PRODESC-5780: ACS Repo DAU APIs to also use non-attach allow list (#830)

* PRODSEC-5780: ACS Repo DAU APIs to also use non-attach allow list

- moved existing pre-configured allow list from remote-api to repository layer
  (the "nodes.nonAttachContentTypes" XML bean is replaced by the "content.nonAttach.mimetypes" property)
- now also used by DAU (as well as existing V1 REST API and CMIS to get/download content)
montgolfiere
2021-12-07 17:21:31 +00:00
committed by GitHub
parent 2039018ce5
commit 89de2e4677
6 changed files with 55 additions and 24 deletions


@@ -2,7 +2,7 @@
* #%L
* Alfresco Remote API
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* Copyright (C) 2005 - 2021 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
@@ -86,7 +86,8 @@ public abstract class CMISServletDispatcher implements CMISDispatcher
private boolean allowUnsecureCallbackJSONP;
private Set<String> nonAttachContentTypes = Collections.emptySet(); // pre-configured whitelist, eg. images & pdf
// pre-configured allow list of media/mime types, eg. specific types of images & also pdf
private Set<String> nonAttachContentTypes = Collections.emptySet();
public void setTenantAdminService(TenantAdminService tenantAdminService)
{
@@ -133,9 +134,12 @@ public abstract class CMISServletDispatcher implements CMISDispatcher
this.cmisVersion = CmisVersion.fromValue(cmisVersion);
}
public void setNonAttachContentTypes(Set<String> nonAttachWhiteList)
public void setNonAttachContentTypes(String nonAttachAllowListStr)
{
this.nonAttachContentTypes = nonAttachWhiteList;
if ((nonAttachAllowListStr != null) && (! nonAttachAllowListStr.isEmpty()))
{
nonAttachContentTypes = Set.of(nonAttachAllowListStr.trim().split("\\s*,\\s*"));
}
}
protected synchronized Descriptor getCurrentDescriptor()
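Review bot: The `nonAttachContentTypes = Set.of(nonAttachAllowListStr.trim().split("\\s*,\\s*"))` line throws IllegalArgumentException on a duplicate token, so a configured value such as `application/pdf,application/pdf` fails bean initialisation at startup instead of being tolerated; the same code is added to NodesImpl.setNonAttachContentTypes in the second file and the remark applies there too. A whitespace-only value also passes the `! nonAttachAllowListStr.isEmpty()` guard and, after trim and split, produces a set holding the empty string, an odd entry in a list that decides whether content is delivered inline rather than as an attachment. Collecting only the non-empty tokens into a HashSet keeps the fail-closed `Collections.emptySet()` default for null/blank input while tolerating duplicates and stray commas (a `java.util.HashSet` import is needed). A short Javadoc on the setter stating that the value is a comma-separated list of media types and that null or blank leaves the empty default would also help; whether matching against the stored types is exact and case-sensitive is not visible in this hunk and worth confirming.
```java
public void setNonAttachContentTypes(String nonAttachAllowListStr)
{
    if ((nonAttachAllowListStr != null) && (! nonAttachAllowListStr.trim().isEmpty()))
    {
        // tolerate duplicates and stray separators; blank tokens are not media types
        Set<String> allowList = new HashSet<>();
        for (String mimeType : nonAttachAllowListStr.trim().split("\\s*,\\s*"))
        {
            if (! mimeType.isEmpty())
            {
                allowList.add(mimeType);
            }
        }
        nonAttachContentTypes = Collections.unmodifiableSet(allowList);
    }
}
```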


@@ -239,11 +239,15 @@ public class NodesImpl implements Nodes
private ConcurrentHashMap<String,NodeRef> ddCache = new ConcurrentHashMap<>();
private Set<String> nonAttachContentTypes = Collections.emptySet(); // pre-configured whitelist, eg. images & pdf
// pre-configured allow list of media/mime types, eg. specific types of images & also pdf
private Set<String> nonAttachContentTypes = Collections.emptySet();
public void setNonAttachContentTypes(Set<String> nonAttachWhiteList)
public void setNonAttachContentTypes(String nonAttachAllowListStr)
{
this.nonAttachContentTypes = nonAttachWhiteList;
if ((nonAttachAllowListStr != null) && (! nonAttachAllowListStr.isEmpty()))
{
nonAttachContentTypes = Set.of(nonAttachAllowListStr.trim().split("\\s*,\\s*"));
}
}
public void init()


@@ -509,19 +509,6 @@
</property>
</bean>
<bean id="nodes.nonAttachContentTypes" class="org.springframework.beans.factory.config.SetFactoryBean">
<property name="sourceSet">
<set>
<value>application/pdf</value>
<value>image/jpeg</value>
<value>image/gif</value>
<value>image/png</value>
<value>image/tiff</value>
<value>image/bmp</value>
</set>
</property>
</bean>
<bean id="nodes.personLookupProperties" class="org.springframework.beans.factory.config.SetFactoryBean">
<property name="sourceSet">
<set>
@@ -542,7 +529,7 @@
<property name="quickShareLinks" ref="QuickShareLinks"/>
<property name="behaviourFilter" ref="policyBehaviourFilter"/>
<property name="ignoreTypes" ref="nodes.ignoreTypes"/>
<property name="nonAttachContentTypes" ref="nodes.nonAttachContentTypes"/>
<property name="nonAttachContentTypes" value="${content.nonAttach.mimetypes}"/>
<property name="personLookupProperties" ref="nodes.personLookupProperties"/>
<property name="poster" ref="activitiesPoster" />
<property name="smartStore" ref="smartStore"/>
@@ -1142,7 +1129,7 @@
<property name="version" value="1.0"/>
<property name="cmisVersion" value="1.0"/>
<property name="tenantAdminService" ref="tenantAdminService"/>
<property name="nonAttachContentTypes" ref="nodes.nonAttachContentTypes"/>
<property name="nonAttachContentTypes" value="${content.nonAttach.mimetypes}"/>
</bean>
<bean id="cmisAtomPubDispatcher1.1" class="org.alfresco.opencmis.PublicApiAtomPubCMISDispatcher" init-method="init">
@@ -1154,7 +1141,7 @@
<property name="version" value="1.1"/>
<property name="cmisVersion" value="1.1"/>
<property name="tenantAdminService" ref="tenantAdminService"/>
<property name="nonAttachContentTypes" ref="nodes.nonAttachContentTypes"/>
<property name="nonAttachContentTypes" value="${content.nonAttach.mimetypes}"/>
</bean>
<bean id="cmisBrowserDispatcher1.1" class="org.alfresco.opencmis.PublicApiBrowserCMISDispatcher" init-method="init">
@@ -1166,7 +1153,7 @@
<property name="version" value="1.1"/>
<property name="cmisVersion" value="1.1"/>
<property name="tenantAdminService" ref="tenantAdminService"/>
<property name="nonAttachContentTypes" ref="nodes.nonAttachContentTypes"/>
<property name="nonAttachContentTypes" value="${content.nonAttach.mimetypes}"/>
<property name="allowUnsecureCallbackJSONP" value="${allow.unsecure.callback.jsonp}"/>
</bean>