JCL-417: Validate LDP containment data in SolidContainer::getResources method

Author: acoburn

solid/src/main/java/com/inrupt/client/solid/SolidContainer.java

@@ -77,15 +77,33 @@ public SolidContainer(final URI identifier, final Dataset dataset, final Metadat
      * @return the contained resources
      */
     public Set<SolidResource> getResources() {
-        final Node node = new Node(rdf.createIRI(getIdentifier().toString()), getGraph());
-        try (final Stream<Node.TypedNode> stream = node.getResources()) {
-            return stream.map(child -> {
-                final Metadata.Builder builder = Metadata.newBuilder();
-                getMetadata().getStorage().ifPresent(builder::storage);
-                child.getTypes().forEach(builder::type);
-                return new SolidResourceReference(URI.create(child.getIRIString()), builder.build());
-            }).collect(Collectors.collectingAndThen(Collectors.toSet(), Collections::unmodifiableSet));
+        final String container = getIdentifier().toString();
+        // As defined by the Solid Protocol, containers always end with a slash.
+        if (container.endsWith("/")) {
+            final Node node = new Node(rdf.createIRI(getIdentifier().toString()), getGraph());
+            try (final Stream<Node.TypedNode> stream = node.getResources()) {
+                return stream.flatMap(child -> {
+                    final URI childLocation = URI.create(child.getIRIString()).normalize();
+                    // Solid containment is based on URI path hierarchy,
+                    // so all child resources must start with the URL of the parent
+                    if (childLocation.toString().startsWith(container)) {
+                        final String relativePath = childLocation.toString().substring(container.length());
+                        final String normalizedPath = relativePath.endsWith("/") ?
+                            relativePath.substring(0, relativePath.length() - 1) : relativePath;
+                        // Solid containment occurs via direct decent,
+                        // so any recursively contained resources must not be included
+                        if (!normalizedPath.isEmpty() && !normalizedPath.contains("/")) {
+                            final Metadata.Builder builder = Metadata.newBuilder();
+                            getMetadata().getStorage().ifPresent(builder::storage);
+                            child.getTypes().forEach(builder::type);
+                            return Stream.of(new SolidResourceReference(childLocation, builder.build()));
+                        }
+                    }
+                    return Stream.empty();
+                }).collect(Collectors.collectingAndThen(Collectors.toSet(), Collections::unmodifiableSet));
+            }
         }
+        return Collections.emptySet();
     }
 
     /**

solid/src/test/java/com/inrupt/client/solid/SolidClientTest.java

@@ -28,6 +28,7 @@
 import com.inrupt.client.Response;
 import com.inrupt.client.auth.Session;
 import com.inrupt.client.spi.RDFFactory;
+import com.inrupt.client.util.URIBuilder;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -36,6 +37,7 @@
 import java.util.*;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.CompletionException;
+import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
 import org.apache.commons.rdf.api.RDF;
@@ -216,6 +218,22 @@ void testGetBinaryCreate() {
         }).toCompletableFuture().join();
     }
 
+    @Test
+    void testSolidContainer() {
+        final URI uri = URI.create(config.get("solid_resource_uri") + "/container/");
+        final Set<URI> expected = new HashSet<>();
+        expected.add(URIBuilder.newBuilder(uri).path("newContainer/").build());
+        expected.add(URIBuilder.newBuilder(uri).path("test.txt").build());
+        expected.add(URIBuilder.newBuilder(uri).path("test2.txt").build());
+
+        client.read(uri, SolidContainer.class).thenAccept(container -> {
+            try (final SolidContainer c = container) {
+                assertEquals(expected,
+                        c.getResources().stream().map(SolidResource::getIdentifier).collect(Collectors.toSet()));
+            }
+        }).toCompletableFuture().join();
+    }
+
     @Test
     void testBinaryCreate() throws IOException {
         final URI uri = URI.create(config.get("solid_resource_uri") + "/binary");

solid/src/test/java/com/inrupt/client/solid/SolidMockHttpService.java

@@ -80,6 +80,25 @@ private void setupMocks() {
             )
         );
 
+        wireMockServer.stubFor(get(urlEqualTo("/container/"))
+            .withHeader("User-Agent", equalTo(USER_AGENT))
+            .willReturn(aResponse()
+                .withStatus(200)
+                .withHeader("Content-Type", "text/turtle")
+                .withHeader("Link", Link.of(LDP.BasicContainer, "type").toString())
+                .withHeader("Link", Link.of(URI.create("http://acl.example/solid/"), "acl").toString())
+                .withHeader("Link", Link.of(URI.create("http://storage.example/"),
+                        PIM.storage).toString())
+                .withHeader("Link", Link.of(URI.create("https://history.test/"), "timegate").toString())
+                .withHeader("WAC-Allow", "user=\"read write\",public=\"read\"")
+                .withHeader("Allow", "POST, PUT, PATCH")
+                .withHeader("Accept-Post", "application/ld+json, text/turtle")
+                .withHeader("Accept-Put", "application/ld+json, text/turtle")
+                .withHeader("Accept-Patch", "application/sparql-update, text/n3")
+                .withBodyFile("container.ttl")
+            )
+        );
+
         wireMockServer.stubFor(get(urlEqualTo("/recipe"))
             .withHeader("User-Agent", equalTo(USER_AGENT))
             .willReturn(aResponse()

solid/src/test/resources/__files/container.ttl

@@ -0,0 +1,25 @@
+@prefix dct: <http://purl.org/dc/terms/>.
+@prefix ldp: <http://www.w3.org/ns/ldp#>.
+@prefix xsd: <http://www.w3.org/2001/XMLSchema#>.
+@prefix pl: <http://www.w3.org/ns/iana/media-types/text/plain#>.
+
+<>
+    a ldp:BasicContainer ;
+    dct:modified "2022-11-25T10:36:36Z"^^xsd:dateTime;
+    ldp:contains <newContainer/>, <test.txt>, <test2.txt> .
+<newContainer/>
+    a ldp:BasicContainer ;
+    dct:modified "2022-11-25T10:36:36Z"^^xsd:dateTime .
+<test.txt>
+    a pl:Resource, ldp:NonRDFSource;
+    dct:modified "2022-11-25T10:34:14Z"^^xsd:dateTime .
+<test2.txt>
+    a pl:Resource, ldp:NonRDFSource;
+    dct:modified "2022-11-25T10:37:06Z"^^xsd:dateTime .
+
+# These containment triples should not be included in a getResources response
+<>
+    ldp:contains <https://example.com/other> , <newContainer/child> , <> , <./> .
+<https://example.test/container/>
+    a ldp:BasicContainer ;
+    ldp:contains <https://example.test/container/external> .