Skip to content

Security patches from vanilla DSpace 7.6.7 (CVE-2026-49830, CVE-2026-49831)#1340

Merged
milanmajchrak merged 18 commits into
dtq-devfrom
dtq-dev-security-patches-7.6.7
Jun 18, 2026
Merged

Security patches from vanilla DSpace 7.6.7 (CVE-2026-49830, CVE-2026-49831)#1340
milanmajchrak merged 18 commits into
dtq-devfrom
dtq-dev-security-patches-7.6.7

Conversation

@milanmajchrak

@milanmajchrak milanmajchrak commented Jun 18, 2026

Copy link
Copy Markdown
Collaborator

Security patches for dtq-dev (DSpace 7.6.5)

Backports the vanilla DSpace 7.6.7 security set onto dtq-dev

Ref: dspace-community security announcement

Why this is needed

Without it, the base keeps re-seeding the vulnerable code into future rebases. Of the 4 advisories in the announcement, two apply to 7.x (≤7.6.6, fixed in 7.6.7); the Velocity RCE and LDN path-traversal advisories are 8.x/9.x-only but their hardening is included here as defense-in-depth (same scope as the customer 7.6.7 PRs).

Fixes included

  • CVE-2026-49830 (GHSA-c827-pw3m-67w7) — ORE aggregated resource URI validation
  • CVE-2026-49831 (GHSA-v66x-68f2-pxf5) — Curation tasks path traversal (SecureFileAccess, taskfile/reporter base-path containment, -r/-T moved to CLI-only)
  • Velocity/Email template hardening (Utils.getSecureVelocityProperties, allowed-config map, removal of UnmodifiableConfigurationService)
  • GlobalRequestSecurityFilter (JSP/traversal request filtering, backported for javax)

Conflict resolution (vs. the clean customer cherry-picks)

Two files needed manual resolution because dtq-dev (UFAL) diverges from vanilla:

  • Email.java — dropped the now-unused java.util.Properties import (UFAL kept it), retained Collectors (still used).
  • Curation.java — kept UFAL's reporter abstraction (DoNothingReporter/SystemOutReporter/FilePrinterReporter) instead of vanilla's raw OutputStream. The reporter path is now validated via SecureFileAccess.validatePathForWrite(...) against curate.reporter.base before opening — same security guarantee, preserves UFAL output formatting.

Verification

  • mvn -pl dspace-api -am compile passes locally.
  • New security config keys added: message.templates.allowed-config, curate.taskfile.base, curate.reporter.base, oai.harvester.ore.file.*.
  • Full Unit + IT + docker builds run via PR CI.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Curation CLI now supports -r/--reporter (for output destination) and -T/--taskfile (for task specifications) options.
  • Security Improvements

    • Added protection against path traversal and JSP injection attacks.
    • Implemented secure file path validation with configurable allowed base directories.
    • Added URI validation for OAI ORE resource ingestion.
    • Restricted configuration data exposed to email templates.

kshepherd added 17 commits June 18, 2026 13:30
* Safer Velocity configuration
* New "message.templates.allowed-config" config
* Remove "UnmodifiableConfiguration" in favour of a
  simple Map of whitelisted Config keys/values
* Centralise Velocity config in core Utils
* Small javadoc changes

(cherry picked from commit b2d6141)
(cherry picked from commit 5b31db5)
(cherry picked from commit 6b66531)
(cherry picked from commit 46a0dfb)
(cherry picked from commit 5803819)
(cherry picked from commit 4be430f)
(cherry picked from commit cf9be85)
(cherry picked from commit dc3e455)
(cherry picked from commit 295a046)
(cherry picked from commit 0b1deae)
(cherry picked from commit e2e6a79)
(cherry picked from commit 2e40077)
(cherry picked from commit 56ae287)
(cherry picked from commit 1a3dfd7)
(cherry picked from commit 22bec44)
Removes some JDK >= 16 usage

(cherry picked from commit 55905a2)
(cherry picked from commit a757221)
(cherry picked from commit 6437472)
(cherry picked from commit 37cd6eb)
(cherry picked from commit 00e4979)
(cherry picked from commit 27708ea)
@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@milanmajchrak, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 5 minutes and 14 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 64ff979f-9567-44f6-be48-97b0e2cae642

📥 Commits

Reviewing files that changed from the base of the PR and between 5d27a78 and f39fac0.

📒 Files selected for processing (1)
  • dspace/config/dspace.cfg
📝 Walkthrough

Walkthrough

Adds four independent security controls: a GlobalRequestSecurityFilter blocking path traversal and JSP execution with HTTP 403; a new SecureFileAccess utility enforcing filesystem path boundaries, integrated into the curation CLI; a Velocity template config allowlist via Utils.getAllowedTemplateConfig() replacing full config exposure in Email.send(); and URI scheme/host validation in OREIngestionCrosswalk before downloading aggregated resources.

Changes

HTTP Request Security Filter

Layer / File(s) Summary
GlobalRequestSecurityFilter: normalization and blocking
dspace-server-webapp/src/main/java/org/dspace/app/rest/security/GlobalRequestSecurityFilter.java
New highest-precedence OncePerRequestFilter decodes and normalizes request URIs, then returns HTTP 403 for path traversal or JSP execution patterns; otherwise delegates to the filter chain.
SitemapRestControllerIT: traversal tests updated to 403
dspace-server-webapp/src/test/java/org/dspace/app/rest/SitemapRestControllerIT.java
Traversal integration tests replace expected = ServletException.class with andExpect(status().isForbidden()), reflecting the new filter interception.

Filesystem Access Security

Layer / File(s) Summary
SecureFileAccess: path validation and stream helpers
dspace-api/src/main/java/org/dspace/storage/secure/SecureFileAccess.java
New utility class with validatePathForWrite (normalize-only) and validatePathForRead (symlink-resolving), plus getBufferedReader/getInputStream/getOutputStream wrappers and CWD/base-dir path helpers.
Curation CLI: secure task-file and reporter-file paths
dspace-api/src/main/java/org/dspace/curate/Curation.java, CurationCliScriptConfiguration.java, CurationClientOptions.java, dspace/config/modules/curate.cfg
handleCurationTask and initCurator use SecureFileAccess to restrict file reads/writes to configured base paths (curate.taskfile.base, curate.reporter.base); CLI options -T/-r are registered in CurationCliScriptConfiguration.
CurationScriptIT: task-file tests disabled
dspace-server-webapp/src/test/java/org/dspace/curate/CurationScriptIT.java
curateScript_InvalidTaskFile and curateScript_validRequest_TaskFile are annotated @Ignore to disable execution.

