Merge pull request #739 from marklogic/feature/21542-more-polaris

MLE-21542 More Polaris fixes

Author: rjrudin

ml-app-deployer/src/main/java/com/marklogic/appdeployer/command/forests/ForestBuilder.java

@@ -55,7 +55,7 @@ public ForestBuilder(ForestNamingStrategy forestNamingStrategy) {
 	 * @param appConfig
 	 * @return
 	 */
-	public List<Forest> buildForests(ForestPlan forestPlan, AppConfig appConfig) {
+	public List<Forest> buildForests(ForestPlan forestPlan, final AppConfig appConfig) {
 		final String databaseName = forestPlan.getDatabaseName();
 		Objects.requireNonNull(databaseName);
 		Objects.requireNonNull(appConfig);
@@ -85,6 +85,7 @@ public List<Forest> buildForests(ForestPlan forestPlan, AppConfig appConfig) {
 				for (int i = 0; i < forestsToCreate; i++) {
 					forestCounter++;
 					Forest forest = newForest(forestPlan);
+					Objects.requireNonNull(forest);
 					forest.setForestName(getForestName(databaseName, forestCounter, appConfig));
 					forest.setHost(hostName);
 					forest.setDatabase(databaseName);

ml-app-deployer/src/main/java/com/marklogic/mgmt/resource/forests/ForestManager.java

@@ -26,8 +26,6 @@
 import com.marklogic.mgmt.resource.AbstractResourceManager;
 import com.marklogic.rest.util.Fragment;
 import com.marklogic.rest.util.XPathUtil;
-import org.springframework.http.HttpMethod;
-import org.springframework.web.util.UriComponentsBuilder;
 
 import java.util.ArrayList;
 import java.util.HashMap;

ml-app-deployer/src/main/java/com/marklogic/mgmt/resource/security/AmpManager.java

@@ -24,7 +24,6 @@
 import com.marklogic.rest.util.XPathUtil;
 import org.springframework.http.ResponseEntity;
 
-import javax.xml.xpath.XPath;
 import java.util.ArrayList;
 import java.util.List;
 

ml-app-deployer/src/main/java/com/marklogic/rest/util/Fragment.java

@@ -15,17 +15,15 @@
  */
 package com.marklogic.rest.util;
 
+import com.marklogic.client.ext.util.XmlUtil;
 import org.jdom2.Document;
 import org.jdom2.Element;
 import org.jdom2.Namespace;
 import org.jdom2.filter.Filters;
-import org.jdom2.input.SAXBuilder;
-import org.jdom2.input.sax.XMLReaders;
 import org.jdom2.output.Format;
 import org.jdom2.output.XMLOutputter;
 import org.jdom2.xpath.XPathExpression;
 import org.jdom2.xpath.XPathFactory;
-import org.xml.sax.InputSource;
 
 import java.io.StringReader;
 import java.util.ArrayList;
@@ -45,19 +43,7 @@ public Fragment(Fragment other) {
 
 	public Fragment(String xml, Namespace... namespaces) {
 		try {
-			SAXBuilder builder = new SAXBuilder(XMLReaders.NONVALIDATING);
-
-			// Prevent DTDs from being loaded
-			builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-
-			// Disable external entities
-			builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
-			builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-
-			// Set a no-op EntityResolver to block external DTDs
-			builder.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
-
-			internalDoc = builder.build(new StringReader(xml));
+			internalDoc = XmlUtil.newSAXBuilder().build(new StringReader(xml));
 			List<Namespace> list = new ArrayList<>();
 			list.add(Namespace.getNamespace("arp", "http://marklogic.com/manage/alert-rule/properties"));
 			list.add(Namespace.getNamespace("c", "http://marklogic.com/manage/clusters"));

ml-app-deployer/src/main/java/com/marklogic/rest/util/XPathUtil.java

@@ -12,8 +12,8 @@ public abstract class XPathUtil {
 	 * @return
 	 */
 	public static String sanitizeValueForXPathExpression(String resourceIdOrName) {
-		// MarkLogic generally the following characters in a resource name, and we know an ID will never have them.
-		// Removing them avoids issues with XPath queries.
+		// MarkLogic generally prohibits the following characters in a resource name, and we know an ID will never
+		// have them. Removing them avoids issues with XPath injection attacks.
 		return resourceIdOrName != null ?
 			resourceIdOrName.replace("'", "").replace("\"", "").replace("[", "").replace("]", "") :
 			null;

ml-app-deployer/src/test/java/com/marklogic/junit/Fragment.java

@@ -15,11 +15,11 @@
  */
 package com.marklogic.junit;
 
+import com.marklogic.client.ext.util.XmlUtil;
 import org.jdom2.Document;
 import org.jdom2.Element;
 import org.jdom2.Namespace;
 import org.jdom2.filter.Filters;
-import org.jdom2.input.SAXBuilder;
 import org.jdom2.output.Format;
 import org.jdom2.output.XMLOutputter;
 import org.jdom2.xpath.XPathExpression;
@@ -51,7 +51,7 @@ public Fragment(Document doc) {
 
 	public Fragment(String xml, Namespace... namespaces) {
 		try {
-			internalDoc = new SAXBuilder().build(new StringReader(xml));
+			internalDoc = XmlUtil.newSAXBuilder().build(new StringReader(xml));
 			this.namespaces = namespaces;
 		} catch (Exception e) {
 			throw new RuntimeException(e);

ml-javaclient-util/src/main/java/com/marklogic/client/ext/es/EntityServicesManager.java

