[CST-21947] fix security fix

2025-10-07 01:54:22 +00:00 · 2025-08-14 12:02:08 +02:00
parent dd106cad66
commit 3ea0befd28
2 changed files with 12 additions and 4 deletions
--- a/dspace-api/src/main/java/org/dspace/storage/bitstore/DSBitStoreService.java
+++ b/dspace-api/src/main/java/org/dspace/storage/bitstore/DSBitStoreService.java
@@ -19,9 +19,11 @@ import java.security.NoSuchAlgorithmException;
 import java.util.List;
 import java.util.Map;

+import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.Logger;
 import org.dspace.content.Bitstream;
 import org.dspace.core.Utils;
+import org.dspace.services.factory.DSpaceServicesFactory;

 /**
 * Native DSpace (or "Directory Scatter" if you prefer) asset store.
@@ -252,7 +254,10 @@ public class DSBitStoreService extends BaseBitStoreService {
        }
        File bitstreamFile = new File(bufFilename.toString());
        Path normalizedPath = bitstreamFile.toPath().normalize();
-        if (!normalizedPath.startsWith(baseDir.getAbsolutePath())) {
+        String[] allowedAssetstoreRoots = DSpaceServicesFactory.getInstance().getConfigurationService()
+                .getArrayProperty("assetstore.allowed.roots", new String[]{});
+        if (!normalizedPath.startsWith(baseDir.getAbsolutePath())
+            && !StringUtils.startsWithAny(normalizedPath.toString(), allowedAssetstoreRoots)) {
            log.error("Bitstream path outside of assetstore root requested:" +
                    "bitstream={}, path={}, assetstore={}",
                    bitstream.getID(), normalizedPath, baseDir.getAbsolutePath());
--- a/dspace/config/modules/assetstore.cfg
+++ b/dspace/config/modules/assetstore.cfg
@@ -12,12 +12,15 @@ assetstore.dir = ${dspace.dir}/assetstore
 # This value will be used as `incoming` default store inside the `bitstore.xml`
 # Possible values are:
 #     - 0: to use the `localStore`;
-#     - 1: to use the `s3Store`. 
+#     - 1: to use the `s3Store`.
 # If you want to add additional assetstores, they must be added to that bitstore.xml
 # and new values should be provided as key-value pairs in the `stores` map of the
-# `bitstore.xml` configuration. 
+# `bitstore.xml` configuration.
 assetstore.index.primary = 0

+#if the assetstore path is symbolic link, use this configuration to allow that path.
+#assetstore.allowed.roots = /data/assetstore
+
 #---------------------------------------------------------------#
 #-------------- Amazon S3 Specific Configurations --------------#
 #---------------------------------------------------------------#
@@ -54,4 +57,4 @@ assetstore.s3.awsSecretKey =

 # If the credentials are left empty,
 # then this setting is ignored and the default AWS region will be used.
-assetstore.s3.awsRegionName =
+assetstore.s3.awsRegionName =