Velocity Template Config Restriction

Layer / File(s) Summary
Utils: getAllowedTemplateConfig and secure Velocity properties
dspace-api/src/main/java/org/dspace/core/Utils.java
Adds DEFAULT_ALLOWED_TEMPLATE_CONFIGS constant and getAllowedTemplateConfig() returning a Map<String, String> of only allowlisted config keys; getSecureVelocityProperties uses SecureUberspector and optional strict mode.
Email: allowlisted config context, remove UnmodifiableConfigurationService
dspace-api/src/main/java/org/dspace/core/Email.java
send() replaces full-config UnmodifiableConfigurationService injection with Utils.getAllowedTemplateConfig() and uses Utils.getSecureVelocityProperties; the nested UnmodifiableConfigurationService class is removed.
dspace.cfg: message.templates.allowed-config
dspace/config/dspace.cfg
Adds message.templates.allowed-config entries whitelisting dspace.name, dspace.ui.url, mail.admin, and related keys; includes commented message.templates.strict_mode.

OREIngestionCrosswalk URI Validation

Layer / File(s) Summary
OREIngestionCrosswalk: validResourceUri and download guard
dspace-api/src/main/java/org/dspace/content/crosswalk/OREIngestionCrosswalk.java, dspace/config/modules/oai.cfg
Adds validResourceUri enforcing http/https and optionally restricting host to oai.harvester.ore.file.allowedUrlPrefix values or the parent entry host; the download path throws FileNotFoundException when validation fails.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant GlobalRequestSecurityFilter
  participant FilterChain
  Client->>GlobalRequestSecurityFilter: HTTP request with raw URI
  GlobalRequestSecurityFilter->>GlobalRequestSecurityFilter: normalizeAndDecodeUri
  alt traversal pattern detected
    GlobalRequestSecurityFilter-->>Client: HTTP 403 Forbidden
  else JSP execution pattern detected
    GlobalRequestSecurityFilter-->>Client: HTTP 403 Forbidden
  else URI is clean
    GlobalRequestSecurityFilter->>FilterChain: doFilter(request, response)
  end
Loading
sequenceDiagram
  participant CurationCLI as Curation CLI
  participant SecureFileAccess
  participant ConfigurationService
  participant Filesystem
  CurationCLI->>SecureFileAccess: calculateAbsolutePathUsingCwd(taskFile)
  CurationCLI->>ConfigurationService: getPropertyValue("curate.taskfile.base")
  CurationCLI->>SecureFileAccess: getBufferedReader(absolutePath, allowedBasePaths, UTF-8)
  SecureFileAccess->>SecureFileAccess: validatePathForRead(file, allowedBasePaths)
  SecureFileAccess->>Filesystem: toRealPath() + normalize() boundary check
  alt path within allowed base
    SecureFileAccess-->>CurationCLI: BufferedReader
  else path outside allowed base
    SecureFileAccess-->>CurationCLI: IOException
  end
Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested labels

Vanilla-upstream, track_to_dtq-dev

Suggested reviewers

  • vidiecan
🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 55.17% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check ⚠️ Warning The PR description does not follow the required template structure. It lacks the 'Analysis', 'Problems', 'Manual Testing', and 'Copilot review' sections specified in the template. Add the required template sections: include an 'Analysis' section explaining the technical details, a 'Problems' section if applicable, a 'Manual Testing' checkbox section, and a 'Copilot review' section with appropriate checkboxes.
✅ Passed checks (3 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title directly and specifically identifies the two CVEs being addressed and their DSpace version origin, accurately reflecting the security patches and backport objectives of the changeset.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

🧹 Nitpick comments (1)
dspace-server-webapp/src/main/java/org/dspace/app/rest/security/GlobalRequestSecurityFilter.java (1)

121-126: ⚡ Quick win

Consider adding mixed literal/encoded dot pattern detection.

The %2e%2e check catches double-encoded traversal (%252e%252e), but mixed patterns like .%252e decode to .%2e after a single pass—this evades the current checks since it's neither literal .. nor %2e%2e.

While downstream controllers provide defense-in-depth (e.g., SitemapRestController matches exact filenames from directory listing), strengthening the filter would add another protective layer.

🛡️ Proposed enhancement
 private boolean isTraversalAttempt(String url) {
     return url.contains("../")
             || url.contains("/..")
             || url.contains("%2e%2e")
+            || url.contains(".%2e")
+            || url.contains("%2e.")
             || url.contains("..");
 }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@dspace-server-webapp/src/main/java/org/dspace/app/rest/security/GlobalRequestSecurityFilter.java`
around lines 121 - 126, The isTraversalAttempt method is missing detection for
mixed literal and encoded dot patterns that can evade the current checks.
Specifically, patterns like .%2e or %2e. (mixing literal dots with
percent-encoded dots) can decode to .. after a single decoding pass, bypassing
the existing checks for literal .. and encoded %2e%2e. Add additional checks to
the return statement in isTraversalAttempt to detect these mixed encoding
patterns by including checks for .%2e, %2e., and case-insensitive variants
(.%2E, %2E., etc.) alongside the existing pattern checks.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@dspace-api/src/main/java/org/dspace/content/crosswalk/OREIngestionCrosswalk.java`:
- Around line 289-311: Add null checks before dereferencing the result of
getHost() calls to prevent NullPointerException when URIs lack authority. In the
allowed prefix validation loop, check if both allowedUri.getHost() and
resourceUri.getHost() are non-null before calling toLowerCase() on them.
Similarly, in the fallback validation checks, verify that entryUri.getHost() and
resourceUri.getHost() are non-null before calling toLowerCase() on them. If
either host is null, handle it appropriately by either skipping that comparison
or returning false as needed for the validation logic.

In `@dspace-api/src/main/java/org/dspace/core/Email.java`:
- Around line 367-371: The email templates are unable to access the lr.help.mail
configuration value because it is not included in the allowlist for template
configuration. In the Email.java file where vctx.put("config",
Utils.getAllowedTemplateConfig()) is called, the getAllowedTemplateConfig method
only returns allowlisted keys. Add lr.help.mail to the allowlist by updating
either the DEFAULT_ALLOWED_TEMPLATE_CONFIGS constant in Utils.java or the
message.templates.allowed-config setting in dspace.cfg, so that templates in
clarin_download_link_admin, clarin_token, matomo_report, and share_submission
can properly resolve the help email address instead of receiving null values.

In `@dspace-api/src/main/java/org/dspace/core/Utils.java`:
- Around line 648-654: The Javadoc comment for the method creating default,
secure Velocity configuration properties contains two syntax errors. First, the
`@see` tag on line 650 incorrectly uses {`@link` Email} syntax within it; replace
`@see {`@link` Email}` with the correct format `@see Email` for a direct
reference, or move the link inline into the description text. Second, line 653
uses the invalid Javadoc tag `@returns`; replace it with the correct tag
`@return` which is the standard Javadoc syntax for describing return values.

