Merge pull request #11171 from 4Science/task/main/DURACOM-392

Error in file upload after security fixes

dspace-api/src/main/java/org/dspace/storage/bitstore/DSBitStoreService.java

@@ -19,9 +19,11 @@ import java.security.NoSuchAlgorithmException;
 import java.util.List;
 import java.util.Map;
 
+import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.Logger;
 import org.dspace.content.Bitstream;
 import org.dspace.core.Utils;
+import org.dspace.services.factory.DSpaceServicesFactory;
 
 /**
  * Native DSpace (or "Directory Scatter" if you prefer) asset store.
@@ -252,7 +254,10 @@ public class DSBitStoreService extends BaseBitStoreService {
         }
         File bitstreamFile = new File(bufFilename.toString());
         Path normalizedPath = bitstreamFile.toPath().normalize();
-        if (!normalizedPath.startsWith(baseDir.getAbsolutePath())) {
+        String[] allowedAssetstoreRoots = DSpaceServicesFactory.getInstance().getConfigurationService()
+                .getArrayProperty("assetstore.allowed.roots", new String[]{});
+        if (!normalizedPath.startsWith(baseDir.getAbsolutePath())
+            && !StringUtils.startsWithAny(normalizedPath.toString(), allowedAssetstoreRoots)) {
             log.error("Bitstream path outside of assetstore root requested:" +
                     "bitstream={}, path={}, assetstore={}",
                     bitstream.getID(), normalizedPath, baseDir.getAbsolutePath());

dspace/config/modules/assetstore.cfg

@@ -18,6 +18,9 @@ assetstore.dir = ${dspace.dir}/assetstore
 # `bitstore.xml` configuration.
 assetstore.index.primary = 0
 
+#if the assetstore path is symbolic link, use this configuration to allow that path.
+#assetstore.allowed.roots = /data/assetstore
+
 #---------------------------------------------------------------#
 #-------------- Amazon S3 Specific Configurations --------------#
 #---------------------------------------------------------------#