Merge pull request #257 from Esri/3.0_fixes

mhogeweg · web-flow · commit 2c86ad2a70c0 · 2025-11-07T06:50:18.000-08:00
Reverted some security fix as it broke harvesting
diff --git a/geoportal-commons/geoportal-commons-csw-client/src/main/java/com/esri/geoportal/commons/csw/client/impl/Client.java b/geoportal-commons/geoportal-commons-csw-client/src/main/java/com/esri/geoportal/commons/csw/client/impl/Client.java
@@ -37,6 +37,7 @@
 import java.time.ZonedDateTime;
 import java.time.format.DateTimeFormatter;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Date;
 import java.util.List;
 import java.util.regex.Matcher;
@@ -131,8 +132,7 @@ public IRecords findRecords(int start, int max, Date from, Date to, String searc
     HttpPost post = createRecordsPostRequest(capabilites.get_getRecordsPostURL(), requestBody);
 
     HttpClientContext context = cred!=null && !cred.isEmpty()? createHttpClientContext(baseUrl, cred): null;
-    try (CloseableHttpResponse httpResponse = httpClient.execute(post,context); 
-            InputStream responseInputStream = httpResponse.getEntity().getContent();) {
+    try (CloseableHttpResponse httpResponse = httpClient.execute(post,context); InputStream responseInputStream = httpResponse.getEntity().getContent();) {
       if (httpResponse.getStatusLine().getStatusCode()>=400) {
         throw new HttpResponseException(httpResponse.getStatusLine().getStatusCode(), httpResponse.getStatusLine().getReasonPhrase());
       }
@@ -167,16 +167,7 @@ public String readMetadata(String id) throws Exception {
 
         // perform transformation
         StringWriter writer = new StringWriter();
-        DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
-        builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-        builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
-        builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-        builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
-        builderFactory.setXIncludeAware(false);
-        builderFactory.setExpandEntityReferences(false);
-        DocumentBuilder builder = builderFactory.newDocumentBuilder();
-        Document inputDoc = builder.parse(contentStream);
-        transformer.transform(new DOMSource(inputDoc), new StreamResult(writer));
+        transformer.transform(new StreamSource(contentStream), new StreamResult(writer));
 
         String intermediateResult = writer.toString();
 
@@ -316,32 +307,21 @@ private List<IRecord> readRecords(InputStream contentStream) throws IOException,
 
     // perform transformation
     StringWriter writer = new StringWriter();
-  
-    DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
-    builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-    builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
-    builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-    builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
-    builderFactory.setXIncludeAware(false);
-    builderFactory.setExpandEntityReferences(false);
-    DocumentBuilder builder = builderFactory.newDocumentBuilder();
-    Document inputDoc = builder.parse(contentStream);
-    
-    transformer.transform(new DOMSource(inputDoc), new StreamResult(writer));
+    transformer.transform(new StreamSource(contentStream), new StreamResult(writer));
     
     LOG.trace(String.format("Received records:\n%s", writer.toString()));
 
     try (ByteArrayInputStream transformedContentStream = new ByteArrayInputStream(writer.toString().getBytes("UTF-8"))) {
 
       // create internal request DOM
-//      DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
-//      builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-//      builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
-//      builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-//      builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
-//      builderFactory.setXIncludeAware(false);
-//      builderFactory.setExpandEntityReferences(false);
-//      DocumentBuilder builder = builderFactory.newDocumentBuilder();
+      DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
+      builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+      builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+      builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+      builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+      builderFactory.setXIncludeAware(false);
+      builderFactory.setExpandEntityReferences(false);
+      DocumentBuilder builder = builderFactory.newDocumentBuilder();
       Document resultDom = builder.parse(new InputSource(transformedContentStream));
 
       // create xpath