In `@dspace-api/src/main/java/org/dspace/storage/secure/SecureFileAccess.java`:
- Around line 41-53: The validatePathForWrite method in SecureFileAccess.java
has a security vulnerability where it does not canonicalize the target path
itself before validation, unlike validatePathForRead. Currently, the method
normalizes the path lexically and checks if resolvedPath starts with basePath,
but this check can be bypassed if a parent directory is a symlink pointing
outside the allowed base. To fix this, apply toRealPath() to the resolvedPath
variable (similar to how basePath is converted to its real path) before
performing the startsWith validation check. This will ensure that any symlinks
in parent directories are resolved to their actual filesystem locations and
verified to be within the allowed base path before the write operation is
permitted.

In `@dspace/config/modules/oai.cfg`:
- Around line 163-165: The example values for
oai.harvester.ore.file.allowedUrlPrefix configuration property are missing the
URI scheme component. Update the two commented-out example lines (lines 164 and
165) to include the full URI with scheme prefix (such as https:// or http://)
before the domain names, so they read as complete URIs (e.g.,
https://dspace.myinstitution.edu and https://files.myinstitution.edu) rather
than just host names, to match what the validator expects at runtime.

---

Nitpick comments:
In
`@dspace-server-webapp/src/main/java/org/dspace/app/rest/security/GlobalRequestSecurityFilter.java`:
- Around line 121-126: The isTraversalAttempt method is missing detection for
mixed literal and encoded dot patterns that can evade the current checks.
Specifically, patterns like .%2e or %2e. (mixing literal dots with
percent-encoded dots) can decode to .. after a single decoding pass, bypassing
the existing checks for literal .. and encoded %2e%2e. Add additional checks to
the return statement in isTraversalAttempt to detect these mixed encoding
patterns by including checks for .%2e, %2e., and case-insensitive variants
(.%2E, %2E., etc.) alongside the existing pattern checks.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 52b48de3-ccaf-46f1-bd56-7aa0cc422530

📥 Commits

Reviewing files that changed from the base of the PR and between 8f4b80d and 5d27a78.

📒 Files selected for processing (13)
  • dspace-api/src/main/java/org/dspace/content/crosswalk/OREIngestionCrosswalk.java
  • dspace-api/src/main/java/org/dspace/core/Email.java
  • dspace-api/src/main/java/org/dspace/core/Utils.java
  • dspace-api/src/main/java/org/dspace/curate/Curation.java
  • dspace-api/src/main/java/org/dspace/curate/CurationCliScriptConfiguration.java
  • dspace-api/src/main/java/org/dspace/curate/CurationClientOptions.java
  • dspace-api/src/main/java/org/dspace/storage/secure/SecureFileAccess.java
  • dspace-server-webapp/src/main/java/org/dspace/app/rest/security/GlobalRequestSecurityFilter.java
  • dspace-server-webapp/src/test/java/org/dspace/app/rest/SitemapRestControllerIT.java
  • dspace-server-webapp/src/test/java/org/dspace/curate/CurationScriptIT.java
  • dspace/config/dspace.cfg
  • dspace/config/modules/curate.cfg
  • dspace/config/modules/oai.cfg

Comment thread dspace-api/src/main/java/org/dspace/core/Email.java
Comment thread dspace-api/src/main/java/org/dspace/core/Utils.java
Comment thread dspace/config/modules/oai.cfg
@milanmajchrak milanmajchrak changed the title DEV/Security patches from vanilla DSpace 7.6.7 (CVE-2026-49830, CVE-2026-49831) Security patches from vanilla DSpace 7.6.7 (CVE-2026-49830, CVE-2026-49831) Jun 18, 2026
@milanmajchrak milanmajchrak requested a review from Copilot June 18, 2026 12:10

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Backports vanilla DSpace 7.6.7 security hardening into this fork (DSpace 7.6.5 base), focusing on ORE aggregated-resource URI validation, curation task/report file path traversal defenses, and tighter Velocity template configuration exposure / execution restrictions.

Changes:

  • Added ORE aggregated-resource URI validation controls/config and implemented validation in OREIngestionCrosswalk.
  • Introduced SecureFileAccess and integrated it into curation taskfile/reporter handling; moved -r/-T to CLI-only options.
  • Hardened Velocity usage for Email/templates via restricted config exposure and secure Velocity properties; added a global request hardening filter and updated related ITs.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 8 comments.

Show a summary per file
File Description
dspace/config/modules/oai.cfg Adds new (commented) ORE URL validation/allowlist config keys.
dspace/config/modules/curate.cfg Documents new base-path containment config for taskfiles and reporter outputs.
dspace/config/dspace.cfg Adds allowlist config for template-exposed configuration and optional strict Velocity mode.
dspace-server-webapp/src/test/java/org/dspace/curate/CurationScriptIT.java Disables two -T taskfile-related integration tests via @Ignore.
dspace-server-webapp/src/test/java/org/dspace/app/rest/SitemapRestControllerIT.java Updates traversal tests to expect 403 Forbidden instead of servlet exception.
dspace-server-webapp/src/main/java/org/dspace/app/rest/security/GlobalRequestSecurityFilter.java New global servlet filter to block traversal and JSP execution attempts.
dspace-api/src/main/java/org/dspace/storage/secure/SecureFileAccess.java New utility for base-path validation and safe stream/reader creation.
dspace-api/src/main/java/org/dspace/curate/CurationCliScriptConfiguration.java Adds CLI-only -r/--reporter and -T/--taskfile options.
dspace-api/src/main/java/org/dspace/curate/CurationClientOptions.java Removes -r/-T from options available via REST/scripts endpoints; clarifies behavior in Javadoc.
dspace-api/src/main/java/org/dspace/curate/Curation.java Validates taskfile and reporter paths against configured base dirs using SecureFileAccess.
dspace-api/src/main/java/org/dspace/core/Utils.java Adds secure Velocity properties builder and a restricted template config map builder.
dspace-api/src/main/java/org/dspace/core/Email.java Switches to secure Velocity properties and restricts template-accessible configuration.
dspace-api/src/main/java/org/dspace/content/crosswalk/OREIngestionCrosswalk.java Adds ORE aggregated resource URI validation and related configuration usage.

