From 0f74cb22bf1e5eedec766cb9e8b85ff9d35d2f2e Mon Sep 17 00:00:00 2001
From: Tim Donohue
Date: Thu, 6 Jun 2024 11:44:28 -0500
Subject: [PATCH] Avoid inline display of HTML/JS bitstreams. Add JS to list of known formats so that it can be recognized by DSpace.

(cherry picked from commit 356a0281867989cd1bf6345f9d369f9c992791c8)
---
 .../org/dspace/app/rest/BitstreamRestController.java | 8 +++++++-
 dspace/config/dspace.cfg | 5 +++++
 dspace/config/registries/bitstream-formats.xml | 9 +++++++++
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/dspace-server-webapp/src/main/java/org/dspace/app/rest/BitstreamRestController.java b/dspace-server-webapp/src/main/java/org/dspace/app/rest/BitstreamRestController.java
index 9b5ede37c8..e3d6076844 100644
--- a/dspace-server-webapp/src/main/java/org/dspace/app/rest/BitstreamRestController.java
+++ b/dspace-server-webapp/src/main/java/org/dspace/app/rest/BitstreamRestController.java
@@ -209,7 +209,13 @@ public class BitstreamRestController {
 if (format == null) {
 return false;
 }
- List formats = List.of((configurationService.getArrayProperty("webui.content_disposition_format")));
+ // Default to always downloading HTML/JavaScript files. These formats can embed JavaScript which would be run
+ // in the user's browser when loaded inline. This could be the basis for an XSS attack.
+ // RTF is also added because most browsers attempt to display it as plain text.
+ String [] defaultFormats = { "text/html", "text/javascript", "text/richtext" };
+
+ List formats = List.of(configurationService.getArrayProperty("webui.content_disposition_format",
+ defaultFormats));
 boolean download = formats.contains(format.getMIMEType());
 if (!download) {
 for (String ext : format.getExtensions()) {
diff --git a/dspace/config/dspace.cfg b/dspace/config/dspace.cfg
index fc840ef003..1d108d5c33 100644
--- a/dspace/config/dspace.cfg
+++ b/dspace/config/dspace.cfg
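Review bot: The built-in defaults introduced on the `String [] defaultFormats` line only protect installations where `webui.content_disposition_format` is entirely absent — presumably `getArrayProperty(key, default)` returns the default instead of merging it (confirm against ConfigurationService), so a site whose dspace.cfg still carries only the pre-existing `webui.content_disposition_format = text/richtext` line would keep serving HTML and JavaScript inline after this upgrade; the comment block should say so, e.g. `// NOTE: these defaults apply only when the property is unset; any configured value replaces them entirely.` The rewritten `List formats` line is still a raw type — `List<String> formats = List.of(configurationService.getArrayProperty("webui.content_disposition_format", defaultFormats));` keeps the later `contains` call type-checked — and `String [] defaultFormats` would conventionally be written `String[] defaultFormats`. The comparison is an exact string match against the registry MIME type, so related script-capable types such as `application/xhtml+xml` and `image/svg+xml` are not covered by the default and could be considered for the same list. The enclosing method starts and ends outside this hunk.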
@@ -1373,6 +1373,11 @@ webui.content_disposition_threshold = 8388608
 # Set which mimetypes, file extensions will NOT be opened inline
 # Files with these mimetypes/extensions will always be downloaded,
 # regardless of the threshold above
+# We HIGHLY RECOMMEND forcing HTML / Javascript to always download.
+# If a bitstream contained malicious Javascript, it would be executed in a user's browser when opened inline.
+webui.content_disposition_format = text/html
+webui.content_disposition_format = text/javascript
+# RTF is always downloaded because most browsers attempt to display it as plain text.
 webui.content_disposition_format = text/richtext
 
 #### Multi-file HTML document/site settings #####
diff --git a/dspace/config/registries/bitstream-formats.xml b/dspace/config/registries/bitstream-formats.xml
index 3515773fd7..fe0943e015 100644
--- a/dspace/config/registries/bitstream-formats.xml
+++ b/dspace/config/registries/bitstream-formats.xml
@@ -827,4 +827,13 @@ avif + + text/javascript + JavaScript + JavaScript + 1 + false + js + +
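Review bot: The new comment above `webui.content_disposition_format = text/html` does not tell the administrator that these three values are also the code's built-in default from the Java change in this same commit, and — presumably, since a configured value appears to replace the default rather than merge with it — that trimming this list removes entries for good rather than falling back to it. A line such as `# These entries mirror the built-in default used when this property is unset; removing one here disables it entirely.` would make that relationship explicit for anyone editing the file after an upgrade.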