AC-14331: Customer address attribute enhancement

Author: nishant04412

app/code/Magento/Customer/Controller/Address/FormPost.php

@@ -1,32 +1,34 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2014 Adobe
+ * All Rights Reserved.
  */
 
 namespace Magento\Customer\Controller\Address;
 
-use Magento\Framework\App\Action\HttpPostActionInterface as HttpPostActionInterface;
+use Magento\Customer\Api\AddressMetadataInterface;
 use Magento\Customer\Api\AddressRepositoryInterface;
 use Magento\Customer\Api\Data\AddressInterfaceFactory;
 use Magento\Customer\Api\Data\RegionInterface;
 use Magento\Customer\Api\Data\RegionInterfaceFactory;
 use Magento\Customer\Model\Address\Mapper;
 use Magento\Customer\Model\Metadata\FormFactory;
 use Magento\Customer\Model\Session;
+use Magento\Customer\Model\Validator\Address\File as FileNameValidator;
 use Magento\Directory\Helper\Data as HelperData;
 use Magento\Directory\Model\RegionFactory;
 use Magento\Framework\Api\DataObjectHelper;
 use Magento\Framework\App\Action\Context;
+use Magento\Framework\App\Action\HttpPostActionInterface as HttpPostActionInterface;
+use Magento\Framework\App\Filesystem\DirectoryList;
 use Magento\Framework\App\ObjectManager;
 use Magento\Framework\Controller\Result\ForwardFactory;
 use Magento\Framework\Data\Form\FormKey\Validator as FormKeyValidator;
 use Magento\Framework\Exception\InputException;
+use Magento\Framework\Exception\NotFoundException;
+use Magento\Framework\Filesystem;
 use Magento\Framework\Reflection\DataObjectProcessor;
 use Magento\Framework\View\Result\PageFactory;
-use Magento\Framework\Filesystem;
-use Magento\Framework\App\Filesystem\DirectoryList;
-use Magento\Framework\Exception\NotFoundException;
 
 /**
  * Customer Address Form Post Controller
@@ -55,6 +57,16 @@ class FormPost extends \Magento\Customer\Controller\Address implements HttpPostA
      */
     private $filesystem;
 
+    /**
+     * @var AddressMetadataInterface
+     */
+    private $addressMetadata;
+
+    /**
+     * @var FileNameValidator
+     */
+    private $fileNameValidator;
+
     /**
      * @param Context $context
      * @param Session $customerSession
@@ -69,7 +81,9 @@ class FormPost extends \Magento\Customer\Controller\Address implements HttpPostA
      * @param PageFactory $resultPageFactory
      * @param RegionFactory $regionFactory
      * @param HelperData $helperData
-     * @param Filesystem $filesystem
+     * @param Filesystem|null $filesystem
+     * @param AddressMetadataInterface|null $addressMetadata
+     * @param FileNameValidator|null $fileNameValidator
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -86,11 +100,17 @@ public function __construct(
         PageFactory $resultPageFactory,
         RegionFactory $regionFactory,
         HelperData $helperData,
-        ?Filesystem $filesystem = null
+        ?Filesystem $filesystem = null,
+        ?AddressMetadataInterface $addressMetadata = null,
+        ?FileNameValidator $fileNameValidator = null
     ) {
         $this->regionFactory = $regionFactory;
         $this->helperData = $helperData;
         $this->filesystem = $filesystem ?: ObjectManager::getInstance()->get(Filesystem::class);
+        $this->addressMetadata = $addressMetadata
+            ?: ObjectManager::getInstance()->get(AddressMetadataInterface::class);
+        $this->fileNameValidator = $fileNameValidator
+            ?: ObjectManager::getInstance()->get(FileNameValidator::class);
         parent::__construct(
             $context,
             $customerSession,
@@ -253,6 +273,7 @@ public function execute()
      * @return Mapper
      *
      * @deprecated 100.1.3
+     * @see Mapper
      */
     private function getCustomerAddressMapper()
     {
@@ -272,19 +293,33 @@ private function getCustomerAddressMapper()
      */
     private function deleteAddressFileAttribute($address)
     {
-        $attributeValue = $address->getCustomAttribute($this->_request->getParam('delete_attribute_value'));
-        if ($attributeValue!== null) {
-            if ($attributeValue->getValue() !== '') {
+        $attributeCode = $this->_request->getParam('delete_attribute_value');
+        $attributeValue = $address->getCustomAttribute($attributeCode);
+
+        if ($attributeValue !== null) {
+            $attributeMetadata = $this->addressMetadata->getAttributeMetadata($attributeCode);
+
+            if ($attributeMetadata &&
+                $attributeMetadata->getFrontendInput() === 'file' &&
+                $attributeValue->getValue() !== ''
+            ) {
                 $mediaDirectory = $this->filesystem->getDirectoryWrite(DirectoryList::MEDIA);
                 $fileName = $attributeValue->getValue();
-                $path = $mediaDirectory->getAbsolutePath('customer_address' . $fileName);
-                if ($fileName && $mediaDirectory->isFile($path)) {
-                    $mediaDirectory->delete($path);
+
+                $filePath = AddressMetadataInterface::ENTITY_TYPE_ADDRESS
+                    . DIRECTORY_SEPARATOR
+                    . ltrim($fileName, DIRECTORY_SEPARATOR);
+                $absolutePath = $mediaDirectory->getAbsolutePath($filePath);
+                $allowedAbsolutePath = $mediaDirectory->getAbsolutePath(AddressMetadataInterface::ENTITY_TYPE_ADDRESS);
+
+                // Validate the file path
+                $this->fileNameValidator->validate($fileName, $absolutePath, $allowedAbsolutePath);
+
+                if ($fileName && $mediaDirectory->isFile($filePath)) {
+                    $mediaDirectory->delete($filePath);
                 }
-                $address->setCustomAttribute(
-                    $this->_request->getParam('delete_attribute_value'),
-                    ''
-                );
+
+                $address->setCustomAttribute($attributeCode, '');
             }
         }
 