Comment thread dspace-api/src/main/java/org/dspace/core/Utils.java
Comment thread dspace-api/src/main/java/org/dspace/core/Utils.java
The 7.6.7 Velocity hardening restricts templates to an allowlisted
"config" map (Utils.getAllowedTemplateConfig). UFAL/CLARIN templates
(clarin_download_link_admin, clarin_token, matomo_report,
share_submission) reference config.get('lr.help.mail'), which vanilla
DSpace does not ship, so it was missing from the allowlist and those
emails would render a null help address. Add it to dspace.cfg only;
Utils.java stays identical to upstream.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@milanmajchrak milanmajchrak merged commit 22cfef5 into dtq-dev Jun 18, 2026
27 checks passed
milanmajchrak added a commit that referenced this pull request Jul 2, 2026
* UFAL/Fixed failing integration test (ufal#1332) (#1249)

* Add debug messages to fauling test

(cherry picked from commit 4cc3694)

Co-authored-by: Milan Kuchtiak <kuchtiak@ufal.mff.cuni.cz>

* [Port to dtq-dev] Fix OpenAIRE integration: null handling and HTTP client lifecycle (#1248)

* Fix OpenAIRE integration: null handling and HTTP client lifecycle (ufal#1330)

* Add test for OpenAIRE connector

* Initial plan

* Add null check for OpenAIRE response to prevent NullPointerException

Co-authored-by: kosarko <1842385+kosarko@users.noreply.github.com>

* Fix HTTP client lifecycle to prevent premature connection closure

Co-authored-by: kosarko <1842385+kosarko@users.noreply.github.com>

* Keep the try with resources but copy the response

into an in memory stream and return that

* license:check

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: kosarko <1842385+kosarko@users.noreply.github.com>
(cherry picked from commit 02984db)

* Handle NumberFormatException in OpenAIREFundingDataProvider.getNumberOfResults and use explicit UTF-8 charset in OpenAIRERestConnectorTest

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: kosarko <1842385+kosarko@users.noreply.github.com>
Co-authored-by: milanmajchrak <milan.majchrak@dataquest.sk>

* UFAL/Added a comment to do not forget mounting the file which is changed via ocnfiguration feature (#1247)

* UFAL/Issue 1315: Store file preview to database when file preview is created on Item Page load. (ufal#1316) (#1241)

* Issue ufal/clarin-dspace1315: Store file preview to database when file preview is created on item page load

* assert text improvement

* PR comments: commit context only when any of the file preview is successfully created

* change variable name

(cherry picked from commit aab626b)

Co-authored-by: Milan Kuchtiak <kuchtiak@ufal.mff.cuni.cz>

* UFAL/Issue 1313: fixed error when file preview is not generated for bitstream with store_number = 77 (ufal#1318) (#1240)

* Issue ufal#1313: fixed error when file preview is not generated for bitstream with store number = 77

* resolve MR comments

(cherry picked from commit 04d64f7)

Co-authored-by: Milan Kuchtiak <kuchtiak@ufal.mff.cuni.cz>

* UFAL/Nw version metadata issues (#1236)

* Issue ufal#1266: dc.date.available and dc.relation.replaces metadata not cleared properly (ufal#1307)

* Issue ufal#1266: dc.date.available and dc.relation.replaces metadata not cleaned properly in new item version

* resolve MR comments - update ignoredMetadataFields in versioning-service.xml

* update ClarinVersionedHandleIdentifierProviderIT test to check dc.identifier.uri metadata for new version

(cherry picked from commit 7ffaf9a)

* Issue 1319: do not copy dc.identifier.doi metadata when new item version is created

(cherry picked from commit 1b7ed17)

---------

Co-authored-by: Milan Kuchtiak <kuchtiak@ufal.mff.cuni.cz>

* UFAL/Fix: add bitstream download-by-handle endpoint for curl instructions (#1252)

* fix: add bitstream download-by-handle endpoint for curl instructions

Adds GET /api/core/bitstreams/handle/{prefix}/{suffix}/{filename} endpoint
that directly serves bitstream content by item handle and filename.

This resolves the issue where curl download instructions generated by the
UI produced URLs pointing to non-existent backend endpoints, resulting in
404 errors when users attempted to download files via command line.

The new endpoint resolves the handle to an Item, finds the bitstream by
exact filename in ORIGINAL bundles, and streams the raw content with
correct Content-Type and Content-Disposition headers.

Refs: dataquest-dev/dspace-angular#1210

* Fixed compliing errors

* Small refactoring - use constants and removed unnecessary changes

* added comments, return 404 status instead of 402

* unauthorized instead of forbidden

* fix: use RFC 5987 Content-Disposition for non-ASCII filenames

curl -J on Windows cannot create files with non-ASCII characters (e.g.
diacritics like e/a) from a raw UTF-8 Content-Disposition filename header.

Uses filename*=UTF-8''percent-encoded-name (RFC 5987/6266) which curl
properly decodes. Also includes an ASCII fallback in filename param.

* fix: move context.complete() after streaming to prevent truncated downloads

context.complete() was called before bitstreamService.retrieve(), closing
the DB connection and causing 'end of response with X bytes missing' errors.
Now context.complete() is called only after the full content has been streamed.
For S3 redirect and HEAD paths, context.complete() remains before return
since no streaming is needed.

* fix: use real UTF-8 filename in Content-Disposition instead of ASCII fallback

The filename parameter now contains the original name (with diacritics like
e/a) instead of replacing non-ASCII chars with underscores. Characters in
the ISO-8859-1 range are transmitted correctly by Tomcat and understood by
curl on Western/Central-European systems. The filename* parameter still
provides RFC 5987 percent-encoded UTF-8 for modern clients (curl 7.56+).

* fix: revert to ASCII fallback in Content-Disposition, add edge-case tests

Content-Disposition filename parameter now uses ASCII fallback (non-ASCII
replaced with underscore) per RFC 6266. Modern clients use filename* (RFC
5987) which has the full UTF-8 name. The curl command no longer relies on
Content-Disposition at all (uses -o instead of -OJ).

New integration tests for edge cases:
- Multiple dots in filename (archive.v2.1.tar.gz)
- Double quotes in filename (escaped in Content-Disposition)
- CJK characters (beyond ISO-8859-1)
- Same filename in ORIGINAL and TEXT bundles (only ORIGINAL served)

* fix: resolve compilation errors and fix IT test assertions

- Remove duplicate HttpStatus import (apache vs spring)
- Add missing MediaType import (spring)
- Fix Content-Type assertion to include charset=UTF-8
- Use URI.create() for pre-encoded URLs in tests to prevent
  double-encoding (%25) rejection by StrictHttpFirewall

All 15 integration tests pass.

* test: add complex filename test (diacritics, plus, hash, unmatched paren)

New IT test for filename 'Media (+)#9) ano' verifying correct URL decoding,
Content-Disposition encoding, and content delivery. 16/16 tests pass.

* fix authorization, comments, tests

* fix: change expected status from 401 to 403 for authenticated non-admin user

The test downloadBitstreamByHandleUnauthorizedForNonAdmin uses getClient(token)
which means the user IS authenticated. The controller correctly returns 403
(Forbidden) for authenticated users without access, not 401 (Unauthorized).
401 is only for anonymous/unauthenticated requests.

