[bugfix] If the value for an external variable is sent to the REST API but the XQuery does not declare such an external variable, then raise an error.

Closes #67

Author: adamretter

exist-core/src/main/java/org/exist/http/RESTServer.java

@@ -1515,6 +1515,10 @@ private void declareExternalAndXQJVariables(final XQueryContext context,
                 q = new QName(localname, uri, XMLConstants.DEFAULT_NS_PREFIX);
             }
 
+            if (!context.isExternalVariableDeclared(q)) {
+                throw new XPathException(ErrorCodes.W3CErrorCode.XPDY0002, "External variable " + q + " is not declared in the XQuery");
+            }
+
             if (uri != null && prefix != null) {
                 context.declareNamespace(prefix, uri);
             }

exist-core/src/main/java/org/exist/xquery/XQueryContext.java

@@ -1535,7 +1535,14 @@ public void reset(final boolean keepGlobals) {
         cachedUriCollectionResults.clear();
 
         if (!keepGlobals) {
-            globalVariables.clear();
+            for (final Variable globalVariable : globalVariables.values()) {
+                if (globalVariable.isExternal()) {
+                    if (globalVariable instanceof VariableImpl) {
+                        ((VariableImpl) globalVariable).destroy(this, null);
+                    }
+                    globalVariable.setValue(null);
+                }
+            }
         }
 
         if (dynamicOptions != null) {
@@ -1923,6 +1930,35 @@ public void undeclareGlobalVariable(final QName name) {
         globalVariables.remove(name);
     }
 
+    /**
+     * Determines if a Global External Variable is declared.
+     *
+     * @param variableName The name of the variable.
+     *
+     * @return true, if the variable is declared (in either this module or an imported module), or false if the variable is undeclared.
+     */
+    public boolean isExternalVariableDeclared(final QName variableName) {
+        for (final Map.Entry<QName, Variable> mainGlobalVariable : globalVariables.entrySet()) {
+            if (mainGlobalVariable.getValue().isExternal() && mainGlobalVariable.getKey().equals(variableName)) {
+                return true;
+            }
+        }
+
+        for (final Module[] namespaceModules : modules.values()) {
+            for (final Module namespaceModule : namespaceModules) {
+                if (!namespaceModule.isInternalModule()) {
+                    for (final VariableDeclaration libGlobalVariable : ((ExternalModule) namespaceModule).getVariableDeclarations()) {
+                        if (libGlobalVariable.isExternal() && libGlobalVariable.getName().equals(variableName)) {
+                            return true;
+                        }
+                    }
+                }
+            }
+        }
+
+        return false;
+    }
+
     @Override
     public Variable declareVariable(final String qname, final Object value) throws XPathException {
         return declareVariable(qname, false, value);

exist-core/src/test/java/org/exist/http/RESTExternalVariableTest.java

@@ -98,6 +98,57 @@ public class RESTExternalVariableTest {
         .elseUse(ElementSelectors.byName)
         .build());
 
+    @Test
+    public void queryPostWithExternalVariableNotSupplied() throws IOException {
+        final String query =
+                "<exist:query xmlns:exist=\"http://exist.sourceforge.net/NS/exist\" xmlns:sx=\"http://exist-db.org/xquery/types/serialized\" xmlns:" + TEST_PREFIX + "=\"" + TEST_NAMESPACE + "\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" wrap=\"yes\" typed=\"yes\">\n" +
+                "\t<exist:text><![CDATA[\n" +
+                "declare variable $local:my-variable as xs:string* external;\n" +
+                "$local:my-variable\n" +
+                "\t]]></exist:text>\n" +
+                "</exist:query>\n";
+
+        final HttpResponse response = doPostWithAuth(getResourceUri(), query);
+        final int resultStatusCode = response.getStatusLine()
+               .getStatusCode();
+
+        assertEquals("Server returned response code: " + resultStatusCode, HttpStatus.BAD_REQUEST_400, resultStatusCode);
+
+        final String actual = readResponse(response.getEntity());
+        assertThat(actual, CompareMatcher.isIdenticalTo("<exception><path>/db/test/test.xml</path><message>err:XPDY0002 The value of external variable: local:my-variable has not been set</message></exception>"));
+    }
+
+    @Test
+    public void queryPostWithExternalVariableUndeclared() throws IOException {
+        final String query =
+                "<exist:query xmlns:exist=\"http://exist.sourceforge.net/NS/exist\" xmlns:sx=\"http://exist-db.org/xquery/types/serialized\" xmlns:" + TEST_PREFIX + "=\"" + TEST_NAMESPACE + "\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" wrap=\"yes\" typed=\"yes\">\n" +
+                "\t<exist:variables>\n" +
+                "\t\t<exist:variable>\n" +
+                "\t\t\t<exist:qname><exist:prefix>local</exist:prefix><exist:localname>my-variable</exist:localname></exist:qname>\n" +
+                "\t\t\t<sx:sequence><sx:value type=\"xs:string\">hello</sx:value></sx:sequence>\n" +
+                "\t\t</exist:variable>\n" +
+                "\t\t<exist:variable>\n" +
+                "\t\t\t<exist:qname><exist:prefix>local</exist:prefix><exist:localname>other-variable</exist:localname></exist:qname>\n" +
+                "\t\t\t<sx:sequence><sx:value type=\"xs:string\">goodbye</sx:value></sx:sequence>\n" +
+                "\t\t</exist:variable>\n" +
+                "\t</exist:variables>\n" +
+                "\t<exist:text><![CDATA[\n" +
+                "declare variable $local:my-variable as xs:string* external;\n" +
+                "$local:my-variable\n" +
+                "\t]]></exist:text>\n" +
+                "</exist:query>\n";
+
+        final HttpResponse response = doPostWithAuth(getResourceUri(), query);
+        final int resultStatusCode = response.getStatusLine()
+                .getStatusCode();
+
+        assertEquals("Server returned response code: " + resultStatusCode, HttpStatus.BAD_REQUEST_400, resultStatusCode);
+
+        final String actual = readResponse(response.getEntity());
+
+        assertThat(actual, CompareMatcher.isIdenticalTo("<exception><path>/db/test/test.xml</path><message>err:XPDY0002 External variable local:other-variable is not declared in the XQuery</message></exception>"));
+    }
+
     @Test
     public void queryPostWithExternalVariableUntypedNotSupplied() throws IOException {
         queryPostWithExternalVariable(HttpStatus.BAD_REQUEST_400, null, (ExternalVariableValueRep[]) null);
@@ -1592,7 +1643,8 @@ private void queryPostWithExternalVariable(final Tuple2<Integer, String> expecte
 
         assertEquals("Server returned response code: " + resultStatusCode, (int) expectedResponse._1, resultStatusCode);
 
-        final String actual = readResponse(response.getEntity());
+        String actual = readResponse(response.getEntity());
+        actual = actual.replaceFirst("\\s*\\[source:[^\\]]*\\]</message></exception>$", "</message></exception>");  // NOTE(AR) remove any source information from the actual response
 
         @Nullable final String expected;
         if (expectedResponse._1 == HttpStatus.OK_200) {