[SONAR] cleanup some security warnings and hardening (#6837)

Add deprecation to some endpoints

cleanup and jetty fix

Author: hansva

docker/integration-tests/unit-tests.Dockerfile

@@ -90,7 +90,6 @@ RUN chown -R ${JENKINS_USER}:${JENKINS_GROUP} ${DEPLOYMENT_PATH}/hop \
 # Download Additional drivers/dependencies
 ADD --chown=${JENKINS_USER}:${JENKINS_GROUP} https://repo1.maven.org/maven2/com/vertica/jdbc/vertica-jdbc/23.4.0-0/vertica-jdbc-23.4.0-0.jar /opt/hop/lib/jdbc/vertica-jdbc-23.4.0-0.jar
 ADD --chown=${JENKINS_USER}:${JENKINS_GROUP} https://repo1.maven.org/maven2/com/mysql/mysql-connector-j/9.2.0/mysql-connector-j-9.2.0.jar /opt/hop/lib/jdbc/mysql-connector-j-9.2.0.jar
-ADD --chown=${JENKINS_USER}:${JENKINS_GROUP} https://repo1.maven.org/maven2/org/openjdk/nashorn/nashorn-core/15.4/nashorn-core-15.4.jar /opt/hop/plugins/transforms/script/lib/nashorn-core-15.4.jar
 
 # make volume available so that hop pipeline and workflow files can be provided easily
 VOLUME ["/files"]

docs/hop-user-manual/modules/ROOT/pages/hop-server/rest-api.adoc

@@ -24,14 +24,22 @@ Hop Server has a rich set of web services that can be used to query and manage t
 
 TIP: when specified, the id for a workflow or pipeline represents one execution of a workflow or pipeline on the server.
 
-== addExport
+== addExport _(deprecated)_
+
+[WARNING]
+====
+*Deprecated since 2.18.0.* Use `registerPackage` (`hop/registerPackage`) instead.
+The remote pipeline and workflow engines call `registerPackage` for all export operations.
+This endpoint will be removed in a future release.
+====
 
 name::
 addExport
 
 description::
 Upload a resources export file.
 Add a zipped pipeline or workflow to the body payload as a binary file.
+*Deprecated* — use `registerPackage` instead.
 
 endPoint::
 GET `hop/addExport`
@@ -56,13 +64,20 @@ A zip file with the export is created on the server's file system.
 </webresult>
 ----
 
-== addPipeline
+== addPipeline _(deprecated)_
+
+[WARNING]
+====
+*Deprecated since 2.18.0.* Use <<Register Pipeline,`registerPipeline`>> (`hop/registerPipeline`) instead.
+This endpoint is no longer used by the remote pipeline engine and will be removed in a future release.
+====
 
 name::
 addPipeline
 
 description::
-Add a pipeline for execution
+Add a pipeline for execution.
+*Deprecated* — use `registerPipeline` instead.
 
 endPoint::
 GET `hop/addPipeline`
@@ -75,15 +90,22 @@ example request::
 `+http://localhost:8081/hop/addPipeline/xml=Y+` with XML payload
 
 result::
-- 
+-
+
+== addWorkflow _(deprecated)_
 
-== addWorkflow
+[WARNING]
+====
+*Deprecated since 2.18.0.* Use <<Register Workflow,`registerWorkflow`>> (`hop/registerWorkflow`) instead.
+This endpoint is no longer used by the remote workflow engine and will be removed in a future release.
+====
 
 name::
 addWorkflow
 
 description::
-Add a workflow for execution
+Add a workflow for execution.
+*Deprecated* — use `registerWorkflow` instead.
 
 endPoint::
 GET `hop/addWorkflow`

engine/pom.xml

@@ -120,10 +120,6 @@
                 </exclusion>
             </exclusions>
         </dependency>
-        <dependency>
-            <groupId>org.eclipse.jetty</groupId>
-            <artifactId>jetty-jaas</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.eclipse.jetty</groupId>
             <artifactId>jetty-security</artifactId>
@@ -199,6 +195,10 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <dependency>
+            <groupId>org.jspecify</groupId>
+            <artifactId>jspecify</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.mozilla</groupId>
             <artifactId>rhino-all</artifactId>

engine/src/main/java/org/apache/hop/www/AddExportServlet.java

@@ -56,8 +56,13 @@
  * a zip file. It ends up in a temporary file.
  *
  * <p>The servlet returns the name of the file stored.
+ *
+ * @deprecated Use {@link RegisterPackageServlet} ({@code /hop/registerPackage}) instead. The remote
+ *     pipeline and workflow engines call {@code registerPackage} for all export operations. This
+ *     endpoint will be removed in a future release.
  */
-@HopServerServlet(id = "addExport", name = "Upload a resources export file")
+@Deprecated(since = "2.18.0")
+@HopServerServlet(id = "addExport", name = "Upload a resources export file (deprecated)")
 public class AddExportServlet extends BaseHttpServlet implements IHopServerPlugin {
   public static final String PARAMETER_LOAD = "load";
   public static final String PARAMETER_TYPE = "type";
@@ -84,7 +89,10 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)
       logDebug("Addition of export requested");
     }
 