@@ -17,11 +17,11 @@
 
 import com.marklogic.client.DatabaseClient;
 import com.marklogic.client.document.GenericDocumentManager;
+import com.marklogic.client.ext.util.XmlUtil;
 import com.marklogic.client.io.BytesHandle;
 import com.marklogic.client.io.DocumentMetadataHandle;
 import org.jdom2.Element;
 import org.jdom2.Namespace;
-import org.jdom2.input.SAXBuilder;
 
 import java.io.StringReader;
 import java.util.Objects;
@@ -93,7 +93,7 @@ protected GeneratedCode initializeGeneratedCode(String modelUri) {
 		Objects.requireNonNull(output);
 		Element root;
 		try {
-			root = new SAXBuilder().build(new StringReader(output)).getRootElement();
+			root = XmlUtil.newSAXBuilder().build(new StringReader(output)).getRootElement();
 		} catch (Exception e) {
 			throw new RuntimeException("Unable to parse model XML: " + e.getMessage(), e);
 		}

ml-javaclient-util/src/main/java/com/marklogic/client/ext/modulesloader/impl/DefaultExtensionMetadataProvider.java

@@ -23,8 +23,8 @@
 import com.marklogic.client.ext.helper.LoggingObject;
 import com.marklogic.client.ext.modulesloader.ExtensionMetadataAndParams;
 import com.marklogic.client.ext.modulesloader.ExtensionMetadataProvider;
+import com.marklogic.client.ext.util.XmlUtil;
 import org.jdom2.Element;
-import org.jdom2.input.SAXBuilder;
 import org.jdom2.output.XMLOutputter;
 import org.springframework.core.io.Resource;
 import org.springframework.core.io.support.PathMatchingResourcePatternResolver;
@@ -62,7 +62,7 @@ public ExtensionMetadataAndParams provideExtensionMetadataAndParams(Resource r)
         Resource metadataResource = resolver.getResource(metadataFile);
         if (metadataResource != null) {
             try {
-                Element root = new SAXBuilder().build(metadataResource.getInputStream()).getRootElement();
+                Element root = XmlUtil.newSAXBuilder().build(metadataResource.getInputStream()).getRootElement();
                 m.setTitle(root.getChildText("title"));
                 Element desc = root.getChild("description");
                 if (desc != null && desc.getChildren() != null && desc.getChildren().size() == 1) {

ml-javaclient-util/src/main/java/com/marklogic/client/ext/modulesloader/impl/DefaultModulesLoader.java

@@ -28,10 +28,10 @@
 import com.marklogic.client.ext.helper.LoggingObject;
 import com.marklogic.client.ext.modulesloader.*;
 import com.marklogic.client.ext.tokenreplacer.TokenReplacer;
+import com.marklogic.client.ext.util.XmlUtil;
 import com.marklogic.client.io.Format;
 import com.marklogic.client.io.StringHandle;
 import org.jdom2.Element;
-import org.jdom2.input.SAXBuilder;
 import org.springframework.beans.factory.DisposableBean;
 import org.springframework.core.io.Resource;
 import org.springframework.core.task.SyncTaskExecutor;
@@ -319,7 +319,7 @@ protected void applyJsonProperties(ServerConfigurationManager mgr, Resource r, F
 	protected void applyXmlProperties(ServerConfigurationManager mgr, Resource r, File file) {
 		Element root;
 		try {
-			root = new SAXBuilder().build(r.getInputStream()).getRootElement();
+			root = XmlUtil.newSAXBuilder().build(r.getInputStream()).getRootElement();
 		} catch (Exception e) {
 			throw new RuntimeException("Unable to read XML REST properties file: " + file.getAbsolutePath(), e);
 		}

ml-javaclient-util/src/main/java/com/marklogic/client/ext/schemasloader/impl/QbvDocumentFileProcessor.java

@@ -22,12 +22,12 @@
 import com.marklogic.client.ext.file.DocumentFileProcessor;
 import com.marklogic.client.ext.helper.FilenameUtil;
 import com.marklogic.client.ext.helper.LoggingObject;
+import com.marklogic.client.ext.util.XmlUtil;
 import com.marklogic.client.extra.jdom.JDOMHandle;
 import com.marklogic.client.io.Format;
 import com.marklogic.client.io.StringHandle;
 import org.jdom2.Document;
 import org.jdom2.Element;
-import org.jdom2.input.SAXBuilder;
 import org.springframework.util.FileCopyUtils;
 
 import java.io.File;
@@ -99,7 +99,7 @@ private void processQbvFile(DocumentFile qbvFile) {
 			if (Format.XML.equals(handleString.getFormat())) {
 				Document xmlDocument;
 				try {
-					xmlDocument = new SAXBuilder().build(new StringReader(handleString.get()));
+					xmlDocument = XmlUtil.newSAXBuilder().build(new StringReader(handleString.get()));
 				} catch (Exception e) {
 					throw new RuntimeException(format("Query-Based View generation failed for file: %s; cause: %s", qbvFile.getFile().getAbsolutePath(), e.getMessage()));
 				}