[bugfix] If the value for an external variable is sent to the XML:DB API but the XQuery does not declare such an external variable, then raise an error.

Author: adamretter

exist-core/src/main/java/org/exist/xmldb/LocalXPathQueryService.java

@@ -49,6 +49,7 @@
 import org.apache.logging.log4j.Logger;
 import org.exist.EXistException;
 import org.exist.debuggee.Debuggee;
+import org.exist.dom.QName;
 import org.exist.security.PermissionDeniedException;
 import org.exist.security.Subject;
 import org.exist.source.DBSource;
@@ -63,6 +64,13 @@
 import org.exist.storage.txn.Txn;
 import org.exist.util.LockException;
 import org.exist.xmldb.function.LocalXmldbFunction;
+import org.exist.xquery.CompiledXQuery;
+import org.exist.xquery.ExternalModule;
+import org.exist.xquery.Variable;
+import org.exist.xquery.VariableDeclaration;
+import org.exist.xquery.XPathException;
+import org.exist.xquery.XQuery;
+import org.exist.xquery.XQueryContext;
 import org.exist.xquery.value.AnyURIValue;
 import org.exist.xquery.value.BinaryValue;
 import org.exist.xquery.value.Sequence;
@@ -82,10 +90,6 @@
 import org.exist.dom.persistent.NodeSet;
 import org.exist.security.Permission;
 import com.evolvedbinary.j8fu.Either;
-import org.exist.xquery.CompiledXQuery;
-import org.exist.xquery.XPathException;
-import org.exist.xquery.XQuery;
-import org.exist.xquery.XQueryContext;
 
 import javax.annotation.Nullable;
 
@@ -424,7 +428,20 @@ protected void declareVariables(final XQueryContext context) throws XPathExcepti
 
         // declare static variables
         for (final Map.Entry<String, Object> entry : variableDecls.entrySet()) {
-            context.declareVariable(entry.getKey(), true, entry.getValue());
+            final String varNameStr = entry.getKey();
+
+            final QName varName;
+            try {
+                varName = QName.parse(context, varNameStr);
+            } catch (final QName.IllegalQNameException e) {
+                throw new XPathException(org.exist.xquery.ErrorCodes.W3CErrorCode.XPST0081, "Error declaring variable, invalid qname: " + varNameStr + ". " + e.getMessage(), e);
+            }
+
+            if (!context.isExternalVariableDeclared(varName)) {
+                throw new XPathException(org.exist.xquery.ErrorCodes.W3CErrorCode.XPDY0002, "External variable " + varName + " is not declared in the XQuery");
+            }
+
+            context.declareVariable(varName, true, entry.getValue());
         }
     }
 

exist-core/src/main/java/org/exist/xmlrpc/RpcConnection.java

@@ -265,30 +265,43 @@ private String createId(final XmldbURI collUri) throws EXistException, Permissio
     protected QueryResult doQuery(final DBBroker broker, final CompiledXQuery compiled,
                                   final NodeSet contextSet, final Map<String, Object> parameters) throws XPathException, EXistException, PermissionDeniedException {
         final XQuery xquery = broker.getBrokerPool().getXQueryService();
-
-        checkPragmas(compiled.getContext(), parameters);
+        final XQueryContext context = compiled.getContext();
+        checkPragmas(context, parameters);
         LockedDocumentMap lockedDocuments = null;
         try {
             //  declare static variables
             final Map<String, Object> variableDecls = (Map<String, Object>) parameters.get(RpcAPI.VARIABLES);
             if (variableDecls != null) {
                 for (final Map.Entry<String, Object> entry : variableDecls.entrySet()) {
+                    final String varNameStr = entry.getKey();
+
+                    final QName varName;
+                    try {
+                        varName = QName.parse(context, varNameStr);
+                    } catch (final QName.IllegalQNameException e) {
+                        throw new XPathException(org.exist.xquery.ErrorCodes.W3CErrorCode.XPST0081, "Error declaring variable, invalid qname: " + varNameStr + ". " + e.getMessage(), e);
+                    }
+
+                    if (!context.isExternalVariableDeclared(varName)) {
+                        throw new XPathException(org.exist.xquery.ErrorCodes.W3CErrorCode.XPDY0002, "External variable " + varName + " is not declared in the XQuery");
+                    }
+
                     if (LOG.isDebugEnabled()) {
-                        LOG.debug("declaring {} = {}", entry.getKey(), entry.getValue());
+                        LOG.debug("declaring {} = {}", varName, entry.getValue());
                     }
-                    compiled.getContext().declareVariable(entry.getKey(), true, entry.getValue());
+                    context.declareVariable(varName, true, entry.getValue());
                 }
             }
 
             final long start = System.currentTimeMillis();
             lockedDocuments = beginProtected(broker, parameters);
             if (lockedDocuments != null) {
-                compiled.getContext().setProtectedDocs(lockedDocuments);
+                context.setProtectedDocs(lockedDocuments);
             }
             final Properties outputProperties = new Properties();
             final Sequence result = xquery.execute(broker, compiled, contextSet, outputProperties);
             // pass last modified date to the HTTP response
-            HTTPUtils.addLastModifiedHeader(result, compiled.getContext());
+            HTTPUtils.addLastModifiedHeader(result, context);
             LOG.info("query took {}ms.", System.currentTimeMillis() - start);
             return new QueryResult(result, outputProperties);
         } catch (final XPathException e) {

exist-core/src/test/java/org/exist/xmldb/XMLDBExternalVariableTest.java

@@ -115,6 +115,31 @@ private String getBaseUri() {
         return baseUri.replace(PORT_PLACEHOLDER, Integer.toString(existWebServer.getPort()));
     }
 
+    @Test
+    public void queryPostWithExternalVariableNotSupplied() throws XMLDBException {
+        try (final Collection dbCollection = DatabaseManager.getCollection(getBaseUri() + "/db", TestUtils.ADMIN_DB_USER, TestUtils.ADMIN_DB_PWD)) {
+            final XQueryService xqueryService = dbCollection.getService(XQueryService.class);
+
+            xqueryService.declareVariable("local:my-variable", "hello");
+            xqueryService.declareVariable("local:other-variable", "goodbye");
+
+            final CompiledExpression compiled = xqueryService.compile("declare variable $local:my-variable as xs:string* external;\n$local:my-variable");
+
+            try {
+                xqueryService.execute(compiled);
+                fail("Expected XMLDBException with cause XPathException: XPDY0002 External variable local:other-variable is not declared in the XQuery");
+            } catch (final XMLDBException e) {
+                final Throwable cause = e.getCause();
+                assertTrue(cause instanceof XPathException);
+            }
+        }
+    }
+
+    @Test
+    public void queryPostWithExternalVariableUndeclared() throws XMLDBException {
+        queryPostWithExternalVariable(ErrorCodes.W3CErrorCode.XPDY0002, "xs:string*", (ExternalVariableValueRep[]) null);
+    }
+
     @Test
     public void queryPostWithExternalVariableUntypedNotSupplied() throws XMLDBException {
         queryPostWithExternalVariable(ErrorCodes.W3CErrorCode.XPDY0002, null, (ExternalVariableValueRep[]) null);

exist-core/src/test/java/org/exist/xquery/XPathQueryTest.java

@@ -1899,6 +1899,7 @@ public void staticVariables() throws XMLDBException {
         assertEquals(1, result.getSize());
         result = service2.query("declare variable $name as xs:string external; $name");
         assertEquals(1, result.getSize());
+        service2.clearVariables();
         result = service2.query( doc, "//item[stock = 43]");
         assertEquals(1, result.getSize());
         result = service2.query(doc, "//item");