-    PrintWriter out = response.getWriter();
+    PrintWriter out = getSafeWriter(response);
+    if (out == null) {
+      return;
+    }
     InputStream in = request.getInputStream(); // read from the client
     if (log.isDetailed()) {
       logDetailed("Encoding: " + request.getCharacterEncoding());

engine/src/main/java/org/apache/hop/www/AddPipelineServlet.java

@@ -42,7 +42,13 @@
 import org.apache.hop.pipeline.engine.IPipelineEngine;
 import org.apache.hop.pipeline.engine.PipelineEngineFactory;
 
-@HopServerServlet(id = "addPipeline", name = "Add a pipeline for execution")
+/**
+ * @deprecated Use {@link RegisterPipelineServlet} ({@code /hop/registerPipeline}) instead. This
+ *     endpoint is no longer called by the remote pipeline engine and will be removed in a future
+ *     release.
+ */
+@Deprecated(since = "2.18.0")
+@HopServerServlet(id = "addPipeline", name = "Add a pipeline for execution (deprecated)")
 public class AddPipelineServlet extends BaseHttpServlet implements IHopServerPlugin {
   @Serial private static final long serialVersionUID = -6850701762586992604L;
 
@@ -67,8 +73,14 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)
 
     boolean useXML = "Y".equalsIgnoreCase(request.getParameter("xml"));
 
-    PrintWriter out = response.getWriter();
-    BufferedReader in = request.getReader();
+    PrintWriter out = getSafeWriter(response);
+    if (out == null) {
+      return;
+    }
+    BufferedReader in = getSafeReader(request, response);
+    if (in == null) {
+      return;
+    }
     if (log.isDetailed()) {
       logDetailed("Encoding: " + request.getCharacterEncoding());
     }

engine/src/main/java/org/apache/hop/www/AddWorkflowServlet.java

@@ -42,7 +42,13 @@
 import org.apache.hop.workflow.engine.IWorkflowEngine;
 import org.apache.hop.workflow.engine.WorkflowEngineFactory;
 
-@HopServerServlet(id = "addWorkflow", name = "Add a workflow to the server")
+/**
+ * @deprecated Use {@link RegisterWorkflowServlet} ({@code /hop/registerWorkflow}) instead. This
+ *     endpoint is no longer called by the remote workflow engine and will be removed in a future
+ *     release.
+ */
+@Deprecated(since = "2.18.0")
+@HopServerServlet(id = "addWorkflow", name = "Add a workflow to the server (deprecated)")
 public class AddWorkflowServlet extends BaseHttpServlet implements IHopServerPlugin {
   @Serial private static final long serialVersionUID = -6850701762586992604L;
 
@@ -67,8 +73,14 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)
 
     boolean useXML = "Y".equalsIgnoreCase(request.getParameter("xml"));
 
-    PrintWriter out = response.getWriter();
-    BufferedReader in = request.getReader(); // read from the client
+    PrintWriter out = getSafeWriter(response);
+    if (out == null) {
+      return;
+    }
+    BufferedReader in = getSafeReader(request, response);
+    if (in == null) {
+      return;
+    }
     if (log.isDetailed()) {
       logDetailed("Encoding: " + request.getCharacterEncoding());
     }
@@ -196,7 +208,7 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)
 
   protected String[] getAllArgumentStrings(Map<String, String> arguments) {
     if (Utils.isEmpty(arguments)) {
-      return null;
+      return new String[0];
     }
 
     String[] argNames = arguments.keySet().toArray(new String[arguments.size()]);

engine/src/main/java/org/apache/hop/www/BaseHopServerPlugin.java

@@ -19,6 +19,7 @@
 
 import com.google.common.collect.FluentIterable;
 import com.google.common.collect.ImmutableMultimap;
+import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
@@ -40,8 +41,15 @@ public abstract class BaseHopServerPlugin extends BaseHttpServlet
    */
   @Deprecated(since = "2.0")
   @Override
-  public void doGet(HttpServletRequest req, final HttpServletResponse resp) throws IOException {
-    service(req, resp);
+  public void doGet(HttpServletRequest req, final HttpServletResponse resp)
+      throws ServletException, IOException {
+    try {
+      service(req, resp);
+    } catch (IOException e) {
+      logError("I/O error servicing request for " + getContextPath(), e);
+      sendSafeError(
+          resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Unable to process server request.");
+    }
   }
 
   @Override
@@ -57,12 +65,6 @@ protected void service(HttpServletRequest req, HttpServletResponse resp) throws
     handleRequest(new HopServerRequestImpl(req, resp));
   }
 
-  @Override
-  public abstract void handleRequest(IHopServerRequest request) throws IOException;
-
-  @Override
-  public abstract String getContextPath();
-
   @Override
   public String getService() {
     return getContextPath() + " (" + toString() + ")";