app/code/Magento/Customer/Model/Validator/Address/File.php

@@ -0,0 +1,81 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\Customer\Model\Validator\Address;
+
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Framework\Filesystem\Driver\File as FileDriver;
+
+/**
+ * Validator for file uploads.
+ */
+class File
+{
+    /**
+     * Regular expression pattern for validating file paths.
+     */
+    private const PATTERN_NAME = '/(?:^|\/|\\\\)('
+        . '(?:\.{2}[\/\\\\]|%2e%2e%2f|%2e%2e\/|\.\.%2f|%2e%2e%5c|%2e%2e\\|\.\.%5c|'
+        . '%252e%252e%255c|\.\.%255c|%2e%2e\\\\|\.\.\\\\|\.\.%5c|%c0%2e%2e%2f|%c0%2e%2e%5c|'
+        . '%c0%ae%c0%ae%2f|%c0%ae%c0%ae%5c|%e0%40%ae%2e%2f|%e0%40%ae%2e%5c|%c0%2e%c0%2e%2f|'
+        . '%c0%2e%c0%2e%5c)'
+        . ')/';
+
+    /**
+     * @var FileDriver
+     */
+    private $fileDriver;
+
+    /**
+     * @param FileDriver $fileDriver
+     */
+    public function __construct(FileDriver $fileDriver)
+    {
+        $this->fileDriver = $fileDriver;
+    }
+
+    /**
+     * Validate the filename and path
+     *
+     * @param string $fileName
+     * @param string $absolutePath
+     * @param string $allowedAbsolutePath
+     * @return void
+     * @throws LocalizedException
+     */
+    public function validate(string $fileName, string $absolutePath, string $allowedAbsolutePath): void
+    {
+        if (!$this->isValid($fileName) || !$this->isWithinAllowedDirectory($absolutePath, $allowedAbsolutePath)) {
+            throw new LocalizedException(__('Invalid file path.'));
+        }
+    }
+
+    /**
+     * Check if the filename is valid
+     *
+     * @param string $fileName
+     * @return bool
+     */
+    private function isValid(string $fileName): bool
+    {
+        return !preg_match(self::PATTERN_NAME, $fileName);
+    }
+
+    /**
+     * Check if the path is within the allowed directory
+     *
+     * @param string $absolutePath
+     * @param string $allowedAbsolutePath
+     * @return bool
+     */
+    private function isWithinAllowedDirectory(string $absolutePath, string $allowedAbsolutePath): bool
+    {
+        $absolutePath = $this->fileDriver->getRealPath($absolutePath);
+        $allowedAbsolutePath = $this->fileDriver->getRealPath($allowedAbsolutePath);
+        return strpos($absolutePath, $allowedAbsolutePath) === 0;
+    }
+}