Basic XML entity preprocessor

[nikitawootten-nist]

User Story:

As a metaschema-node user reading in complex metaschemas, I may need to rely on BASIC processing of XML entities to load shared resources such as constraints shared between models.

OSCAL's metaschema definitions are an example of this. oscal_implementation-common_metaschema.xml for example has the following `DOCTYPE tag:

<!DOCTYPE METASCHEMA [
      <!ENTITY allowed-values-responsible-roles-operations SYSTEM "./shared-constraints/allowed-values-responsible-roles-operations.ent">
      <!ENTITY allowed-values-responsible-roles-component-production SYSTEM "./shared-constraints/allowed-values-responsible-roles-component-production.ent">
      <!ENTITY allowed-values-property-name-asset-type-values SYSTEM "./shared-constraints/allowed-values-property-name-asset-type-values.ent">
      <!ENTITY allowed-values-component_component_property-name SYSTEM "./shared-constraints/allowed-values-component_component_property-name.ent">
      <!ENTITY allowed-values-component_component_software SYSTEM "./shared-constraints/allowed-values-component_component_software.ent">
      <!ENTITY allowed-values-component_component_service SYSTEM "./shared-constraints/allowed-values-component_component_service.ent">
      <!ENTITY allowed-values-component_inventory-item_property-name SYSTEM "./shared-constraints/allowed-values-component_inventory-item_property-name.ent">
      <!ENTITY allowed-values-component_component_link-rel SYSTEM "./shared-constraints/allowed-values-component_component_link-rel.ent">
      <!ENTITY allowed-values-component-type SYSTEM "./shared-constraints/allowed-values-component-type.ent">
]>

Goals:

• [ ] A convenience function capable of reading in a raw XML document and extracting all entities.
• [ ] Using the ResourceResolver construct, the corresponding .ent files can be resolved to their string values.
• [ ] All instances of the entity are replaced with the resolved .ent file value using string replacement.
• [ ] Write a small threat model that addresses concerns around:
  • resolving entities using content from arbitrary remote URLs
  • HTTP client and regex exploits resulting from injected code
  • etc.
• [ ] Address threat model and the following security constraints
  • [ ] Only resolve to local filesystem
  • [ ] Only allow URLs for a specific base URI
  • [ ] Protection against "rogue" entities from being considered valid

Dependencies:

• 19

Acceptance Criteria

• [ ] A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
• [ ] The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

[nikitawootten-nist]

After discussing the pros and cons of this stopgap we have decided to avoid building this out in lieu of the upcoming metaschema constraints overhaul.