Add ImageContentPolyglotValidator to prevent polyglot file uploads

Plugin/ImageContentPolyglotValidator.php

@@ -0,0 +1,58 @@
+<?php
+
+declare(strict_types=1);
+
+namespace MarkShust\PolyshellPatch\Plugin;
+
+use Magento\Framework\Api\Data\ImageContentInterface;
+use Magento\Framework\Api\ImageContentValidator;
+use Magento\Framework\Exception\InputException;
+use Magento\Framework\Phrase;
+
+class ImageContentPolyglotValidator
+{
+    private const DANGEROUS_MARKERS = [
+        '<?php',
+        '<?=',
+        '<? ',
+        'eval(',
+        'base64_decode',
+        'shell_exec',
+        'system(',
+        'passthru(',
+        'assert(',
+        'phar://',
+        'GIF89a;<?',
+    ];
+
+    public function afterIsValid(
+        ImageContentValidator $subject,
+        bool $result,
+        ImageContentInterface $imageContent
+    ): bool {
+        if ($result === false) {
+            return false;
+        }
+
+        $base64 = (string) $imageContent->getBase64EncodedData();
+        if ($base64 === '') {
+            return $result;
+        }
+
+        $decoded = base64_decode($base64, true);
+        if ($decoded === false) {
+            throw new InputException(new Phrase('Invalid image payload encoding.'));
+        }
+
+        $haystack = strtolower($decoded);
+        foreach (self::DANGEROUS_MARKERS as $marker) {
+            if (strpos($haystack, strtolower($marker)) !== false) {
+                throw new InputException(
+                    new Phrase('The uploaded image content is not allowed.')
+                );
+            }
+        }
+
+        return $result;
+    }
+}

Test/Unit/Plugin/ImageContentPolyglotValidatorTest.php

@@ -0,0 +1,88 @@
+<?php
+
+declare(strict_types=1);
+
+namespace MarkShust\PolyshellPatch\Test\Unit\Plugin;
+
+use MarkShust\PolyshellPatch\Plugin\ImageContentPolyglotValidator;
+use Magento\Framework\Api\Data\ImageContentInterface;
+use Magento\Framework\Api\ImageContentValidator;
+use Magento\Framework\Exception\InputException;
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
+
+class ImageContentPolyglotValidatorTest extends TestCase
+{
+    private ImageContentPolyglotValidator $model;
+
+    /** @var ImageContentValidator|MockObject */
+    private $subjectMock;
+
+    /** @var ImageContentInterface|MockObject */
+    private $imageContentMock;
+
+    protected function setUp(): void
+    {
+        $this->model = new ImageContentPolyglotValidator();
+        $this->subjectMock = $this->createMock(ImageContentValidator::class);
+        $this->imageContentMock = $this->createMock(ImageContentInterface::class);
+    }
+
+    public function testValidGifPasses(): void
+    {
+        $validGif = base64_encode('GIF89a' . str_repeat("\x00", 10));
+        $this->imageContentMock->method('getBase64EncodedData')->willReturn($validGif);
+
+        $result = $this->model->afterIsValid($this->subjectMock, true, $this->imageContentMock);
+        $this->assertTrue($result);
+    }
+
+    public function testPhpContentMarkerIsRejected(): void
+    {
+        $payload = '<?php echo "hello";';
+        $this->imageContentMock->method('getBase64EncodedData')->willReturn(base64_encode($payload));
+
+        $this->expectException(InputException::class);
+        $this->expectExceptionMessage('The uploaded image content is not allowed.');
+
+        $this->model->afterIsValid($this->subjectMock, true, $this->imageContentMock);
+    }
+
+    public function testGifPhpPolyglotIsRejected(): void
+    {
+        $payload = 'GIF89a;<?php eval(base64_decode("dGVzdA==")); ?>';
+        $this->imageContentMock->method('getBase64EncodedData')->willReturn(base64_encode($payload));
+
+        $this->expectException(InputException::class);
+        $this->expectExceptionMessage('The uploaded image content is not allowed.');
+
+        $this->model->afterIsValid($this->subjectMock, true, $this->imageContentMock);
+    }
+
+    public function testEmptyDataPasses(): void
+    {
+        $this->imageContentMock->method('getBase64EncodedData')->willReturn('');
+
+        $result = $this->model->afterIsValid($this->subjectMock, true, $this->imageContentMock);
+        $this->assertTrue($result);
+    }
+
+    public function testFalseCoreValidationResultIsPreserved(): void
+    {
+        $this->imageContentMock->expects($this->never())->method('getBase64EncodedData');
+
+        $result = $this->model->afterIsValid($this->subjectMock, false, $this->imageContentMock);
+        $this->assertFalse($result);
+    }
+
+    public function testInvalidEncodingThrowsException(): void
+    {
+        // "!!!" is not valid base64 with strict check
+        $this->imageContentMock->method('getBase64EncodedData')->willReturn('!!!');
+
+        $this->expectException(InputException::class);
+        $this->expectExceptionMessage('Invalid image payload encoding.');
+
+        $this->model->afterIsValid($this->subjectMock, true, $this->imageContentMock);
+    }
+}

