PRODESC-5780: ACS Repo DAU APIs to also use non-attach allow list (#830)

* PRODSEC-5780: ACS Repo DAU APIs to also use non-attach allow list

- moved existing pre-configured allow list from remote-api to repository layer
- ("nodes.nonAttachContentTypes" xml -> "content.nonAttach.mimetypes" prop)
- now also used by DAU (as well as existing V1 REST API and CMIS to get/download content)

repository/src/main/java/org/alfresco/repo/content/ContentServiceImpl.java

@@ -28,6 +28,7 @@ package org.alfresco.repo.content;
 import java.io.Serializable;
 import java.util.Collection;
 import java.util.HashSet;
+import java.util.Collections;
 import java.util.Map;
 import java.util.Set;
 
@@ -103,6 +104,9 @@ public class ContentServiceImpl implements ContentService, ApplicationContextAwa
     private boolean ignoreEmptyContent;
 
     private SystemWideDirectUrlConfig systemWideDirectUrlConfig;
+    
+    /** pre-configured allow list of media/mime types, eg. specific types of images & also pdf */
+    private Set<String> nonAttachContentTypes = Collections.emptySet();
 
     /**
      * The policy component
@@ -151,6 +155,14 @@ public class ContentServiceImpl implements ContentService, ApplicationContextAwa
         this.systemWideDirectUrlConfig = systemWideDirectUrlConfig;
     }
 
+    public void setNonAttachContentTypes(String nonAttachAllowListStr) 
+    {
+        if ((nonAttachAllowListStr != null) && (! nonAttachAllowListStr.isEmpty()))
+        {
+            nonAttachContentTypes = Set.of(nonAttachAllowListStr.trim().split("\\s*,\\s*"));
+        }
+    }
+
     public void setPolicyComponent(PolicyComponent policyComponent)
     {
         this.policyComponent = policyComponent;
@@ -635,6 +647,7 @@ public class ContentServiceImpl implements ContentService, ApplicationContextAwa
         String fileName = getFileName(nodeRef);
 
         validFor = adjustValidFor(validFor);
+        attachment = adjustAttachment(nodeRef, contentMimetype, attachment);
 
         DirectAccessUrl directAccessUrl = null;
         if (store.isContentDirectUrlEnabled())
@@ -691,4 +704,21 @@ public class ContentServiceImpl implements ContentService, ApplicationContextAwa
         }
          return validFor;
     }
+
+    private boolean adjustAttachment(NodeRef nodeRef, String mimeType, boolean attachmentIn)
+    {
+        boolean attachment = true;
+        if (! attachmentIn)
+        {
+            if ((nonAttachContentTypes != null) && (nonAttachContentTypes.contains(mimeType)))
+            {
+                attachment = false;
+            }
+            else
+            {
+                logger.warn("Ignored attachment=false for " + nodeRef.getId() + " since " + mimeType + " is not in the whitelist for non-attach content types");
+            }
+        }
+        return attachment;
+    }
 }

repository/src/main/resources/alfresco/content-services-context.xml

@@ -164,6 +164,9 @@
       <property name="systemWideDirectUrlConfig" >
          <ref bean="systemWideDirectUrlConfig" />
       </property>
+      <property name="nonAttachContentTypes">
+         <value>${content.nonAttach.mimetypes}</value>
+      </property>
    </bean>
    
    <bean id="contentService" parent="baseContentService">

repository/src/main/resources/alfresco/repository.properties

@@ -1317,3 +1317,6 @@ system.remove-alf_server-table-from-db.ignored=true
 
 # When using JSONP, allows unsecure usage of "callback" functions. Disabled by default for security reasons
 allow.unsecure.callback.jsonp=false
+
+# pre-configured allow list of media/mime types to allow inline instead of attachment (via Content-Disposition response header)
+content.nonAttach.mimetypes=application/pdf,image/jpeg,image/gif,image/png,image/tiff,image/bmp