
ZCU-DATA/Security patches from vanilla DSpace 7.6.x (CVE-2024-38364, CVE-2025-53621/53622, CVE-2026-49830/49831) #1334

Open
milanmajchrak wants to merge 35 commits into customer/zcu-data from zcu-data/security-patches-7.6.7

Conversation

@milanmajchrak

Collaborator

Security patches from vanilla DSpace 7.6.2 / 7.6.4 / 7.6.7

This branch (7.6.1-level base) was missing the security fixes that vanilla DSpace shipped in 7.6.2, 7.6.4 and 7.6.7 (final 7.x release). This PR cherry-picks the complete set from upstream dspace-7_x, in release order:

From 7.6.2

| Advisory | CVE | Fix |
| --- | --- | --- |
| GHSA-94cc-xjxr-pwvf | CVE-2024-38364 (low) | XSS via deposited HTML/XML/JS documents: HTML, XML, RDF, JS are now hardcoded download-only (cannot be served inline), unknown formats always download, new webui.content_disposition_format = * wildcard supported. text/javascript added to the format registry. |

(The branch already had the config-driven blocklist part of this fix; this PR adds the hardcoded enforcement + "unknown formats" handling from upstream.)

From 7.6.4

| Advisory | CVE | Fix | Upstream PR |
| --- | --- | --- | --- |
| GHSA-jjwr-5cfh-7xwh | CVE-2025-53621 (medium) | XXE in Simple Archive Format import and external import sources (PubMed, EPO, Scopus, WOS, CiNii, ORCID, CC license, DataCite...): centralized hardened XML parser factories in XMLUtils (DTD/external entities disabled) | DSpace#11032, DSpace#10677 |
| GHSA-vhvx-8xgc-99wf | CVE-2025-53622 (medium) | Path traversal in SAF package import via contents file: canonical-path validation of every referenced file + bitstream path containment inside the assetstore (DSBitStoreService) | DSpace#11036 |
| (hardening) | | SWORDv2 Zip Slip protection in SimpleZipContentIngester | DSpace#10726 |

From 7.6.7

| Advisory | CVE | Fix | Upstream PR |
| --- | --- | --- | --- |
| GHSA-c827-pw3m-67w7 | CVE-2026-49830 (medium) | ORE aggregated resource URI validation (scheme + host allowlist) in OREIngestionCrosswalk | DSpace#12542 |
| GHSA-v66x-68f2-pxf5 | CVE-2026-49831 (medium) | Curation Task Reporter path traversal: new SecureFileAccess, curation output restricted to allowed base paths; -T/-r options CLI-only | DSpace#12539 |
| (hardening) | | Velocity template safety for Email (SecureUberspector + config allowlist message.templates.allowed-config) | DSpace#12546 |
| (hardening) | | GlobalRequestSecurityFilter rejecting path-traversal/JSP request patterns | DSpace#12550 |

Config changes

  • dspace.cfg: webui.content_disposition_format comments updated (HTML/XML/RDF/JS now enforced in code); new message.templates.allowed-config allowlist
  • config/modules/curate.cfg: new commented curate.taskfile.base / curate.reporter.base
  • config/modules/oai.cfg: new commented ORE harvester URL-prefix allowlist
  • config/registries/bitstream-formats.xml: adds text/javascript (applies to new installs; existing installs may load it via registry-loader)

Behavioral notes

  • HTML/XML/JS bitstreams will now always download instead of displaying inline (XSS protection).
  • Curation -T/-r are CLI-only; REST-triggered curation can no longer pass arbitrary file paths.
  • Traversal requests return 403 (test expectations updated accordingly).
  • Email templates only see allowlisted config keys — extend message.templates.allowed-config if custom templates need more.

Intentionally not included

Verification

  • mvn package (dspace-api + dspace-server-webapp) passes locally.
  • Full unit + integration test suite runs via CI on this PR.

🤖 Generated with Claude Code
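The XXE row in the 7.6.4 table above describes centralised, hardened XML parser factories with DTDs and external entities disabled. The following is an added illustration of that pattern, not DSpace's own XMLUtils (the class and method names are assumed); it configures a JDK DocumentBuilderFactory that way and exercises it on a constructed SAF-style document with and without a DOCTYPE:

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Hypothetical stand-in for a centralised hardened XML factory (not DSpace's XMLUtils).
public final class HardenedXml {

    // Builds a DOM parser that cannot load DTDs or resolve external entities.
    public static DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright: no entity declarations and no external DTD fetch.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses untrusted XML text; throws SAXException when the document carries a DOCTYPE.
    public static Document parse(String xml) throws Exception {
        return newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal SAF-style dublin_core.xml without a DOCTYPE parses normally.
        String safe = "<dublin_core><dcvalue element=\"title\">Example</dcvalue></dublin_core>";
        System.out.println("safe document root: " + parse(safe).getDocumentElement().getTagName());

        // Constructed sample: a DOCTYPE declaring an external entity is refused before anything is read.
        String withDoctype = "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
                + "<dublin_core>&ext;</dublin_core>";
        try {
            parse(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```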
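The SAF contents-file traversal fix, the SWORDv2 Zip Slip protection and the curation reporter base-path restriction in the tables above all rest on the same check: canonicalise the base directory, resolve the untrusted name against it, and refuse anything that ends up outside. This added example (not DSpace's SecureFileAccess or DSBitStoreService; the class, method names and the tab-separated manifest shape are assumptions) shows that containment check and applies it to every file named in a constructed SAF "contents" manifest before any file is opened:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

// Hypothetical base-path containment check (not DSpace's own SecureFileAccess or DSBitStoreService).
public final class PathContainment {
    // Resolve an untrusted name against base; throw if the result leaves base via "..", an absolute
    // name, or a symlink. Returns the canonical path (real path when the entry already exists).
    public static Path resolveInside(Path base, String name) throws IOException {
        Path root = base.toRealPath();                   // canonical base, symlinks resolved
        Path candidate = root.resolve(name).normalize(); // an absolute name replaces root here
        if (!candidate.startsWith(root) || candidate.equals(root)) {
            throw new IOException("refusing path outside base: " + name);
        }
        if (Files.exists(candidate, LinkOption.NOFOLLOW_LINKS)) {
            Path real = candidate.toRealPath();          // follow links and re-check containment
            if (!real.startsWith(root)) {
                throw new IOException("refusing symlink escaping base: " + name);
            }
            return real;
        }
        return candidate; // not created yet (extraction or report target): still inside base
    }

    // Validate every file named by a SAF "contents" manifest (first tab-separated token per
    // non-empty line) before any of them is opened.
    public static List<Path> validateContents(Path itemDir, String contents) throws IOException {
        List<Path> files = new ArrayList<>();
        for (String line : contents.split("\\R")) {
            if (line.isBlank()) continue;
            files.add(resolveInside(itemDir, line.split("\t", 2)[0].trim()));
        }
        return files;
    }

    public static void main(String[] args) throws IOException {
        Path itemDir = Files.createTempDirectory("saf-item"); // constructed sample item directory
        Files.writeString(itemDir.resolve("paper.pdf"), "constructed");
        // Constructed manifest: the second entry tries to climb out of the item directory.
        String contents = "paper.pdf\tbundle:ORIGINAL\n../../outside.txt\tbundle:ORIGINAL\n";
        try {
            validateContents(itemDir, contents);
        } catch (IOException e) {
            System.out.println("import aborted: " + e.getMessage());
        }
    }
}
```

Because the check runs over the whole manifest first, one bad entry aborts the import before any bitstream is copied into the assetstore.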

tdonohue and others added 30 commits June 11, 2026 11:05
…ormats so that it can be recognized by DSpace.

(cherry picked from commit 356a028)
(cherry picked from commit 0f74cb2)
…ed. Update test to prove behavior.

(cherry picked from commit 6da072d)
(cherry picked from commit c30ff35)
…ly. Add a new wildcard setting to allow sites to force all files to download only.

(cherry picked from commit a091d34)
(cherry picked from commit 3bcd33d)
…entity in user-controlled data

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
(cherry picked from commit a0ce50b)
(cherry picked from commit 6fe9af8)
…s & entity expansion

(cherry picked from commit f9614c4)
(cherry picked from commit 90ea371)
… during archive extraction ("Zip Slip")

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
(cherry picked from commit 5fbdfc2)
(cherry picked from commit 086a26d)
…y changes can be used.

* Safer Velocity configuration
* New "message.templates.allowed-config" config
* Remove "UnmodifiableConfiguration" in favour of a
  simple Map of whitelisted Config keys/values
* Centralise Velocity config in core Utils
* Small javadoc changes

Removes some JDK >= 16 usage

@coderabbitai

coderabbitai Bot commented Jun 11, 2026


Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


text/javascript was added to bitstream-formats.xml by the CVE-2024-38364
fix, so the format registry now contains one more format.
(equivalent of upstream commit 7143c97 from dspace-7_x)