Add a test to prove the default settings are to always download these formats

(cherry picked from commit e6bfb833ee)
2025-10-07 01:54:22 +00:00 · 2024-06-10 10:09:33 -05:00
parent 7ba150f4fc
commit 7951c8e428
1 changed files with 29 additions and 1 deletions
--- a/dspace-server-webapp/src/test/java/org/dspace/app/rest/BitstreamRestControllerIT.java
+++ b/dspace-server-webapp/src/test/java/org/dspace/app/rest/BitstreamRestControllerIT.java
@@ -1247,7 +1247,6 @@ public class BitstreamRestControllerIT extends AbstractControllerIntegrationTest
        Mockito.verify(inputStreamSpy, times(1)).close();
    }

-
    @Test
    public void checkContentDispositionOfFormats() throws Exception {
        configurationService.setProperty("webui.content_disposition_format", new String[] {
@@ -1285,6 +1284,35 @@ public class BitstreamRestControllerIT extends AbstractControllerIntegrationTest
        verifyBitstreamDownload(html, "text/html;charset=UTF-8", false);
    }

+    @Test
+    public void checkDefaultContentDispositionFormats() throws Exception {
+        // This test is similar to the above test, but it verifies that our *default settings* for
+        // webui.content_disposition_format are protecting us from loading specific formats *inline*.
+        context.turnOffAuthorisationSystem();
+        Community community = CommunityBuilder.createCommunity(context).build();
+        Collection collection = CollectionBuilder.createCollection(context, community).build();
+        Item item = ItemBuilder.createItem(context, collection).build();
+        String content = "Test Content";
+        Bitstream html;
+        Bitstream js;
+        Bitstream xml;
+        try (InputStream is = IOUtils.toInputStream(content, CharEncoding.UTF_8)) {
+            html = BitstreamBuilder.createBitstream(context, item, is)
+                                   .withMimeType("text/html").build();
+            js = BitstreamBuilder.createBitstream(context, item, is)
+                                  .withMimeType("text/javascript").build();
+            xml = BitstreamBuilder.createBitstream(context, item, is)
+                                  .withMimeType("text/xml").build();
+        }
+        context.restoreAuthSystemState();
+
+        // By default, HTML, JS & XML should all download. This protects us from possible XSS attacks, as
+        // each of these formats can embed JavaScript which may execute when the file is loaded *inline*.
+        verifyBitstreamDownload(html, "text/html;charset=UTF-8", true);
+        verifyBitstreamDownload(js, "text/javascript;charset=UTF-8", true);
+        verifyBitstreamDownload(xml, "text/xml;charset=UTF-8", true);
+    }
+
    private void verifyBitstreamDownload(Bitstream file, String contentType, boolean shouldDownload) throws Exception {
        String token = getAuthToken(admin.getEmail(), password);
        String header = getClient(token).perform(get("/api/core/bitstreams/" + file.getID() + "/content")