---------

Co-authored-by: Paurikova2 <michaela.paurikova@dataquest.sk>

* Reduce warn logs noise (#1268)

* Log 404 responses at DEBUG instead of WARN to reduce log noise

* Log 404 responses at DEBUG instead of WARN (configurable via logging.server.debug-404)

* Skip stack trace extraction for suppressed 404 debug logs

* Replace custom debug-404 property with dedicated Log4j2 logger (org.dspace.app.rest.NotFound)

* Suppress 404 warn logs via dedicated Log4j2 logger (org.dspace.app.rest.NotFound)

* Turn off that warn logs for the dspace.log

* Updated log name to be more unique

* The row lenght was updated to be less than 120 chars (#1274)

* Reduce noisy WARN logs to DEBUG level (#1269)

Changed two frequently occurring WARN log messages to DEBUG level:
- Context.java: 'Initializing a context while an active transaction exists'
- ClarinItemServiceImpl.java: 'Cannot update item dates metadata because the approximate date is empty'

* Added oai bundle exclude feature

* Updated docs

* Fix OAI bundle exclusion docs and isolate OAIPMHBundleExposureIT config state

* Fix indentation in OAIPMHBundleExposureIT field declaration

* Updated docs

* fix failing Curation tests (ufal#1353) (#1304)

* fix RequiredMetadataIT failure

* different fix for failing curator tests

* change response to see last bitstream format results

* cleaning custom bitstream format creation in PreviewContentServiceImplIT test

* add debug messages

* IIIFCacheEventConsumer: don't consume events when event subject is null

(cherry picked from commit 50db8cd)

**NOTE**: This is without the `dspace-api/src/test/java/org/dspace/curate/ItemMetadataQACheckerIT.java` change
will add that one into #1237

Co-authored-by: Milan Kuchtiak <kuchtiak@ufal.mff.cuni.cz>

* UFAL/Remove 'clariah' submission process (#1305)

Removed the 'clariah' submission process it is not used

(cherry picked from commit cae96d5)

* UFAL/Issue 1349: admin user is not allowed to delete himself/herself (ufal#1350) (#1306)

* Issue 1349: admin user is not allowed to delete himself/herself

* improve the fix: test context.getCurrentUser() for null

* throw IllegalStateException rather than AuthorizeException, and allow client to see the error message

(cherry picked from commit b913627)

Co-authored-by: Milan Kuchtiak <kuchtiak@ufal.mff.cuni.cz>

* Issue 1354: add dc.relation.isreplacedby only when item is installed (ufal#1356) (#1308)

* Issue 1354: add dc.relation.isreplacedby only when item is installed

* set dc.relation.replaces on new item creation

* fixed JavaDoc

* fixed failing tests

* test if dc.relation.isreplacedby metadata are only added when new item version is installed

* use Context#reloadEntity rather than calling find method

* removing unused field

* also removing the now unused import

---------


(cherry picked from commit 3e204e5)

Co-authored-by: Milan Kuchtiak <kuchtiak@ufal.mff.cuni.cz>

* UFAL/Issue 1339: fixed NPE when hidden item metadata are checked for the item with deleted submitter (ufal#1344) (#1290)

* Issue 1339: fixed NPE when hidden item metadata are checked for the item with deleted submitter

(cherry picked from commit 64fda50)

Co-authored-by: Milan Kuchtiak <kuchtiak@ufal.mff.cuni.cz>

* Issue 1321: disable File preview for files where user has no Bitstream READ permission (ufal#1327) (#1280)

* Issue 1321: disable File preview for files where the user has no Bitstream READ permission

* alow file preview in case only the License agreement is needed

* don't allow to create file preview for non-authorized user, nor for item that requires license confirmation

* fixed failing FilePreviewIT test. Now only the user with file READ permission can generate file preview

* add more tests for HTML file preview

* add test for HTML File preview

* improve warning messages

* extend test to see if non admin user can see already generated file preview

---------


(cherry picked from commit 50d7bbc)

Co-authored-by: Milan Kuchtiak <kuchtiak@ufal.mff.cuni.cz>

* UFAL/issue 1324: curation task - implement 3 types of reporters to allow proper report writing to selected destination (ufal#1326) (#1264)

* issue 1324: implement 3 types of reporters to allow proper writing to file or to console

* don't throw exception when not needed

* no AbstractUnitTest required - AbstractDSpaceTest is sufficient

* improve append(str) method in reporters, by using StringUtils.chomp() method

(cherry picked from commit 6f19d1f)

Co-authored-by: Milan Kuchtiak <kuchtiak@ufal.mff.cuni.cz>

* Issue ufal#1292 link/unlink items with version relationship (ufal#1304) (#1253)

* Issue 1292: script to allow link two items into version relationship

* implement link and unlink actions

* ItemVersionLinkerIT test

* improve ItemVersionLinkerIT, fix ScriptRestRepositoryIT

* improve test to be more realistic

* improve options description

* better call of itemService.clearMetadata()

* clear correctly dc.relation.replaces and dc.relation.isreplacedby

* use dc.identifier.uri metadata value rather than item.getHandle() to set dc.relation.replaces and dc.relation.isreplacedby

* code-cleanup

* add also as a cli script

* Use Item.ANY instead of null

tested with the production db dump on the items mentions in the issue
(11234/1-5537). It was returning:
```
The script has started
Item '11234/1-5537' has no handle assigned.
```

because it's dc.identifier.uri.*

---------



(cherry picked from commit 903b35a)

Co-authored-by: Milan Kuchtiak <kuchtiak@ufal.mff.cuni.cz>

* UFAL/[Port to dtq-dev] Port ItemMetadataQAChecker curation task from v5 to v7 (#1237)

* Port ItemMetadataQAChecker curation task from v5 to v7 (ufal#1312)

* Add ItemMetadataQAChecker curation task with tests

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: kosarko <1842385+kosarko@users.noreply.github.com>
(cherry picked from commit d5517be)

* Issue ufal#1310 curation task to check relation metadata (ufal#1325)

* issue 1310: check versioning releationship for items with relation metadata

* improve implementation + test

* More readable, I think.

