From c9164d0e1f1106f5a9d26dca81962b954508a533 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Prunayre?= <fx.prunayre@gmail.com>
Date: Mon, 2 Sep 2024 16:50:27 +0200
Subject: [PATCH] API / Improve parameter check for XSL conversion. (#8201)

---
 .../kernel/GeonetworkDataDirectory.java       | 13 +++++++++
 .../AbstractGeonetworkDataDirectoryTest.java  | 27 ++++++++++++++++++-
 2 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/core/src/main/java/org/fao/geonet/kernel/GeonetworkDataDirectory.java b/core/src/main/java/org/fao/geonet/kernel/GeonetworkDataDirectory.java
index 86a0cdca444..cc5296232bd 100644
--- a/core/src/main/java/org/fao/geonet/kernel/GeonetworkDataDirectory.java
+++ b/core/src/main/java/org/fao/geonet/kernel/GeonetworkDataDirectory.java
@@ -27,8 +27,11 @@
 import jeeves.server.sources.http.JeevesServlet;
 import org.fao.geonet.ApplicationContextHolder;
 import org.fao.geonet.constants.Geonet;
+import org.fao.geonet.exceptions.BadParameterEx;
+import org.fao.geonet.utils.FilePathChecker;
 import org.fao.geonet.utils.IO;
 import org.fao.geonet.utils.Log;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationEvent;
 import org.springframework.context.ConfigurableApplicationContext;
@@ -63,6 +66,9 @@ public class GeonetworkDataDirectory {
      */
     public static final String GEONETWORK_BEAN_KEY = "GeonetworkDataDirectory";
 
+    @Autowired
+    SchemaManager schemaManager;
+
     private Path webappDir;
     private Path systemDataDir;
     private Path indexConfigDir;
@@ -797,11 +803,18 @@ public Path getXsltConversion(String conversionId) {
         if (conversionId.startsWith(IMPORT_STYLESHEETS_SCHEMA_PREFIX)) {
             String[] pathToken = conversionId.split(":");
             if (pathToken.length == 3) {
+                String schema = pathToken[1];
+                if (!schemaManager.existsSchema(schema)) {
+                    throw new BadParameterEx(String.format(
+                        "Conversion not found. Schema '%s' is not registered in this catalog.", schema));
+                }
+                FilePathChecker.verify(pathToken[2]);
                 return this.getSchemaPluginsDir()
                     .resolve(pathToken[1])
                     .resolve(pathToken[2] + ".xsl");
             }
         } else {
+            FilePathChecker.verify(conversionId);
             return this.getWebappDir().resolve(Geonet.Path.IMPORT_STYLESHEETS).
                 resolve(conversionId + ".xsl");
         }
diff --git a/core/src/test/java/org/fao/geonet/kernel/AbstractGeonetworkDataDirectoryTest.java b/core/src/test/java/org/fao/geonet/kernel/AbstractGeonetworkDataDirectoryTest.java
index 7f7f4b26b4a..63624516b09 100644
--- a/core/src/test/java/org/fao/geonet/kernel/AbstractGeonetworkDataDirectoryTest.java
+++ b/core/src/test/java/org/fao/geonet/kernel/AbstractGeonetworkDataDirectoryTest.java
@@ -26,6 +26,8 @@
 import jeeves.server.ServiceConfig;
 
 import org.fao.geonet.AbstractCoreIntegrationTest;
+import org.fao.geonet.constants.Geonet;
+import org.fao.geonet.exceptions.BadParameterEx;
 import org.jdom.Element;
 import org.junit.Test;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -34,7 +36,7 @@
 import java.nio.file.Path;
 import java.util.ArrayList;
 
-import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.*;
 
 /**
  * Abstract class for GeonetworkDataDirectory tests where the data directory layout is a default
@@ -76,6 +78,29 @@ public void testInit() throws Exception {
         assertSystemDirSubFolders(expectedDataDir);
     }
 
+    @Test
+    public void testGetXsltConversion() {
+        Path xsltConversion = dataDirectory.getXsltConversion("conversion");
+        assertEquals(dataDirectory.getWebappDir().resolve(Geonet.Path.IMPORT_STYLESHEETS).resolve("conversion.xsl"), xsltConversion);
+        try {
+            dataDirectory.getXsltConversion("../conversion");
+        } catch (BadParameterEx e) {
+            assertEquals("../conversion is not a valid value for: Invalid character found in path.", e.getMessage());
+        }
+
+        xsltConversion = dataDirectory.getXsltConversion("schema:iso19115-3.2018:convert/fromISO19115-3.2014");
+        assertNotNull(xsltConversion);
+        try {
+            dataDirectory.getXsltConversion("schema:notExistingSchema:convert/fromISO19115-3.2014");
+        } catch (BadParameterEx e) {
+            assertEquals("Conversion not found. Schema 'notExistingSchema' is not registered in this catalog.", e.getMessage());
+        }
+        try {
+            dataDirectory.getXsltConversion("schema:iso19115-3.2018:../../custom/path");
+        } catch (BadParameterEx e) {
+            assertEquals("../../custom/path is not a valid value for: Invalid character found in path.", e.getMessage());
+        }
+    }
     private void assertSystemDirSubFolders(Path expectedDataDir) {
         final Path expectedConfigDir = expectedDataDir.resolve("config");
         assertEquals(expectedConfigDir, dataDirectory.getConfigDir());