UFAL/Security patches from vanilla DSpace 7.6.7 (CVE-2026-49830, CVE-2026-49831)

[milanmajchrak]

Security patches from vanilla DSpace 7.6.7

DSpace 7.6.7 (final 7.x release, 2026-05-28) shipped a coordinated set of security fixes. This branch was missing all of them. This PR cherry-picks the complete set from upstream dspace-7_x:

Advisory	CVE	Fix	Upstream PR
GHSA-c827-pw3m-67w7	CVE-2026-49830 (medium)	ORE aggregated resource URI validation (scheme + host allowlist) in OREIngestionCrosswalk	DSpace#12542
GHSA-v66x-68f2-pxf5	CVE-2026-49831 (medium)	Curation Task Reporter path traversal: new SecureFileAccess, curation output restricted to allowed base paths	DSpace#12539
(hardening)	—	Velocity template safety for Email: SecureUberspector, restricted introspection, only allowlisted config exposed to templates	DSpace#12546
(hardening)	—	GlobalRequestSecurityFilter: rejects path-traversal/JSP request patterns at the REST webapp boundary	DSpace#12550

Config changes

• dspace.cfg: new message.templates.allowed-config allowlist (config keys exposed to email templates)
• config/modules/curate.cfg: new commented curate.taskfile.base / curate.reporter.base options
• config/modules/oai.cfg: new commented ORE harvester URL-prefix allowlist option

Behavioral notes

• Curation -T (taskFile) and -r (reporter) options are now CLI-only — they can no longer be passed to REST-triggered processes (this is the CVE-2026-49831 fix).
• Path-traversal requests (e.g. to /sitemaps) now return 403 instead of 400 (test expectations updated).
• Email Velocity templates only see config keys listed in message.templates.allowed-config (default: dspace.name, dspace.shortname, dspace.ui.url, mail.helpdesk, mail.message.helpdesk.telephone, mail.admin, mail.admin.name). If a customer template references other ${config...} keys, add them to this list.

Intentionally not included

• Upstream [Port dspace-7_x] Disable most file formats for "inline" display (in a user's browser) by default, unless overridden by configuration. DSpace/DSpace#12149 (webui.content_disposition_inline allowlist rework) — changes default inline-display behavior; left for a separate decision.

Verification

• mvn package (dspace-api + dspace-server-webapp) passes locally.
• Full unit + integration test suite runs via CI on this PR.

🤖 Generated with Claude Code

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3822da6d-4e7b-4ae6-ba7d-e3f46609ae80

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}