Merge pull request #8324 from magento-cloud/MCLOUD-10226

MCLOUD-10226: Fix regexp cache tag validation

Author: internal-magento-queue-manager[bot]

lib/internal/Magento/Framework/Cache/Core.php

@@ -5,6 +5,10 @@
  */
 namespace Magento\Framework\Cache;
 
+use Magento\Framework\Cache\Backend\Redis;
+use Zend_Cache;
+use Zend_Cache_Exception;
+
 class Core extends \Zend_Cache_Core
 {
     /**
@@ -116,6 +120,34 @@ public function getIdsNotMatchingTags($tags = [])
         return parent::getIdsNotMatchingTags($tags);
     }
 
+    /**
+     * Validate a cache id or a tag (security, reliable filenames, reserved prefixes...)
+     *
+     * Throw an exception if a problem is found
+     *
+     * @param  string $string Cache id or tag
+     * @throws Zend_Cache_Exception
+     * @return void
+     */
+    protected function _validateIdOrTag($string)
+    {
+        if ($this->_backend instanceof Redis) {
+            if (!is_string($string)) {
+                Zend_Cache::throwException('Invalid id or tag : must be a string');
+            }
+            if (substr($string, 0, 9) == 'internal-') {
+                Zend_Cache::throwException('"internal-*" ids or tags are reserved');
+            }
+            if (!preg_match('~^[a-zA-Z0-9_{}]+$~D', $string)) {
+                Zend_Cache::throwException("Invalid id or tag '$string' : must use only [a-zA-Z0-9_{}]");
+            }
+
+            return;
+        }
+
+        parent::_validateIdOrTag($string);
+    }
+
     /**
      * Set the backend
      *

lib/internal/Magento/Framework/Cache/Test/Unit/CoreTest.php

@@ -11,8 +11,13 @@
 namespace Magento\Framework\Cache\Test\Unit;
 
 use Magento\Framework\Cache\Backend\Decorator\AbstractDecorator;
+use Magento\Framework\Cache\Backend\Redis;
 use Magento\Framework\Cache\Core;
+use Magento\Framework\Cache\Frontend\Adapter\Zend;
+use Magento\Framework\Cache\Frontend\Decorator\Bare;
+use Magento\Framework\Cache\FrontendInterface;
 use PHPUnit\Framework\TestCase;
+use Zend_Cache_Exception;
 
 class CoreTest extends TestCase
 {
@@ -199,4 +204,33 @@ public function testGetIdsNotMatchingTags()
         $result = $frontend->getIdsNotMatchingTags($tags);
         $this->assertEquals($ids, $result);
     }
+
+    public function testLoadAllowsToUseCurlyBracketsInPrefixOnRedisBackend()
+    {
+        $id = 'abc';
+
+        $mockBackend = $this->createMock(Redis::class);
+        $core = new Core([
+            'cache_id_prefix' => '{prefix}_'
+        ]);
+        $core->setBackend($mockBackend);
+
+        $core->load($id);
+        $this->assertNull(null);
+    }
+
+    public function testLoadNotAllowsToUseCurlyBracketsInPrefixOnNonRedisBackend()
+    {
+        $id = 'abc';
+
+        $core = new Core([
+            'cache_id_prefix' => '{prefix}_'
+        ]);
+        $core->setBackend($this->_mockBackend);
+
+        $this->expectException(Zend_Cache_Exception::class);
+        $this->expectExceptionMessage("Invalid id or tag '{prefix}_abc' : must use only [a-zA-Z0-9_]");
+
+        $core->load($id);
+    }
 }