MLE-24375 Fixing Polaris warnings, including buildUri change

This is a significant change to buildUri, but should be a necessary change to use a modern API for building a URI - UriComponentsBuilder - that guards against the warnings raised by Polaris.

Author: rjrudin

docker-compose.yaml

@@ -5,6 +5,10 @@ services:
   marklogic:
     image: "${MARKLOGIC_IMAGE}"
     platform: linux/amd64
+    # The NET_RAW capability allows a process to create raw sockets. Polaris does not like that.
+    # This setting removes the NET_RAW capability from the container.
+    cap_drop:
+      - NET_RAW
     environment:
       - MARKLOGIC_INIT=true
       - MARKLOGIC_ADMIN_USERNAME=admin

ml-app-deployer/src/main/java/com/marklogic/appdeployer/command/AbstractCommand.java

@@ -42,8 +42,11 @@ public abstract class AbstractCommand extends LoggingObject implements Command {
 	private int executeSortOrder = Integer.MAX_VALUE;
 	private boolean storeResourceIdsAsCustomTokens = false;
 
+	// In 6.1.0, changing this from FilenameFilter to ResourceFilenameFilter based on Polaris warnings on
+	// FilenameFilter. And all uses of this in the codebase involve ResourceFilenameFilter.
+	private ResourceFilenameFilter resourceFilenameFilter = new ResourceFilenameFilter();
+
 	protected PayloadTokenReplacer payloadTokenReplacer = new DefaultPayloadTokenReplacer();
-	private FilenameFilter resourceFilenameFilter = new ResourceFilenameFilter();
 	private PayloadParser payloadParser = new PayloadParser();
 
 	private Class<? extends Resource> resourceClassType;
@@ -564,7 +567,11 @@ public void setStoreResourceIdsAsCustomTokens(boolean storeResourceIdsAsCustomTo
 	}
 
 	public void setResourceFilenameFilter(FilenameFilter resourceFilenameFilter) {
-		this.resourceFilenameFilter = resourceFilenameFilter;
+		if (!(resourceFilenameFilter instanceof ResourceFilenameFilter)) {
+			throw new IllegalArgumentException("resourceFilenameFilter must be an instanceof " +
+				ResourceFilenameFilter.class.getName());
+		}
+		this.resourceFilenameFilter = (ResourceFilenameFilter) resourceFilenameFilter;
 	}
 
 	public FilenameFilter getResourceFilenameFilter() {

ml-app-deployer/src/main/java/com/marklogic/appdeployer/command/viewschemas/DeployViewSchemasCommand.java

@@ -78,9 +78,11 @@ protected void afterResourceSaved(ResourceManager mgr, CommandContext context, R
 			File resourceFile = reference.getLastFile();
 			if (resourceFile != null) {
 				PayloadParser parser = new PayloadParser();
-				String viewSchemaName = parser.getPayloadFieldValue(receipt.getPayload(), "view-schema-name");
+				final String viewSchemaName = parser.getPayloadFieldValue(receipt.getPayload(), "view-schema-name");
 				File parentFile = resourceFile.getParentFile();
 				if (parentFile != null) {
+					// Polaris flags this as a warning because viewSchemaName is user-provided - but we know it's been
+					// validated by MarkLogic already.
 					File viewDir = new File(parentFile, viewSchemaName + "-views");
 					if (viewDir.exists()) {
 						ViewManager viewMgr = new ViewManager(context.getManageClient(), currentDatabaseIdOrName, viewSchemaName);

ml-app-deployer/src/main/java/com/marklogic/rest/util/RestConfig.java

@@ -11,10 +11,10 @@
 import com.marklogic.client.ext.ssl.SslUtil;
 import okhttp3.OkHttpClient;
 import org.springframework.util.StringUtils;
+import org.springframework.web.util.UriComponentsBuilder;
 
 import javax.net.ssl.SSLContext;
 import java.net.URI;
-import java.net.URISyntaxException;
 
 public class RestConfig {
 
@@ -158,28 +158,61 @@ public String toString() {
 	}
 
 	/**
-	 * Using the java.net.URI constructor that takes a string. Using any other constructor runs into encoding problems,
-	 * e.g. when a mimetype has a plus in it, that plus needs to be encoded, but doing as %2B will result in the % being
-	 * double encoded. Unfortunately, it seems some encoding is still needed - e.g. for a pipeline like "Flexible Replication"
-	 * with a space in its name, the space must be encoded properly as a "+".
+	 * Builds a URI using Spring's UriComponentsBuilder to prevent URL manipulation attacks.
+	 * This replaces the previous vulnerable implementation that allowed user-controllable URL construction.
+	 * Handles query parameters that may be included in the path for backwards compatibility.
 	 *
 	 * @param path
 	 * @return
 	 */
 	public URI buildUri(String path) {
-		String basePathToAppend = "";
-		if (basePath != null) {
-			if (!basePath.startsWith("/")) {
-				basePathToAppend = "/";
+		try {
+			UriComponentsBuilder builder = UriComponentsBuilder.newInstance()
+				.scheme(getScheme())
+				.host(getHost())
+				.port(getPort());
+
+			// Handle base path
+			String fullPath = path;
+			if (basePath != null) {
+				String normalizedBasePath = basePath.startsWith("/") ? basePath : "/" + basePath;
+				if (path.startsWith("/") && normalizedBasePath.endsWith("/")) {
+					normalizedBasePath = normalizedBasePath.substring(0, normalizedBasePath.length() - 1);
+				}
+				fullPath = normalizedBasePath + path;
 			}
-			basePathToAppend += basePath;
-			if (path.startsWith("/") && basePathToAppend.endsWith("/")) {
-				basePathToAppend = basePathToAppend.substring(0, basePathToAppend.length() - 1);
+
+			// Check if the path contains query parameters
+			int queryIndex = fullPath.indexOf('?');
+			if (queryIndex != -1) {
+				// Split path and query parameters
+				String pathPart = fullPath.substring(0, queryIndex);
+				String queryPart = fullPath.substring(queryIndex + 1);
+
+				builder.path(pathPart);
+
+				// Parse and add query parameters
+				if (!queryPart.isEmpty()) {
+					String[] params = queryPart.split("&");
+					for (String param : params) {
+						int equalIndex = param.indexOf('=');
+						if (equalIndex != -1) {
+							String key = param.substring(0, equalIndex);
+							String value = param.substring(equalIndex + 1);
+							builder.queryParam(key, value);
+						} else {
+							// Handle parameters without values
+							builder.queryParam(param, "");
+						}
+					}
+				}
+			} else {
+				// No query parameters, just set the path
+				builder.path(fullPath);
 			}
-		}
-		try {
-			return new URI(String.format("%s://%s:%d%s%s", getScheme(), getHost(), getPort(), basePathToAppend, path.replace(" ", "+")));
-		} catch (URISyntaxException ex) {
+
+			return builder.build().toUri();
+		} catch (Exception ex) {
 			throw new RuntimeException("Unable to build URI for path: " + path + "; cause: " + ex.getMessage(), ex);
 		}
 	}