <rule name="check_pattern">
+                <entity_constraints>
+                    <constraint alias="pattern_validator" class="Magento\Contact\Model\Validator\ForbiddenPattern" />
+                </entity_constraints>
+            </rule>
+        </rules>
+        <groups>
+            <group name="save">
+                <uses>
+                    <use rule="check_email"/>
+                    <use rule="check_pattern"/>
+                </uses>
+            </group>
+        </groups>
+    </entity>
+</validation>

app/code/Magento/Customer/Model/Validator/City.php

@@ -1,61 +1,76 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2024 Adobe
+ * All Rights Reserved.
  */
 declare(strict_types=1);
 
 namespace Magento\Customer\Model\Validator;
 
 use Magento\Customer\Model\Customer;
 use Magento\Framework\Validator\AbstractValidator;
+use Magento\Customer\Model\Validator\Pattern\CityValidator;
 
 /**
  * Customer city fields validator.
  */
 class City extends AbstractValidator
 {
     /**
-     * Allowed characters:
+     * @var CityValidator
+     */
+    private CityValidator $cityValidator;
+
+    /**
+     * Constructor.
      *
-     * \p{L}: Unicode letters.
-     * \p{M}: Unicode marks (diacritic marks, accents, etc.).
-     * ': Apostrophe mark.
-     * \s: Whitespace characters (spaces, tabs, newlines, etc.).
+     * @param CityValidator $cityValidator
      */
-    private const PATTERN_CITY = '/(?:[\p{L}\p{M}\s\-\']{1,100})/u';
+    public function __construct(CityValidator $cityValidator)
+    {
+        $this->cityValidator = $cityValidator;
+    }
 
     /**
-     * Validate city fields.
+     * Validate city field.
      *
-     * @param Customer $customer
+     * @param Customer $entity
      * @return bool
      */
-    public function isValid($customer)
+    public function isValid($entity): bool
     {
-        if (!$this->isValidCity($customer->getCity())) {
-            parent::_addMessages([[
-                'city' => "Invalid City. Please use A-Z, a-z, 0-9, -, ', spaces"
-            ]]);
+        if (!$this->cityValidator->isValidationEnabled()) {
+            return true;
+        }
+
+        $cityField = $entity->getCity();
+        if (empty($cityField)) {
+            return true;
+        }
+
+        if (!$this->validateCityField($cityField)) {
+            parent::_addMessages(
+                [
+                    __(
+                        '%1 is not valid! Allowed characters: %2',
+                        'City',
+                        $this->cityValidator->allowedCharsDescription
+                    ),
+                ]
+            );
         }
 
         return count($this->_messages) == 0;
     }
 
     /**
-     * Check if city field is valid.
+     * Validate the city field.
      *
      * @param string|null $cityValue
      * @return bool
      */
-    private function isValidCity($cityValue)
+    private function validateCityField(?string $cityValue): bool
     {
-        if ($cityValue != null) {
-            if (preg_match(self::PATTERN_CITY, $cityValue, $matches)) {
-                return $matches[0] == $cityValue;
-            }
-        }
-
-        return true;
+        return $this->cityValidator->isValid($cityValue);
     }
 }