From 21ad47519b018d237b70f5cf169dcf141b2e9db3 Mon Sep 17 00:00:00 2001
From: "matthieu.rolland"
Date: Tue, 2 May 2023 11:31:49 +0200
Subject: [PATCH] check configuration keys and values before applying update
---
 blockreassurance.php | 5 +++
 .../admin/AdminBlockListingController.php | 39 ++++++++++++++++---
 2 files changed, 38 insertions(+), 6 deletions(-)
diff --git a/blockreassurance.php b/blockreassurance.php
index c8633771..a329ebb7 100644
--- a/blockreassurance.php
+++ b/blockreassurance.php
@@ -41,6 +41,11 @@ class blockreassurance extends Module implements WidgetInterface
 const POSITION_BELOW_HEADER = 1;
 const POSITION_ABOVE_HEADER = 2;
 
+ const PSR_HOOK_HEADER = 'PSR_HOOK_HEADER';
+ const PSR_HOOK_FOOTER = 'PSR_HOOK_FOOTER';
+ const PSR_HOOK_PRODUCT = 'PSR_HOOK_PRODUCT';
+ const PSR_HOOK_CHECKOUT = 'PSR_HOOK_CHECKOUT';
+
 /** @var string */
 public $name;
 /** @var string */
diff --git a/controllers/admin/AdminBlockListingController.php b/controllers/admin/AdminBlockListingController.php
index 572eb0d2..3c46f60e 100644
--- a/controllers/admin/AdminBlockListingController.php
+++ b/controllers/admin/AdminBlockListingController.php
@@ -100,12 +100,7 @@ public function displayAjaxSavePositionByHook()
 $value = Tools::getValue('value');
 $result = false;
 
- if (!empty($hook) && in_array($value, [
- blockreassurance::POSITION_NONE,
- blockreassurance::POSITION_BELOW_HEADER,
- blockreassurance::POSITION_ABOVE_HEADER,
- ])
- ) {
+ if ($this->isAuthorizedHookConfigurationKey($hook) && $this->isAuthorizedPositionValue($value)) {
 $result = Configuration::updateValue($hook, $value);
 }
 
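Review bot: In displayAjaxSavePositionByHook the position is validated on its integer cast but stored raw: `isAuthorizedPositionValue()` (added in the last hunk of this patch) tests `(int) $value`, while the unchanged `Configuration::updateValue($hook, $value)` still writes the original request value. PHP's explicit cast is lenient, so a string with a numeric prefix casts to that number and a non-numeric string casts to 0, which would match POSITION_NONE if that constant is 0 (its value is not visible here). Input that is not exactly one of the POSITION_* integers can therefore pass the check and reach the configuration table unchanged. Store the normalised value instead, `$result = Configuration::updateValue($hook, (int) $value);`. The method body starts above this hunk, so how `$hook` is read is not visible.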
@@ -255,4 +250,36 @@ public function displayAjaxUpdatePosition()
 // Response
 $this->ajaxRenderJson($result ? 'success' : 'error');
 }
+
+ /**
+ * @param string $hook
+ *
+ * @return bool
+ */
+ private function isAuthorizedHookConfigurationKey($hook)
+ {
+ return
+ !empty($hook) &&
+ in_array($hook, [
+ blockreassurance::PSR_HOOK_HEADER,
+ blockreassurance::PSR_HOOK_FOOTER,
+ blockreassurance::PSR_HOOK_PRODUCT,
+ blockreassurance::PSR_HOOK_CHECKOUT,
+ ], true)
+ ;
+ }
+
+ /**
+ * @param string $value
+ *
+ * @return bool
+ */
+ private function isAuthorizedPositionValue($value)
+ {
+ return in_array((int) $value, [
+ blockreassurance::POSITION_NONE,
+ blockreassurance::POSITION_BELOW_HEADER,
+ blockreassurance::POSITION_ABOVE_HEADER,
+ ], true);
+ }
 }
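Review bot: The two new helpers carry type-only docblocks, so nothing tells a maintainer that they are the allowlists guarding which configuration keys and values this controller may write. A one-line summary on each would record that, e.g. `Whether $hook is one of the PSR_HOOK_* configuration keys this controller is allowed to update.` and `Whether $value, once cast to int, is one of the POSITION_* constants.`. The `@param string` tags also look narrower than what the request accessor can hand over, which is presumably why the value is cast, so `@param mixed` would be more accurate. In `isAuthorizedHookConfigurationKey()` the `!empty($hook) &&` guard is redundant, because the strict `in_array` against four non-empty constants already rejects empty input.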