* update logging

add the handle of the referenced item where possible

* a test case to cover "no related item"

* improve the failure message

---------

Co-authored-by: Ondřej Košarko <ko_ok@centrum.cz>
(cherry picked from commit c97f406)

* fix failing Curation tests (ufal#1353)

* fix RequiredMetadataIT failure

* different fix for failing curator tests

* change response to see last bitstream format results

* cleaning custom bitstream format creation in PreviewContentServiceImplIT test

* resolve MR comments

* add debug messages

* more debug messages

* IIIFCacheEventConsumer: don't consume events when event subject is null

(cherry picked from commit 50db8cd)

**NOTE**: this is just `dspace-api/src/test/java/org/dspace/curate/ItemMetadataQACheckerIT.java` the rest is in #1304

* removed empty line

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: kosarko <1842385+kosarko@users.noreply.github.com>
Co-authored-by: Milan Kuchtiak <kuchtiak@ufal.mff.cuni.cz>

* UFAL/Separate CLARIN license payload from sections.license (#1319)

* fix(submission): separate CLARIN license payload from sections.license

* fix(clarin-license): rename step path to /select, rename DataClarinLicense to ClarinDataLicense, and clean up comments

* fix(clarin-license): align DTO name with Rest suffix convention

* fix(submission): align CLARIN section DTO naming and apply Copilot review fixes

* Align CLARIN license patch semantics and tighten section path handling

* Fix checkstyle issue

* Stabilize unknown CLARIN license metadata assertion

* Added doc and checked null value

* Harden CLARIN license patch handling and logging

* UFAL/Fix clarin-license IT: expect 422 for empty value on select patch (#1323)

* Expect 422 for empty value on clarin-license select patch

* Treat blank value as clear on clarin-license section select

* UFAL/Fix refbox buttons (ufal#1367) (#1318)

* adding test and fixing the issue

fixes ufal#1366 there was a conflict between the
produces=application/json and response.setContentType("application/xml")

* Strengthen citations endpoint test assertions for ufal#1366 regression coverage

Agent-Logs-Url: https://github.com/ufal/clarin-dspace/sessions/e385ef9e-8186-4899-b811-fc82bbfa942b



---------



(cherry picked from commit 8400982)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: kosarko <1842385+kosarko@users.noreply.github.com>

* Health report, report diff fixes (#1254)

* fix(health-report): fix CLI args, multi-check support, and report-diff comparison logic

* Fix ReportDiff setup and date validation

* fix failed integration test

* added tests, used -c 1 2 instead of -c 1 -c 2

* used UNLIMITED_VALUES unstead of MAX_VALUE

* improved doc

* used multilist for -c , removed unused method

* improved doc

* WIP updated health report and report diff

* Complete update of health-report and report-diff

* Sorting reports and updating tests, plus enable multiple -c in report-diff

* Improved docs, output and info and logic

* Improved comparision of reports w/o changes, or with only one report specified

* Updated tests

* Removed unused Report and refactor getChecks

* Address review comments: simplify null checks, deduplicate skipped-checks section, validate report IDs before defaulting

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

---------

Co-authored-by: Matus Kasak <matus.kasak@dataquest.sk>
Co-authored-by: Paurikova2 <michaela.paurikova@dataquest.sk>
Co-authored-by: milanmajchrak <milan.majchrak@dataquest.sk>
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>

* Fix flaky tests in IT pipeline (#1321)

* Fixed integration tests because they use to fail sometimes

* test: stabilize flaky CI tests (Hibernate cleanup retry, Shibboleth auth sequence reset, ORCID assertion hardening)

* test: fix flaky ITs at the source (live ORCID, Shibboleth config-reload) + Hibernate CME diagnostics

ORCID CachingOrcidRestConnectorTest no longer hits the live ORCID sandbox:
search/getLabel/search_fail mock the HTTP layer (httpGet made protected) with a
canned expanded-search response, so they are deterministic instead of asserting
against fluctuating sandbox data.

Shibboleth WWW-Authenticate flakiness: add a test-only config-definition.xml with
config-reload=false. Runtime setProperty(...AuthenticationMethod...) overrides were
silently discarded whenever the auto-reload listener rebuilt the combined config
(restoring clarin-dspace.cfg's [Password, ClarinShib] default), intermittently
leaking 'password realm' into the header. Verified: with auto-reload off the override
survives; the explicit reloadConfig() reset in @after still works.

Hibernate ConcurrentModificationException in @after cleanup: the per-session JDBC
ResourceRegistry is not thread-safe, so the CME means two threads touch one Session.
Capture a full thread dump on CME (target/cme-dumps/) to identify the colliding
thread in CI; keep a resilient retry so an already-passed test isn't failed by this
teardown race. (Context.finalize() ruled out: sessions are thread-local.)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* test: revert IT-env config-reload=false override

Disabling config auto-reload globally in the test environment broke
AuthorizeConfigIT.testReloadConfiguration, which deliberately verifies that
AuthorizeConfiguration picks up live changes written to local.cfg via the
auto-reload mechanism. Auto-reload is a tested feature here, so it must not be
disabled to work around the Shibboleth WWW-Authenticate flakiness.

The Shibboleth flakiness (runtime setProperty override discarded when the combined
config is rebuilt) needs a reload-safe fix in the auth test instead; tracked
separately.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* test: make Shibboleth auth-sequence override reload-safe (fix WWW-Authenticate flakiness)

The flaky 'password realm' leak in AuthenticationRestControllerIT had this root cause:
configurationService.setProperty(plugin.sequence...AuthenticationMethod, ...) only
updates the in-memory view of the combined configuration. That view is discarded
whenever it is rebuilt, and the auto-reload listener rebuilds it as soon as any
reloadable cfg file's mtime changes mid-run (e.g. another test writing local.cfg).
When that rebuild lands between the override and the request, clarin-dspace.cfg's
default [PasswordAuthentication, ClarinShibAuthentication] returns and 'password realm'
leaks into the header. The previous clear-then-set helper did not help (it is
equivalent to a plain setProperty).

Fix: set the sequence via a JVM system property (highest-precedence override layer,
re-read on every rebuild) + reloadConfig(), and clear it in @after. This survives
auto-reload without disabling it (so AuthorizeConfigIT, which verifies auto-reload,
still passes).

Verified in the real /api/authn/status endpoint: an explicit reloadConfig() after a
setProperty override reproduces the leak, while the system-property approach keeps the
header Shibboleth-only across rebuilds. Full AuthenticationRestControllerIT (43 tests)
passes, and running it alongside ClarinAuthenticationRestControllerIT /
AnonymousAdditionalAuthorizationFilterIT confirms the property does not leak across classes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* test: add Hibernate concurrency monitor + CI upload to pinpoint @after CME

The intermittent ConcurrentModificationException in @after cleanup is a genuine
cross-thread data race on Hibernate's per-session, non-thread-safe JDBC
ResourceRegistry (xref): a second thread mutates the test thread's session while
it commits/rolls back. Verified against hibernate-core-5.6.15 sources that the
releaseResources forEach lambda never touches xref, so single-thread re-entrancy
is impossible (this disproves the earlier HHH-15116 single-thread theory). The
window is microseconds, so it does not reproduce locally even with deliberate
cross-thread session sharing; it only surfaces under CI load.

