Reject fedora resource property update that contains fcr namespace pr…

…efix. Resolves: https://jira.duraspace.org/browse/FCREPO-1244
fcrepo · Dec 11, 2014 · 38d5939 · 38d5939
1 parent cf8cd25
commit 38d5939
Show file tree

Hide file tree

Showing 7 changed files with 79 additions and 14 deletions.
diff --git a/fcrepo-http-api/src/main/java/org/fcrepo/http/api/ContentExposingResource.java b/fcrepo-http-api/src/main/java/org/fcrepo/http/api/ContentExposingResource.java
@@ -72,6 +72,7 @@
 import org.fcrepo.http.commons.domain.Range;
 import org.fcrepo.http.commons.domain.ldp.LdpPreferTag;
 import org.fcrepo.http.commons.responses.RangeRequestInputStream;
+import org.fcrepo.kernel.exception.FedoraInvalidNamespaceException;
 import org.fcrepo.kernel.exception.InvalidChecksumException;
 import org.fcrepo.kernel.exception.MalformedRdfException;
 import org.fcrepo.kernel.exception.RepositoryRuntimeException;
@@ -589,7 +590,8 @@ protected void replaceResourceBinaryWithStream(final FedoraBinary result,
     protected void replaceResourceWithStream(final FedoraResource resource,
                                              final InputStream requestBodyStream,
                                              final MediaType contentType,
-                                             final RdfStream resourceTriples) throws MalformedRdfException {
+                                             final RdfStream resourceTriples)
+                                             throws MalformedRdfException, FedoraInvalidNamespaceException {
         final Lang format = contentTypeToLang(contentType.toString());
 
         final Model inputModel = createDefaultModel()
@@ -600,7 +602,8 @@ protected void replaceResourceWithStream(final FedoraResource resource,
 
     protected void patchResourcewithSparql(final FedoraResource resource,
                                            final String requestBody,
-                                           final RdfStream resourceTriples) throws MalformedRdfException {
+                                           final RdfStream resourceTriples)
+                                           throws MalformedRdfException, FedoraInvalidNamespaceException {
         resource.updateProperties(translator(), requestBody, resourceTriples);
     }
 

diff --git a/fcrepo-http-api/src/main/java/org/fcrepo/http/api/FedoraLdp.java b/fcrepo-http-api/src/main/java/org/fcrepo/http/api/FedoraLdp.java
@@ -74,6 +74,7 @@
 import org.apache.jena.riot.RiotException;
 import org.fcrepo.http.commons.domain.ContentLocation;
 import org.fcrepo.http.commons.domain.PATCH;
+import org.fcrepo.kernel.exception.FedoraInvalidNamespaceException;
 import org.fcrepo.kernel.exception.InvalidChecksumException;
 import org.fcrepo.kernel.exception.MalformedRdfException;
 import org.fcrepo.kernel.exception.RepositoryRuntimeException;
@@ -220,6 +221,7 @@ public Response deleteObject() {
      * @param requestContentType
      * @param requestBodyStream
      * @return 204
+     * @throws RepositoryException
      */
     @PUT
     @Consumes
@@ -230,7 +232,7 @@ public Response createOrReplaceObjectRdf(
             @QueryParam("checksum") final String checksum,
             @HeaderParam("Content-Disposition") final ContentDisposition contentDisposition,
             @HeaderParam("If-Match") final String ifMatch)
-            throws InvalidChecksumException, MalformedRdfException {
+            throws InvalidChecksumException, MalformedRdfException, FedoraInvalidNamespaceException {
 
         final FedoraResource resource;
         final Response.ResponseBuilder response;
@@ -316,7 +318,7 @@ public Response createOrReplaceObjectRdf(
     @Consumes({contentTypeSPARQLUpdate})
     @Timed
     public Response updateSparql(@ContentLocation final InputStream requestBodyStream)
-            throws IOException, MalformedRdfException {
+            throws IOException, MalformedRdfException, FedoraInvalidNamespaceException {
 
         if (null == requestBodyStream) {
             throw new BadRequestException("SPARQL-UPDATE requests must have content!");
@@ -372,6 +374,7 @@ public Response updateSparql(@ContentLocation final InputStream requestBodyStrea
      * requests without a Content-Type get routed here.
      *
      * @return 201
+     * @throws RepositoryException
      */
     @POST
     @Consumes({MediaType.APPLICATION_OCTET_STREAM + ";qs=1001", MediaType.WILDCARD})
@@ -381,7 +384,7 @@ public Response createObject(@QueryParam("checksum") final String checksum,
                                  @HeaderParam("Content-Type") final MediaType requestContentType,
                                  @HeaderParam("Slug") final String slug,
                                  @ContentLocation final InputStream requestBodyStream)
-            throws InvalidChecksumException, IOException, MalformedRdfException {
+            throws InvalidChecksumException, IOException, MalformedRdfException, FedoraInvalidNamespaceException {
 
         if (!(resource() instanceof Container)) {
             throw new ClientErrorException("Object cannot have child nodes", CONFLICT);

diff --git a/fcrepo-http-api/src/test/java/org/fcrepo/integration/http/api/FedoraLdpIT.java b/fcrepo-http-api/src/test/java/org/fcrepo/integration/http/api/FedoraLdpIT.java
@@ -921,6 +921,22 @@ public void testIngestWithNewAndSparqlQuery() throws Exception {
         assertNotEquals("Last-Modified should not be blank for new nodes", lastmod.trim(), "");
     }
 
