From 992f3dc9c2d1673a0a9c8617f18cb08b171a050a Mon Sep 17 00:00:00 2001
From: labkey-jeckels
Date: Mon, 16 Feb 2026 11:02:09 -0800
Subject: [PATCH] Improved validation for XML parsing and paths
---
 api/src/org/labkey/api/reader/ExcelLoader.java | 3 ++-
 .../org/labkey/core/attachment/AttachmentServiceImpl.java | 2 +-
 .../org/labkey/filecontent/FileSystemAttachmentParent.java | 2 +-
 .../src/org/labkey/pipeline/api/PipelineStatusManager.java | 6 ++++++
 4 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/api/src/org/labkey/api/reader/ExcelLoader.java b/api/src/org/labkey/api/reader/ExcelLoader.java
index 32b613afe2b..658f6e0a972 100644
--- a/api/src/org/labkey/api/reader/ExcelLoader.java
+++ b/api/src/org/labkey/api/reader/ExcelLoader.java
@@ -46,6 +46,7 @@
 import org.labkey.api.util.FileUtil;
 import org.labkey.api.util.JunitUtil;
 import org.labkey.api.util.StringUtilsLabKey;
+import org.labkey.api.util.XmlBeansUtil;
 import org.labkey.vfs.FileLike;
 import org.labkey.vfs.FileSystemLike;
 import org.xml.sax.Attributes;
@@ -540,7 +541,7 @@ private Thread startAsyncParsing() throws IOException, InvalidFormatException
 if (sheetMatches(sheetIndex, iter.getSheetName()))
 {
 InputSource sheetSource = new InputSource(stream);
- SAXParserFactory saxFactory = SAXParserFactory.newInstance();
+ SAXParserFactory saxFactory = XmlBeansUtil.SAX_PARSER_FACTORY;
 try
 {
 SAXParser saxParser = saxFactory.newSAXParser();
diff --git a/core/src/org/labkey/core/attachment/AttachmentServiceImpl.java b/core/src/org/labkey/core/attachment/AttachmentServiceImpl.java
index 390a77b3e17..6a1012da65a 100644
--- a/core/src/org/labkey/core/attachment/AttachmentServiceImpl.java
+++ b/core/src/org/labkey/core/attachment/AttachmentServiceImpl.java
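Review bot: `XmlBeansUtil.SAX_PARSER_FACTORY` is a shared instance, and the ExcelLoader hunk now calls `saxFactory.newSAXParser()` on it inside `startAsyncParsing()`, which by its name runs sheet parsing on its own thread; JAXP does not guarantee that a `SAXParserFactory` is thread-safe, so concurrent Excel loads may race on the factory. The constant's definition is not part of this diff, so please confirm there that it is configured once, never mutated afterwards, and that it disables DOCTYPE declarations and external entities, since that is the only benefit over `SAXParserFactory.newInstance()`. If concurrent use cannot be shown safe, wrap the call in `synchronized (saxFactory) { ... }` or add a helper in `XmlBeansUtil` that hands out a freshly hardened parser, and record the decision in a comment such as `// shared hardened factory (no DTDs / external entities); see XmlBeansUtil`. The method body continues outside the hunk.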
@@ -289,7 +289,7 @@ public synchronized void addAttachments(AttachmentParent parent, List filesToSkip = new TreeSet<>();
- File fileLocation = parent instanceof AttachmentDirectory ? ((AttachmentDirectory) parent).getFileSystemDirectory() : null;
+ File fileLocation = parent instanceof AttachmentDirectory dir ? dir.getFileSystemDirectory() : null;
 for (AttachmentFile file : files)
 {
diff --git a/filecontent/src/org/labkey/filecontent/FileSystemAttachmentParent.java b/filecontent/src/org/labkey/filecontent/FileSystemAttachmentParent.java
index 8aebc12cda1..f9b1542e750 100644
--- a/filecontent/src/org/labkey/filecontent/FileSystemAttachmentParent.java
+++ b/filecontent/src/org/labkey/filecontent/FileSystemAttachmentParent.java
@@ -191,7 +191,7 @@ public void addAttachment(User user, AttachmentFile file) throws IOException
 {
 Path fileLocation = getFileSystemDirectoryPath();
 InputStream is = file.openInputStream();
- Path saveFile = fileLocation.resolve(file.getFilename());
+ Path saveFile = FileUtil.appendName(fileLocation, file.getFilename());
 try
 {
 Files.copy(is, saveFile);
diff --git a/pipeline/src/org/labkey/pipeline/api/PipelineStatusManager.java b/pipeline/src/org/labkey/pipeline/api/PipelineStatusManager.java
index 959122963e1..6cbcfedb093 100644
--- a/pipeline/src/org/labkey/pipeline/api/PipelineStatusManager.java
+++ b/pipeline/src/org/labkey/pipeline/api/PipelineStatusManager.java
@@ -694,6 +694,12 @@ public static void completeStatus(User user, Collection rowIds)
 PipelineStatusFileImpl sf = PipelineStatusManager.getStatusFile(rowId);
 if (sf != null)
 {
+ Container container = sf.lookupContainer();
+ if (container == null || !container.hasPermission(user, UpdatePermission.class))
+ {
+ throw new UnauthorizedException();
+ }
+
 LOG.info("Job " + sf.getFilePath() + " was marked as complete by " + user);
 sf.setStatus(PipelineJob.TaskStatus.complete.toString());
 sf.setInfo(null);
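Review bot: In `FileSystemAttachmentParent.addAttachment`, `file.openInputStream()` is still called before `FileUtil.appendName(...)` and the `try` only opens after both, so if `appendName` rejects the filename (presumably by throwing; its implementation is not in this diff) the stream opened on the previous line is outside any cleanup. Resolve the target first and open the stream second, i.e. `Path saveFile = FileUtil.appendName(fileLocation, file.getFilename());` followed by `InputStream is = file.openInputStream();`, or open the stream in a try-with-resources. The method body continues past the hunk, so the existing cleanup code is not visible here.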
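Review bot: The permission check added to `completeStatus` runs inside the per-row loop, so when `rowIds` spans several containers the rows ahead of the first unauthorized one have already had `setStatus`/`setInfo` applied by the time `UnauthorizedException` is thrown. Unless the caller wraps this method in a transaction, which cannot be seen from the hunk, that leaves a partial update; checking every status file's container in a first pass and mutating only in a second would make the call all-or-nothing. The denial is also silent in the log, and a line such as `LOG.warn("User " + user + " is not permitted to complete job " + rowId);` before the throw would give operators a trace of the rejected attempt. The loop header and the rest of the method lie outside the hunk.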