A live thread dump of a running IT JVM shows NO legitimate background thread ever
touches Hibernate (all are Solr/HTTP/Jetty/JVM). So the culprit is a transient
thread, and any non-test thread caught inside Hibernate JDBC/session code is by
definition the offender.

- HibernateConcurrencyMonitor: JVM-wide background sampler that records (de-duped)
  any non-test thread found inside org.hibernate.{resource.jdbc,engine.jdbc,
  internal.SessionImpl}; flushed to target/cme-dumps/ on CME and at JVM shutdown.
  Pure observer, never changes test behaviour.
- AbstractIntegrationTestWithDatabase: start the monitor and mark the JUnit thread
  in setUp; flush it alongside the existing thread dump on a captured CME.
- build.yml: always-upload **/target/cme-dumps/** (not gated on failure) so a
  successful cleanup retry no longer hides the diagnostic.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix: don't close iterate() Hibernate stream from a finalize() (root cause of flaky CME)

Root cause of the intermittent ConcurrentModificationException in @after integration-test
cleanup, identified via the HibernateConcurrencyMonitor CI dumps: the GC Finalizer thread,
running org.dspace.core.AbstractHibernateDAO$1.finalize(), closed the Hibernate Stream
returned by AbstractHibernateDAO.iterate(). Closing a stream closes its ScrollableResults,
which mutates the owning Session's per-session, non-thread-safe JDBC ResourceRegistry (xref)
- but on the Finalizer thread, concurrently with the thread that owns the session. When that
collided with the owning thread's commit/rollback (releaseResources -> xref.forEach), it threw
ConcurrentModificationException. The CI dumps showed this exact finalizer stack as the only
non-test thread inside Hibernate in dspace-api, and present in dspace-server-webapp too.

This was confirmed genuine cross-thread access (not the previously assumed single-thread/HHH
bug): verified against hibernate-core-5.6.15 sources that the releaseResources forEach lambda
never touches xref, so single-thread re-entrancy is impossible.

Fix: close the backing stream on the owning thread when iteration is exhausted, and remove the
finalize() override. An iterator abandoned before exhaustion is released safely when its
Context/Session is closed (releaseResources then runs on the owning thread).

Adds AbstractHibernateDAOIteratorIT to guard against reintroducing a stream-closing finalizer.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix: remove broken Context.finalize() that leaked finalizer-thread sessions

Context.finalize() ran on the GC Finalizer thread and called
dbConnection.isTransActionAlive()/abort(), which resolve sessionFactory.getCurrentSession()
to a brand-new session bound to the Finalizer thread - never the (now-unreachable) thread
that opened the Context. So it could not roll back the Context's transaction anyway; it only
opened and leaked a throwaway Hibernate session on the Finalizer thread, and threw
IllegalStateException once the SessionFactory was closed (seen in the CI thread dumps used to
diagnose the flaky integration-test ConcurrentModificationException).

Abandoned Contexts are cleaned up safely when their owning thread's session ends; callers
already close Contexts via complete()/abort()/try-with-resources (Context is AutoCloseable).

Removes the now-redundant ContextTest.testFinalize (close()/abort() are covered by
testClose/testAbort/testAbort2).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* test: remove flaky-CME diagnostic scaffolding and teardown retry (root cause fixed)

The intermittent @after ConcurrentModificationException is now fixed at its source
(AbstractHibernateDAO.iterate no longer closes its Hibernate stream from a finalizer; broken
Context.finalize() removed). The temporary diagnostics that pinpointed it are no longer needed:

- Restore AbstractIntegrationTestWithDatabase.destroy() to its plain form (drop the 3x cleanup
  retry and the per-CME thread dump) and remove the HibernateConcurrencyMonitor wiring.
- Delete HibernateConcurrencyMonitor.
- Revert the build.yml always-upload of target/cme-dumps.

CI keeps -Dfailsafe.rerunFailingTestsCount=2 as the generic flaky-test safety net.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* revert: keep Context.finalize() (out of scope, not the CME cause)

Reverts the Context.finalize() removal (and the ContextTest.testFinalize deletion). The flaky
@after ConcurrentModificationException is fully fixed by the AbstractHibernateDAO.iterate()
change alone; Context.finalize() runs on a single GC Finalizer thread against its own
finalizer-thread session and provably cannot cause that cross-thread xref race. Removing a
finalizer from this core, widely-used class is a riskier change that does not belong in a
flaky-test fix, so leave Context untouched. The (pre-existing, harmless) finalizer-thread
session it opens can be addressed separately if desired.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* test: address review comments on flaky-test fix

- AbstractHibernateDAOIteratorIT: add Javadoc to the test method and walk the iterator's full
  class hierarchy (up to Object) when asserting no finalize() override, so a finalizer
  reintroduced on a superclass/helper is also caught (per CodeRabbit review).
- AuthenticationRestControllerIT: wrap an over-length (122 char) Javadoc line.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

* Security patches from vanilla DSpace 7.6.7 (CVE-2026-49830, CVE-2026-49831) (#1340)

* ORE aggregated resource URI validation

(cherry picked from commit 7ac17f6)

* Velocity and template safety for Email and LDN messages

* Safer Velocity configuration
* New "message.templates.allowed-config" config
* Remove "UnmodifiableConfiguration" in favour of a
  simple Map of whitelisted Config keys/values
* Centralise Velocity config in core Utils
* Small javadoc changes

(cherry picked from commit b2d6141)
(cherry picked from commit 5b31db5)

* Better null checking in allowed config props

(cherry picked from commit 6b66531)
(cherry picked from commit 46a0dfb)

* Access configurationService at runtime, not rely on class setup

(cherry picked from commit 5803819)
(cherry picked from commit 4be430f)

* Remove strict mode Velocity engine configuration (allow nulls)

(cherry picked from commit 655fc62)

* Filter requests for JSPs or traversal

(cherry picked from commit cf9be85)
(cherry picked from commit dc3e455)

* Add additional logging to GlobalRequestSecurityFilter

(cherry picked from commit 295a046)
(cherry picked from commit 0b1deae)

* Fix import order

(cherry picked from commit e2e6a79)
(cherry picked from commit 2e40077)

* Update sitemap traversal test expectations

(cherry picked from commit 56ae287)
(cherry picked from commit 1a3dfd7)

* Backport GlobalRequestSecurityFilter for javax

(cherry picked from commit 8a2eee9)

* Add secure file access methods

(cherry picked from commit 22bec44)

* Backport Curation I/O using secure file access

Removes some JDK >= 16 usage

(cherry picked from commit 55905a2)

* Curation config support for allowed base paths

(cherry picked from commit 4502224)