+    @Test
+    public void testIngestWithSparqlQueryJcrNS() throws Exception {
+        final HttpPost method = postObjMethod("");
+        method.addHeader("Content-Type", "application/sparql-update");
+        final BasicHttpEntity entity = new BasicHttpEntity();
+        entity.setContent(new ByteArrayInputStream(
+                ("PREFIX fcr: <http://xmlns.com/my-fcr/> "
+                        + "INSERT { <> <http://purl.org/dc/elements/1.1/title> \"this is a title\" } WHERE {}")
+                        .getBytes()));
+        method.setEntity(entity);
+        final HttpResponse response = client.execute(method);
+        final int status = response.getStatusLine().getStatusCode();
+        assertFalse("Got a CREATED response with jcr namspace prefix!",
+                CREATED.getStatusCode() == status);
+    }
+
     @Test
     public void testIngestWithNewAndGraph() throws Exception {
         final HttpPost method = postObjMethod("");
@@ -1517,6 +1533,28 @@ public void testUpdateAndReplaceObjectGraph() throws Exception {
 
     }
 
+    @Test
+    public void testUpdateWithSparqlQueryJcrNS() throws Exception {
+        final HttpResponse createResponse = createObject("");
+        final String subjectURI = createResponse.getFirstHeader("Location").getValue();
+        final HttpPatch updateObjectGraphMethod = new HttpPatch(subjectURI);
+
+        updateObjectGraphMethod.addHeader("Content-Type",
+                "application/sparql-update");
+
+        final BasicHttpEntity e = new BasicHttpEntity();
+        e.setContent(new ByteArrayInputStream(
+                ("PREFIX fcr: <http://xmlns.com/my-fcr/> "
+                        + "INSERT { <" + subjectURI + "> <info:rubydora#label> \"asdfg\" } WHERE {}")
+                        .getBytes()));
+
+        updateObjectGraphMethod.setEntity(e);
+        final HttpResponse response = client.execute(updateObjectGraphMethod);
+        final int status = response.getStatusLine().getStatusCode();
+        assertFalse("Got updated response with jcr namspace prefix!\n",
+                NO_CONTENT.getStatusCode() == status);
+    }
+
     @Test
     public void testUpdateObjectGraphWithProblems() throws Exception {
 

diff --git a/fcrepo-kernel-impl/src/main/java/org/fcrepo/kernel/impl/FedoraResourceImpl.java b/fcrepo-kernel-impl/src/main/java/org/fcrepo/kernel/impl/FedoraResourceImpl.java
@@ -41,7 +41,6 @@
 import java.util.Iterator;
 import java.util.List;
 
-
 import javax.jcr.ItemNotFoundException;
 import javax.jcr.Node;
 import javax.jcr.PathNotFoundException;
@@ -56,10 +55,13 @@
 import com.google.common.base.Predicate;
 import com.google.common.collect.Iterators;
 import com.hp.hpl.jena.rdf.model.Resource;
+
+import org.apache.commons.lang3.StringUtils;
 import org.fcrepo.kernel.FedoraJcrTypes;
 import org.fcrepo.kernel.models.NonRdfSourceDescription;
 import org.fcrepo.kernel.models.FedoraBinary;
 import org.fcrepo.kernel.models.FedoraResource;
+import org.fcrepo.kernel.exception.FedoraInvalidNamespaceException;
 import org.fcrepo.kernel.exception.MalformedRdfException;
 import org.fcrepo.kernel.exception.PathNotFoundRuntimeException;
 import org.fcrepo.kernel.exception.RepositoryRuntimeException;
@@ -351,7 +353,7 @@ public boolean hasType(final String type) {
     @Override
     public void updateProperties(final IdentifierConverter<Resource, FedoraResource> idTranslator,
                                  final String sparqlUpdateStatement, final RdfStream originalTriples)
-            throws MalformedRdfException {
+            throws MalformedRdfException, FedoraInvalidNamespaceException {
 
         final Model model = originalTriples.asModel();
 
