Skip to content

UFAL/Security patches from vanilla DSpace 7.6.7 (CVE-2026-49830, CVE-2026-49831)#1330

Open
milanmajchrak wants to merge 20 commits into
customer/lindatfrom
lindat/security-patches-7.6.7
Open

UFAL/Security patches from vanilla DSpace 7.6.7 (CVE-2026-49830, CVE-2026-49831)#1330
milanmajchrak wants to merge 20 commits into
customer/lindatfrom
lindat/security-patches-7.6.7

Conversation

@milanmajchrak

@milanmajchrak milanmajchrak commented Jun 11, 2026

Copy link
Copy Markdown
Collaborator

Security patches from vanilla DSpace 7.6.7

DSpace 7.6.7 (final 7.x release, 2026-05-28) shipped a coordinated set of security fixes. This branch was missing all of them. This PR cherry-picks the complete set from upstream dspace-7_x:

Advisory CVE Fix Upstream PR
GHSA-c827-pw3m-67w7 CVE-2026-49830 (medium) ORE aggregated resource URI validation (scheme + host allowlist) in OREIngestionCrosswalk DSpace#12542
GHSA-v66x-68f2-pxf5 CVE-2026-49831 (medium) Curation Task Reporter path traversal: new SecureFileAccess, curation output restricted to allowed base paths DSpace#12539
(hardening) Velocity template safety for Email: SecureUberspector, restricted introspection, only allowlisted config exposed to templates DSpace#12546
(hardening) GlobalRequestSecurityFilter: rejects path-traversal/JSP request patterns at the REST webapp boundary DSpace#12550

Config changes

  • dspace.cfg: new message.templates.allowed-config allowlist (config keys exposed to email templates)
  • config/modules/curate.cfg: new commented curate.taskfile.base / curate.reporter.base options
  • config/modules/oai.cfg: new commented ORE harvester URL-prefix allowlist option

Behavioral notes

  • Curation -T (taskFile) and -r (reporter) options are now CLI-only — they can no longer be passed to REST-triggered processes (this is the CVE-2026-49831 fix).
  • Path-traversal requests (e.g. to /sitemaps) now return 403 instead of 400 (test expectations updated).
  • Email Velocity templates only see config keys listed in message.templates.allowed-config (default: dspace.name, dspace.shortname, dspace.ui.url, mail.helpdesk, mail.message.helpdesk.telephone, mail.admin, mail.admin.name). If a customer template references other ${config...} keys, add them to this list.

Intentionally not included

Verification

  • mvn package (dspace-api + dspace-server-webapp) passes locally.
  • Full unit + integration test suite runs via CI on this PR.

🤖 Generated with Claude Code

kshepherd added 17 commits June 11, 2026 10:48
@kshepherd @milanmajchrak
ORE aggregated resource URI validation
a57f4c5 
(cherry picked from commit 7ac17f6)
@kshepherd @milanmajchrak
Velocity and template safety for Email and LDN messages
4e19b94 
* Safer Velocity configuration
* New "message.templates.allowed-config" config
* Remove "UnmodifiableConfiguration" in favour of a
  simple Map of whitelisted Config keys/values
* Centralise Velocity config in core Utils
* Small javadoc changes

(cherry picked from commit b2d6141)
(cherry picked from commit 5b31db5)
@kshepherd @milanmajchrak
Better null checking in allowed config props
f3fbfa8 
(cherry picked from commit 6b66531)
(cherry picked from commit 46a0dfb)
@kshepherd @milanmajchrak
Access configurationService at runtime, not rely on class setup
30d6c94 
(cherry picked from commit 5803819)
(cherry picked from commit 4be430f)
@kshepherd @milanmajchrak
Remove strict mode Velocity engine configuration (allow nulls)
05cc771 
(cherry picked from commit 655fc62)
@kshepherd @milanmajchrak
Filter requests for JSPs or traversal
1484ceb 
(cherry picked from commit cf9be85)
(cherry picked from commit dc3e455)
@kshepherd @milanmajchrak
Add additional logging to GlobalRequestSecurityFilter
b5ac787 
(cherry picked from commit 295a046)
(cherry picked from commit 0b1deae)
@kshepherd @milanmajchrak
Fix import order
b51274b 
(cherry picked from commit e2e6a79)
(cherry picked from commit 2e40077)
@kshepherd @milanmajchrak
Update sitemap traversal test expectations
6f78750 
(cherry picked from commit 56ae287)
(cherry picked from commit 1a3dfd7)
@kshepherd @milanmajchrak
Backport GlobalRequestSecurityFilter for javax
c4cb116 
(cherry picked from commit 8a2eee9)
@kshepherd @milanmajchrak
Add secure file access methods
5d675cf 
(cherry picked from commit 22bec44)
@kshepherd @milanmajchrak
Backport Curation I/O using secure file access
5d1e8bc 
Removes some JDK >= 16 usage

(cherry picked from commit 55905a2)
@kshepherd @milanmajchrak
Curation config support for allowed base paths
e7f4604 
(cherry picked from commit 4502224)
@kshepherd @milanmajchrak
Move curation -r reporter param to CLI only
6612d9f 
(cherry picked from commit 277af82)
@kshepherd @milanmajchrak
Fix import order
139c7b1 
(cherry picked from commit a757221)
@kshepherd @milanmajchrak
Ignore CurationScriptIT -T taskFile tests, to rewrite w/ CLI
7a3facf 
(cherry picked from commit 6437472)
(cherry picked from commit 37cd6eb)
@kshepherd @milanmajchrak
Move taskfile -T option to CLI script config only
3e250e2 
(cherry picked from commit 00e4979)
(cherry picked from commit 27708ea)
@coderabbitai

coderabbitai Bot commented Jun 11, 2026
edited
Loading

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3822da6d-4e7b-4ae6-ba7d-e3f46609ae80

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

milanmajchrak and others added 3 commits June 11, 2026 12:28
@milanmajchrak
Fix BitstreamFormatRestRepositoryIT format count
640e52c 
The bitstream format registry on this branch contains 107 formats but the
test still expected 95, so the create* tests have been failing on the base
branch as well (pre-existing). Align the constant with the actual registry
content.
@tdonohue @milanmajchrak
Fix broken tests due to random order execution. When CreateMissingIde…
0e1aa49 
…ntifiersIT is run before WorkflowCurationIT, it was causing the latter to fail.

(cherry picked from commit 816dfbe)
(cherry picked from commit 6a781f6)
@milanmajchrak
Make BitstreamFormatRestRepositoryIT count assertions order-robust
14d802a 
The format count in the test DB depends on test class execution order
(other test classes on this branch leak formats into the registry), so
the create* tests randomly failed with a fixed expected constant - both
on this branch and on the base branch. Capture the current count before
each create attempt and assert relative to it, instead of relying on
DEFAULT_AMOUNT_FORMATS.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@milanmajchrak @kshepherd @tdonohue