fix[SP-7346]: update doSetMetadata endpoint to accept XML

[befc]

NOTE: This PR was created by Copilot automation.

Backport Information

• SP Issue: SP-7346 - Backport of BISERVER-15545 - (11.0 Suite) PUT /repo/files/.../metadata endpoint returns 415 for XML in Pentaho 10.2
• Base Case: BISERVER-15545 - Backport of BISERVER-15545 - (11.0 Suite) PUT /repo/files/.../metadata endpoint returns 415 for XML in Pentaho 10.2
• Original Master PRs:
  • fix[BISERVER-15545]: update doSetMetadata endpoint to accept XML #6201
  • fix[BISERVER-15545]: enhance doSetMetadata to handle invalid or unparseable XML payloads #6251

Changes

• Cherry-picked from fix[BISERVER-15545]: update doSetMetadata endpoint to accept XML #6201
• Cherry-picked from fix[BISERVER-15545]: enhance doSetMetadata to handle invalid or unparseable XML payloads #6251
• Commit: d782d53
• Commit: e95364b

Conflict Resolution

• No manual conflict resolution required

Target

• Target Branch: 11.0 (11.0 Suite maintenance branch)

[Copilot]

Pull request overview

Backports the addition of an XML-consuming overload for PUT /repo/files/{pathId}/metadata (originally from PRs #6201 and #6251) to the 11.0 branch. The new endpoint securely unmarshals XML using a StAX reader that disables external entities/DTDs (mitigating XXE), reusing the existing getSecureXmlStreamReader/getUnmarshaller helpers already employed by the ACL and creator XML endpoints. Tests for XXE protection and XML success/error paths are restored.

Changes:

• Adds XML overload of doSetMetadata with secure unmarshalling, plus private helpers unmarshalMetadata, closeXmlStreamReader, and InvalidXmlPayloadException.
• Renames existing JSON tests and adds new tests for XML success/error paths and XXE handling (415 on malicious payload, 200 on clean payload).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
extensions/src/main/java/org/pentaho/platform/web/http/api/resources/FileResource.java	Adds the new XML overload for doSetMetadata and supporting helpers/exception type.
extensions/src/test/java/org/pentaho/platform/web/http/api/resources/FileResourceTest.java	Restores XXE tests, renames JSON metadata tests, and adds XML success/error tests.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[hitachivantarasonarqube]

Quality Gate failed

• 72.70% Coverage on New Code (is less than 80.00%)
• 1 New Issues (is greater than 0)

Project ID: pentaho:pentaho-platform-ce-parent

View in SonarQube

[buildguy]

Note:

---

Frogbot also supports Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning. This features are included as part of the JFrog Advanced Security package, which isn't enabled on your system.

---

🐸 JFrog Frogbot

[buildguy]

✅ Build finished in 41m 5s

Build command:

mvn clean verify -B -e -Daudit -Djs.no.sandbox -pl extensions

---

👌 All tests passed!

Tests run: 1796, Failures: 0, Skipped: 1    Test Results

---

ℹ️ This is an automatic message