[CST-21947] fix security fix

(cherry picked from commit 6c3274630c)

dspace-api/src/main/java/org/dspace/storage/bitstore/DSBitStoreService.java

@@ -19,9 +19,11 @@ import java.security.NoSuchAlgorithmException;
 import java.util.List;
 import java.util.Map;
 
+import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.Logger;
 import org.dspace.content.Bitstream;
 import org.dspace.core.Utils;
+import org.dspace.services.factory.DSpaceServicesFactory;
 
 /**
  * Native DSpace (or "Directory Scatter" if you prefer) asset store.
@@ -252,7 +254,10 @@ public class DSBitStoreService extends BaseBitStoreService {
         }
         File bitstreamFile = new File(bufFilename.toString());
         Path normalizedPath = bitstreamFile.toPath().normalize();
-        if (!normalizedPath.startsWith(baseDir.getAbsolutePath())) {
+        String[] allowedAssetstoreRoots = DSpaceServicesFactory.getInstance().getConfigurationService()
+                .getArrayProperty("assetstore.allowed.roots", new String[]{});
+        if (!normalizedPath.startsWith(baseDir.getAbsolutePath())
+            && !StringUtils.startsWithAny(normalizedPath.toString(), allowedAssetstoreRoots)) {
             log.error("Bitstream path outside of assetstore root requested:" +
                     "bitstream={}, path={}, assetstore={}",
                     bitstream.getID(), normalizedPath, baseDir.getAbsolutePath());

dspace/config/modules/assetstore.cfg

@@ -102,3 +102,5 @@ assetstore.s3.awsRegionName =
 # The maximum counter value for S3 operations.
 # Default: -1 (unlimited) connection is never manualy closed in BitstoreService
 # assetstore.jcloud.maxCounter = -1
+
+#assetstore.allowed.roots = /data/assetstore