Avoid inline display of HTML/JS bitstreams. Add JS to list of known formats so that it can be recognized by DSpace.

2025-10-07 18:14:26 +00:00 · 2024-06-06 11:44:28 -05:00
parent 4c5a91fc02
commit 356a028186
3 changed files with 21 additions and 1 deletions
--- a/dspace-server-webapp/src/main/java/org/dspace/app/rest/BitstreamRestController.java
+++ b/dspace-server-webapp/src/main/java/org/dspace/app/rest/BitstreamRestController.java
@@ -209,7 +209,13 @@ public class BitstreamRestController {
        if (format == null) {
            return false;
        }
-        List<String> formats = List.of((configurationService.getArrayProperty("webui.content_disposition_format")));
+        // Default to always downloading HTML/JavaScript files. These formats can embed JavaScript which would be run
+        // in the user's browser when loaded inline. This could be the basis for an XSS attack.
+        // RTF is also added because most browsers attempt to display it as plain text.
+        String [] defaultFormats = { "text/html", "text/javascript", "text/richtext" };
+
+        List<String> formats = List.of(configurationService.getArrayProperty("webui.content_disposition_format",
+                                                                             defaultFormats));
        boolean download = formats.contains(format.getMIMEType());
        if (!download) {
            for (String ext : format.getExtensions()) {
--- a/dspace/config/dspace.cfg
+++ b/dspace/config/dspace.cfg
@@ -1387,6 +1387,11 @@ webui.content_disposition_threshold = 8388608
 # Set which mimetypes, file extensions will NOT be opened inline
 # Files with these mimetypes/extensions will always be downloaded,
 # regardless of the threshold above
+# We HIGHLY RECOMMEND forcing HTML / Javascript to always download.
+# If a bitstream contained malicious Javascript, it would be executed in a user's browser when opened inline.
+webui.content_disposition_format = text/html
+webui.content_disposition_format = text/javascript
+# RTF is always downloaded because most browsers attempt to display it as plain text.
 webui.content_disposition_format = text/richtext

 #### Multi-file HTML document/site settings #####
--- a/dspace/config/registries/bitstream-formats.xml
+++ b/dspace/config/registries/bitstream-formats.xml
@@ -827,4 +827,13 @@
        <extension>avif</extension>
    </bitstream-type>

+    <bitstream-type>
+        <mimetype>text/javascript</mimetype>
+        <short_description>JavaScript</short_description>
+        <description>JavaScript</description>
+        <support_level>1</support_level>
+        <internal>false</internal>
+        <extension>js</extension>
+    </bitstream-type>
+
 </dspace-bitstream-types>