From 0a74bf1ebb907eef39e235a3a6dca0c28ed3ad23 Mon Sep 17 00:00:00 2001
From: "matthieu.rolland"
Date: Tue, 2 May 2023 11:31:49 +0200
Subject: [PATCH 1/2] check configuration keys and values before applying update
---
 blockreassurance.php | 5 +++
 .../admin/AdminBlockListingController.php | 37 ++++++++++++++++---
 2 files changed, 36 insertions(+), 6 deletions(-)
diff --git a/blockreassurance.php b/blockreassurance.php
index c8633771..a329ebb7 100644
--- a/blockreassurance.php
+++ b/blockreassurance.php
@@ -41,6 +41,11 @@ class blockreassurance extends Module implements WidgetInterface
 const POSITION_BELOW_HEADER = 1;
 const POSITION_ABOVE_HEADER = 2;
 
+ const PSR_HOOK_HEADER = 'PSR_HOOK_HEADER';
+ const PSR_HOOK_FOOTER = 'PSR_HOOK_FOOTER';
+ const PSR_HOOK_PRODUCT = 'PSR_HOOK_PRODUCT';
+ const PSR_HOOK_CHECKOUT = 'PSR_HOOK_CHECKOUT';
+
 /** @var string */
 public $name;
 /** @var string */
diff --git a/controllers/admin/AdminBlockListingController.php b/controllers/admin/AdminBlockListingController.php
index 787a3fa3..930ae2a3 100644
--- a/controllers/admin/AdminBlockListingController.php
+++ b/controllers/admin/AdminBlockListingController.php
@@ -100,12 +100,7 @@ public function displayAjaxSavePositionByHook()
 $value = Tools::getValue('value');
 $result = false;
 
- if (!empty($hook) && in_array($value, [
- blockreassurance::POSITION_NONE,
- blockreassurance::POSITION_BELOW_HEADER,
- blockreassurance::POSITION_ABOVE_HEADER,
- ])
- ) {
+ if ($this->isAuthorizedHookConfigurationKey($hook) && $this->isAuthorizedPositionValue($value)) {
 $result = Configuration::updateValue($hook, $value);
 }
 
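Review bot: `Configuration::updateValue($hook, $value)` still stores the raw request value, while `isAuthorizedPositionValue()` only checks `(int) $value`; an input such as `'1abc'` or `'1.9'` passes the check and is written unchanged, so the stored setting can differ from the value that was validated. Store the cast value instead: `$result = Configuration::updateValue($hook, (int) $value);`. The enclosing displayAjaxSavePositionByHook() starts before the hunk, so where `$hook` is read is not visible here.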
@@ -249,4 +244,34 @@ public function displayAjaxUpdatePosition()
 // Response
 $this->ajaxRenderJson($result ? 'success' : 'error');
 }
+
+ /**
+ * @param $hook
+ * @return bool
+ */
+ private function isAuthorizedHookConfigurationKey($hook)
+ {
+ return (
+ !empty($hook) &&
+ in_array($hook, [
+ blockreassurance::PSR_HOOK_HEADER,
+ blockreassurance::PSR_HOOK_FOOTER,
+ blockreassurance::PSR_HOOK_PRODUCT,
+ blockreassurance::PSR_HOOK_CHECKOUT,
+ ], true)
+ );
+ }
+
+ /**
+ * @param $value
+ * @return bool
+ */
+ private function isAuthorizedPositionValue($value)
+ {
+ return in_array((int) $value, [
+ blockreassurance::POSITION_NONE,
+ blockreassurance::POSITION_BELOW_HEADER,
+ blockreassurance::POSITION_ABOVE_HEADER,
+ ], true);
+ }
 }
From 6327811e6782c837440749aa6b55941d68e1c0bd Mon Sep 17 00:00:00 2001
From: "matthieu.rolland"
Date: Tue, 9 May 2023 18:40:53 +0200
Subject: [PATCH 2/2] remove images only from dedicated folder and forbid non image extensions in image path
---
 .../admin/AdminBlockListingController.php | 22 +++++++++++++------
 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/controllers/admin/AdminBlockListingController.php b/controllers/admin/AdminBlockListingController.php
index 930ae2a3..3c46f60e 100644
--- a/controllers/admin/AdminBlockListingController.php
+++ b/controllers/admin/AdminBlockListingController.php
@@ -70,7 +70,7 @@ public function displayAjaxDeleteBlock()
 $result = true;
 // Remove Custom icon
 if (!empty($blockPSR['custom_icon'])) {
- $filePath = _PS_ROOT_DIR_ . $blockPSR['custom_icon'];
+ $filePath = _PS_ROOT_DIR_ . $this->module->img_path_perso . '/' . basename($blockPSR['custom_icon']);
 if (file_exists($filePath)) {
 $result = unlink($filePath);
 }
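Review bot: isAuthorizedPositionValue() casts before it compares, so any input whose int cast lands on an allowed position is accepted — `'2abc'`, `'1.9'` and even an array like `[1]` all pass — and the call site then saves the uncast value. Reject anything that is not a canonical integer before casting, e.g. `if (!is_int($value) && !(is_string($value) && ctype_digit($value))) { return false; }` as the first statement of the method. In isAuthorizedHookConfigurationKey() the `!empty($hook)` guard is redundant: strict in_array() against non-empty string constants already returns false for `''`, `'0'`, `null`, `false` and arrays, so `return in_array($hook, [...], true);` says the same thing without the wrapping parentheses. Both helpers are complete within the hunk.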
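Review bot: `file_exists($filePath)` on the new path is true for a directory as well as a file, and `basename()` returns `''`, `'.'` or `'..'` for degenerate stored values, so `$filePath` can name the images folder (or its parent) rather than a file, in which case `unlink()` fails with a warning and `$result` becomes false. Use `if (is_file($filePath)) {` so only a regular file inside the folder is removed. Confining the delete to `$this->module->img_path_perso` via `basename()` is the right direction; whether `_PS_ROOT_DIR_ . $this->module->img_path_perso` needs a separator between the two parts depends on how `img_path_perso` is defined, which is not visible here. The enclosing displayAjaxDeleteBlock() starts and ends outside the hunk.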
@@ -143,6 +143,14 @@ public function displayAjaxSaveBlockContent()
 $type_link = (int) Tools::getValue('typelink');
 $id_cms = Tools::getValue('id_cms');
 $psr_languages = (array) json_decode(Tools::getValue('lang_values'));
+ $authExtensions = ['gif', 'jpg', 'jpeg', 'jpe', 'png', 'svg'];
+ $authMimeType = ['image/gif', 'image/jpg', 'image/jpeg', 'image/pjpeg', 'image/png', 'image/x-png', 'image/svg', 'image/svg+xml'];
+
+ if (!empty($picto) && !in_array(pathinfo($picto, PATHINFO_EXTENSION), $authExtensions)) {
+ $errors[] = Context::getContext()->getTranslator()->trans('Image format not recognized, allowed formats are: .gif, .jpg, .png', [], 'Admin.Notifications.Error');
+
+ return $this->ajaxRenderJson(empty($errors) ? 'success' : 'error');
+ }
 
 $blockPsr = new ReassuranceActivity($id_block);
 if (!$id_block) {
@@ -168,8 +176,6 @@ public function displayAjaxSaveBlockContent()
 $filename = $customImage['name'];
 
 // validateUpload return false if no error (false -> OK)
- $authExtensions = ['gif', 'jpg', 'jpeg', 'jpe', 'png', 'svg'];
- $authMimeType = ['image/gif', 'image/jpg', 'image/jpeg', 'image/pjpeg', 'image/png', 'image/x-png', 'image/svg', 'image/svg+xml'];
 if (version_compare(_PS_VERSION_, '1.7.7.0', '>=')) {
 // PrestaShop 1.7.7.0+
 $validUpload = ImageManager::validateUpload(
@@ -246,12 +252,13 @@ public function displayAjaxUpdatePosition()
 }
 
 /**
- * @param $hook
+ * @param string $hook
+ * + * @return bool * */
 private function isAuthorizedHookConfigurationKey($hook)
 {
- return (
+ return
 !empty($hook) &&
 in_array($hook, [
 blockreassurance::PSR_HOOK_HEADER,
@@ -259,11 +266,12 @@ private function isAuthorizedHookConfigurationKey($hook)
 blockreassurance::PSR_HOOK_PRODUCT,
 blockreassurance::PSR_HOOK_CHECKOUT,
 ], true)
- );
+ ;
 }
 
 /**
- * @param $value
+ * @param string $value
+ * + * @return bool * */
 private function isAuthorizedPositionValue($value)
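Review bot: The new extension check is case-sensitive and non-strict: `pathinfo($picto, PATHINFO_EXTENSION)` keeps the original case, so a path ending in `.PNG` is rejected against the lowercase list, and in_array() is called without `true`. Unless uppercase extensions are meant to be refused, normalise and compare strictly: `if (!empty($picto) && !in_array(strtolower(pathinfo($picto, PATHINFO_EXTENSION)), $authExtensions, true)) {`. The early return `$this->ajaxRenderJson(empty($errors) ? 'success' : 'error')` can only ever yield 'error' because `$errors[]` was just appended, so `return $this->ajaxRenderJson('error');` states the intent; whether `$errors` is initialised earlier in displayAjaxSaveBlockContent() is outside the hunk. Note that this check constrains only the extension of `$picto`, not the directory it refers to; if `$picto` is later used as a filesystem path, the `basename()` confinement applied in displayAjaxDeleteBlock() would be the consistent companion.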
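Review bot: The `return` split over several lines and closed by a lone `;` line (here, and `- );` / `+ ;` in the next hunk) is hard to read, and it only exists to accommodate the `!empty($hook)` guard, which is redundant: strict in_array() against non-empty string constants already rejects `''`, `'0'`, `null`, `false` and arrays, so the body can be a single `return in_array($hook, [ ... ], true);` statement. `@param string $hook` also overstates what the method receives: its caller in displayAjaxSavePositionByHook() passes the result of Tools::getValue(), which presumably can be false or an array, so `@param mixed $hook` (or the real union, if it is narrower) documents the boundary more honestly; the same applies to `@param string $value` on isAuthorizedPositionValue(), which casts its argument to int. Both docblock lines in this file section came through the collapsed rendering garbled, so the exact new docblock text should be checked against the commit itself.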