ACSD-51846: Internal error as REST API payload levels aren’t validated

Last update: 2023-10-02
  • Topics:
  • REST
    View more on this topic
  • Created for:
  • Developer

The ACSD-51846 patch fixes the issue where an “Internal Error” occurs as all levels of REST API payload are not validated. This patch is available when the Quality Patches Tool (QPT) 1.1.36 is installed. The patch ID is ACSD-51846. Please note that the issue was fixed in Adobe Commerce 2.4.7.

Affected products and versions

The patch is created for Adobe Commerce version:

  • Adobe Commerce (all deployment methods) 2.4.5-p2

Compatible with Adobe Commerce versions:

  • Adobe Commerce (all deployment methods) 2.4.3-p2 - 2.4.5-p4
NOTE

The patch might become applicable to other versions with new Quality Patches Tool releases. To check if the patch is compatible with your Adobe Commerce version, update the magento/quality-patches package to the latest version and check the compatibility on the Quality Patches Tool: Search for patches page. Use the patch ID as a search keyword to locate the patch.

Issue

An “Internal Error” occurs as all levels of REST API payload are not validated.

Steps to reproduce:

  1. Add a product to the customer’s cart.
  2. Send the REST API request to rest/V1/carts/mine/estimate-shipping-methods using a wrong attribute “street.” with a dot in the end.
 {
    "address": {
         "street.": [
             "\uc11c\uc6b8 \uac15\ubd81\uad6c \ud55c\ucc9c\ub85c166\uae38 2 (-\uc11c\uc6b8 \uac15\ubd81\uad6c \uc218\uc720\ub3d9 269-36)"
         ],
         "city": "pune",
         "region": null,
         "country_id": "IN",
         "postcode": "411015",
         "customer_id": "2",
         "firstname": "test",
         "lastname": "test",
         "middlename": null,
         "prefix": null,
         "suffix": null,
         "vat_id": null,
         "company": null,
         "telephone": "00000000000",
         "fax": null,
         "custom_attributes": []
     }
 }

Expected results:

The endpoint should validate the parameter and return the 400 status code with a specific error message. Example:

report.CRITICAL: LogicException: Property "Street." does not have accessor method "getStreet." in class "Magento\Quote\Api\Data\AddressInterface". in vendor/magento/framework/Reflection/NameFinder.php:103

Actual results:

The endpoint does not validate the wrong parameter and returns the 500 status code error.

Apply the patch

To apply individual patches, use the following links depending on your deployment method:

To learn more about Quality Patches Tool, refer to:

For info about other patches available in QPT, refer to Quality Patches Tool: Search for patches in the Quality Patches Tool guide.

On this page