@@ -361,6 +363,13 @@ public void updateProperties(final IdentifierConverter<Resource, FedoraResource>
         model.register(listener);
 
         final UpdateRequest request = create(sparqlUpdateStatement, idTranslator.reverse().convert(this).toString());
+
+        // reject if update request contains any fcr namespacess
+        final String fcrNS = request.getPrefix("fcr");
+        if (StringUtils.isNotBlank(fcrNS)) {
+            throw new FedoraInvalidNamespaceException ("Update content contains fcr namespace " + fcrNS + ".");
+        }
+
         model.setNsPrefixes(request.getPrefixMapping());
         execute(request, model);
 
@@ -443,10 +452,17 @@ public Boolean isNew() {
      */
     @Override
     public void replaceProperties(final IdentifierConverter<Resource, FedoraResource> idTranslator,
-        final Model inputModel, final RdfStream originalTriples) throws MalformedRdfException {
+        final Model inputModel, final RdfStream originalTriples)
+        throws MalformedRdfException, FedoraInvalidNamespaceException {
 
         final RdfStream replacementStream = new RdfStream().namespaces(inputModel.getNsPrefixMap());
 
+        // reject if update request contains any fcr namespacess
+        final String fcrNS = inputModel.getNsPrefixURI("fcr");
+        if (inputModel.getNsPrefixMap().containsKey("fcr")) {
+            throw new FedoraInvalidNamespaceException("Update content contains fcr namespace " + fcrNS + ".");
+        }
+
         final GraphDifferencingIterator differencer =
             new GraphDifferencingIterator(inputModel, originalTriples);
 

diff --git a/fcrepo-kernel-impl/src/test/java/org/fcrepo/integration/kernel/impl/FedoraObjectImplIT.java b/fcrepo-kernel-impl/src/test/java/org/fcrepo/integration/kernel/impl/FedoraObjectImplIT.java
@@ -192,7 +192,7 @@ public void testObjectGraphWithUriProperty() throws RepositoryException {
     }
 
     @Test
-    public void testUpdatingObjectGraphWithErrors() {
+    public void testUpdatingObjectGraphWithErrors() throws RepositoryException {
         final String pid = getRandomPid();
         final Container object = containerService.findOrCreate(session, pid);
 
@@ -211,7 +211,7 @@ public void testUpdatingObjectGraphWithErrors() {
     }
 
     @Test
-    public void testReplaceObjectGraphWithErrors() {
+    public void testReplaceObjectGraphWithErrors() throws RepositoryException {
         final String pid = getRandomPid();
         final Container object = containerService.findOrCreate(session, pid);
 

diff --git a/...po-kernel-impl/src/test/java/org/fcrepo/integration/kernel/impl/FedoraResourceImplIT.java b/...po-kernel-impl/src/test/java/org/fcrepo/integration/kernel/impl/FedoraResourceImplIT.java
@@ -337,7 +337,7 @@ public void testDatastreamGraph() throws RepositoryException, InvalidChecksumExc
     }
 
     @Test
-    public void testUpdatingObjectGraph() throws MalformedRdfException {
+    public void testUpdatingObjectGraph() throws RepositoryException {
 
         final FedoraResource object =
             containerService.findOrCreate(session, "/testObjectGraphUpdates");

diff --git a/fcrepo-kernel/src/main/java/org/fcrepo/kernel/models/FedoraResource.java b/fcrepo-kernel/src/main/java/org/fcrepo/kernel/models/FedoraResource.java
@@ -19,10 +19,13 @@
 import java.util.Iterator;
 
 import javax.jcr.Node;
-import javax.jcr.Property;import javax.jcr.version.Version;
+import javax.jcr.Property;
+import javax.jcr.version.Version;
 import javax.jcr.version.VersionHistory;
 
 import com.hp.hpl.jena.rdf.model.Resource;
+
+import org.fcrepo.kernel.exception.FedoraInvalidNamespaceException;
 import org.fcrepo.kernel.exception.MalformedRdfException;
 import org.fcrepo.kernel.identifiers.IdentifierConverter;
 import org.fcrepo.kernel.utils.iterators.RdfStream;
@@ -115,7 +118,8 @@ public interface FedoraResource {
      */
     void updateProperties(final IdentifierConverter<Resource, FedoraResource> idTranslator,
                           final String sparqlUpdateStatement,
-                          final RdfStream originalTriples) throws MalformedRdfException;
+                          final RdfStream originalTriples)
+                          throws MalformedRdfException, FedoraInvalidNamespaceException;
 
     /**
      * Return the RDF properties of this object using the provided context
@@ -164,7 +168,8 @@ RdfStream getTriples(IdentifierConverter<Resource, FedoraResource> idTranslator,
      */
     void replaceProperties(final IdentifierConverter<Resource, FedoraResource> idTranslator,
                                 final Model inputModel,
-                                final RdfStream originalTriples) throws MalformedRdfException;
+                                final RdfStream originalTriples)
+                                throws MalformedRdfException, FedoraInvalidNamespaceException;
 
     /**
          * Construct an ETag value from the last modified date and path. JCR has a