Test/bootstrap.php

@@ -0,0 +1,36 @@
+<?php
+
+declare(strict_types=1);
+
+$autoloadCandidates = array_filter([
+    __DIR__ . '/../vendor/autoload.php',
+    getenv('MAGENTO_AUTOLOAD') ?: null,
+]);
+
+$autoloadLoaded = false;
+foreach ($autoloadCandidates as $autoloadFile) {
+    if (is_string($autoloadFile) && is_file($autoloadFile)) {
+        require_once $autoloadFile;
+        $autoloadLoaded = true;
+        break;
+    }
+}
+
+if (!$autoloadLoaded) {
+    fwrite(STDERR, "Unable to locate Composer autoload.php for Magento dependencies.\n");
+    fwrite(STDERR, "Set MAGENTO_AUTOLOAD=/path/to/vendor/autoload.php or install local dependencies.\n");
+    exit(1);
+}
+
+spl_autoload_register(static function (string $class): void {
+    $prefix = 'MarkShust\\PolyshellPatch\\';
+    if (strpos($class, $prefix) !== 0) {
+        return;
+    }
+
+    $relativeClass = substr($class, strlen($prefix));
+    $path = dirname(__DIR__) . '/' . str_replace('\\', '/', $relativeClass) . '.php';
+    if (is_file($path)) {
+        require_once $path;
+    }
+});

composer.json

@@ -6,6 +6,7 @@
         "magento/framework": "^103"
     },
     "require-dev": {
+        "phpunit/phpunit": "^10.5",
         "roave/security-advisories": "dev-latest"
     },
     "type": "magento2-module",
@@ -19,5 +20,13 @@
         "psr-4": {
             "MarkShust\\PolyshellPatch\\": ""
         }
+    },
+    "autoload-dev": {
+        "psr-4": {
+            "MarkShust\\PolyshellPatch\\Test\\": "Test/"
+        }
+    },
+    "scripts": {
+        "test": "phpunit --configuration phpunit.xml.dist"
     }
 }

etc/di.xml

@@ -2,11 +2,17 @@
 <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
     <type name="Magento\Framework\Api\ImageProcessor">
-        <plugin name="markshust_polyshell_restrict_upload_extensions"
-                type="MarkShust\PolyshellPatch\Plugin\ImageProcessorRestrictExtensions"/>
+        <plugin name="markshust_polyshellpatch_restrict_extensions"
+                type="MarkShust\PolyshellPatch\Plugin\ImageProcessorRestrictExtensions"
+                sortOrder="10"/>
     </type>
+
     <type name="Magento\Framework\Api\ImageContentValidator">
-        <plugin name="markshust_polyshell_validate_file_extension"
-                type="MarkShust\PolyshellPatch\Plugin\ImageContentValidatorExtension"/>
+        <plugin name="markshust_polyshellpatch_extension_validator"
+                type="MarkShust\PolyshellPatch\Plugin\ImageContentValidatorExtension"
+                sortOrder="10"/>
+        <plugin name="markshust_polyshellpatch_polyglot_validator"
+                type="MarkShust\PolyshellPatch\Plugin\ImageContentPolyglotValidator"
+                sortOrder="20"/>
     </type>
 </config>

phpunit.xml.dist

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/10.5/phpunit.xsd"
+         bootstrap="Test/bootstrap.php"
+         colors="true"
+         cacheDirectory=".phpunit.cache">
+    <testsuites>
+        <testsuite name="unit">
+            <directory>Test/Unit</directory>
+        </testsuite>
+    </testsuites>
+</phpunit>