Improved validation for XML parsing and paths (#7422)

Author: labkey-jeckels

api/src/org/labkey/api/reader/ExcelLoader.java

@@ -46,6 +46,7 @@
 import org.labkey.api.util.FileUtil;
 import org.labkey.api.util.JunitUtil;
 import org.labkey.api.util.StringUtilsLabKey;
+import org.labkey.api.util.XmlBeansUtil;
 import org.labkey.vfs.FileLike;
 import org.labkey.vfs.FileSystemLike;
 import org.xml.sax.Attributes;
@@ -540,7 +541,7 @@ private Thread startAsyncParsing() throws IOException, InvalidFormatException
                         if (sheetMatches(sheetIndex, iter.getSheetName()))
                         {
                             InputSource sheetSource = new InputSource(stream);
-                            SAXParserFactory saxFactory = SAXParserFactory.newInstance();
+                            SAXParserFactory saxFactory = XmlBeansUtil.SAX_PARSER_FACTORY;
                             try
                             {
                                 SAXParser saxParser = saxFactory.newSAXParser();

core/src/org/labkey/core/attachment/AttachmentServiceImpl.java

@@ -289,7 +289,7 @@ public synchronized void addAttachments(AttachmentParent parent, List<Attachment
         }
 
         Set<String> filesToSkip = new TreeSet<>();
-        File fileLocation = parent instanceof AttachmentDirectory ? ((AttachmentDirectory) parent).getFileSystemDirectory() : null;
+        File fileLocation = parent instanceof AttachmentDirectory dir ? dir.getFileSystemDirectory() : null;
 
         for (AttachmentFile file : files)
         {

filecontent/src/org/labkey/filecontent/FileSystemAttachmentParent.java

@@ -191,7 +191,7 @@ public void addAttachment(User user, AttachmentFile file) throws IOException
     {
         Path fileLocation = getFileSystemDirectoryPath();
         InputStream is = file.openInputStream();
-        Path saveFile = fileLocation.resolve(file.getFilename());
+        Path saveFile = FileUtil.appendName(fileLocation, file.getFilename());
         try
         {
             Files.copy(is, saveFile);

pipeline/src/org/labkey/pipeline/api/PipelineStatusManager.java

@@ -694,6 +694,12 @@ public static void completeStatus(User user, Collection<Long> rowIds)
                     PipelineStatusFileImpl sf = PipelineStatusManager.getStatusFile(rowId);
                     if (sf != null)
                     {
+                        Container container = sf.lookupContainer();
+                        if (container == null || !container.hasPermission(user, UpdatePermission.class))
+                        {
+                            throw new UnauthorizedException();
+                        }
+
                         LOG.info("Job " + sf.getFilePath() + " was marked as complete by " + user);
                         sf.setStatus(PipelineJob.TaskStatus.complete.toString());
                         sf.setInfo(null);