* Move curation -r reporter param to CLI only

(cherry picked from commit 277af82)

* Fix import order

(cherry picked from commit a757221)

* Ignore CurationScriptIT -T taskFile tests, to rewrite w/ CLI

(cherry picked from commit 6437472)
(cherry picked from commit 37cd6eb)

* Move taskfile -T option to CLI script config only

(cherry picked from commit 00e4979)
(cherry picked from commit 27708ea)

* UFAL/Allow lr.help.mail in email template config allowlist

The 7.6.7 Velocity hardening restricts templates to an allowlisted
"config" map (Utils.getAllowedTemplateConfig). UFAL/CLARIN templates
(clarin_download_link_admin, clarin_token, matomo_report,
share_submission) reference config.get('lr.help.mail'), which vanilla
DSpace does not ship, so it was missing from the allowlist and those
emails would render a null help address. Add it to dspace.cfg only;
Utils.java stays identical to upstream.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Kim Shepherd <kim@shepherd.nz>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

* Autolabel for new issues (#1341)

Co-authored-by: Matus Kasak <matus.kasak@dataquest.sk>

* [Port to dtq-dev] Issue 1364: tgz file preview fix (#1338)

* Issue 1364: tgz file preview fix (ufal#1372)

* Issue 1364: tgz file preview fix

* resolve MR comments + fixed test

* Update help message for force preview option

* get rid of the password requirement on FilePreview script

---------

Co-authored-by: Ondřej Košarko <kosarko@ufal.mff.cuni.cz>
(cherry picked from commit 00a2a37)

* PR Comments

---------

Co-authored-by: Milan Kuchtiak <kuchtiak@ufal.mff.cuni.cz>

* [Port to dtq-dev] Issue 1343: add PUT and DELETE endpoint methods to ClarinLicenseLabel REST repository (#1325)

* Issue 1343: add PUT and DELETE endpoint methods to ClarinLicenseLabel REST repository (ufal#1357)

* Issue 1343: add PUT and DELETE endpoint methods to ClarinLicenseLabelRest repository

* resolve Copilot comments

* fixed PUT request in ClarinLicenseLabelRestRepository

* added check for Clarin License Label -> Label string to be shorter that 5 characters

* implement coorrect put method in ClarinLicenseLabelRestRepository

* add constraints to license_label table: made label UNIQUE, make license_label not deletable when used in clarin licenses

* change order of deleting objects in test cleanup(): delete license objects before license_label objects (to satisfy license_label constraints)

* resolve PR Copilot comments, fixed failing ClarinWorkspaceItemRestRepositoryIT

* prevent creating duplicate Clarin License Labels in REST API

* not necessary to trim label twice

* minor fixes, suggested by Copilot

* Rename SQL migration files to use today's date (2026.06.01)

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
(cherry picked from commit b041c90)

* Fix test compilation: update createClarinLicense call sites for new label arg

The backport added a `label` String parameter to the createClarinLicense
test helper but left six 4-arg call sites unchanged, breaking testCompile
in dspace-server-webapp. Pass a label at each remaining call site
("lbl"; "lbl1"/"lbl2" for the paired-license test) to match the helper's
new signature, preserving the previously hard-coded "lbl" behaviour.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* PR comments: code cleanup

---------

Co-authored-by: Milan Kuchtiak <kuchtiak@ufal.mff.cuni.cz>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

* AI-Skills/Wire private AI skills submodule (.dspace-skills) (#1343)

* test: de-flake ORCID cache tests and ZIP-download IT (#1344)

* test: de-flake ORCID cache tests and ZIP-download IT

Two independent flaky tests keep turning the dtq-dev pipeline red after #1321:

1. CachingOrcidRestConnectorTest.testCachable / testCacheableWithError still
   hit the live ORCID sandbox (#1321 only mocked getLabel/search/search_fail).
   They use the real Spring @Cacheable bean (to exercise the CGLIB caching
   proxy), so they could not be spied. Point the bean's apiURL at a local
   MockWebServer serving the canned orcid-expanded-search.xml instead -- keeps
   the real caching proxy and HTTP transport under test, removes the network
   dependency. No production change.

2. MetadataBitstreamControllerIT.downloadAllZip compared the response to a
   locally-built ZIP byte-for-byte; a ZIP entry's DOS timestamp (2s resolution)
   defaults to "now" on both sides and differs across a 2s boundary. Assert the
   unzipped entry name + content instead of raw bytes.

Test-only changes. Verified locally (ORCID class 8/8 green, repeated offline
runs; webapp test module compiles; checkstyle clean).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* test: assert exactly one ZIP entry in downloadAllZip

Address CodeRabbit: a Map keyed by entry name could mask duplicate ZIP entries
(same filename overwrites). Track the entry count separately and assert it is 1,
so an unexpected extra entry fails the test.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* test: de-flake SSR authorization and Solr TopCountries ITs

Two more intermittent failures on dtq-dev, both addressed at the root cause
(test-only changes):

1. AuthorizationRestRepositoryIT.findByObjectSSRTest flaked with 400 instead of
   200. The test sets dspace.server.ssr.url (used by Utils.getBaseObjectRestFromUri
   to resolve the request URI) and the AlwaysThrowExceptionFeature.turnoff flag via
   configurationService.setProperty(...). Such in-memory overrides are silently
   dropped when the combined config is rebuilt by the auto-reload listener (fires on
   any reloadable cfg file mtime change mid-run). When ssr.url is dropped the URI no
   longer resolves -> 400; if turnoff were also dropped the /search/object path would
   let alwaysexception throw -> 500. Fix: set both via JVM system properties (+
   reloadConfig) so they sit in the highest-precedence override layer and survive
   auto-reload, cleared in @after. Same pattern as #1321's Shibboleth fix
   (AuthenticationRestControllerIT#setAuthenticationMethodSequence). Applied to all
   three SSR tests.

2. StatisticsRestRepositoryIT.topCountriesReport_Community_Visited flaked with an
   empty report (points: []). postView() commits with waitSearcher=false, so the
   just-posted view events can be invisible to the immediately-following report query
   (and a dropped solr-statistics.autoCommit override would skip the commit entirely).
   Fix: after posting the view events, force solrLoggerService.commit() (waitSearcher
   =true) so the events are flushed and visible before the report is queried.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

* [Backport dtq-dev] Issue 1360: allow to change license in workflow item, in PATCH operation (ufal#1365) (#1327)

* Issue 1360: allow to change license in workflow item, in PATCH operation (ufal#1365)

* Issue 1360: allow to change license in workflow item, in PATCH operation

* improve fix + Integration test

* resolve Copilot comments

* resolve more MR comments

* return 404 in case PATCH request references non existing license

* improve error message for task claimed by other user

* resolve second round of Copilot comments

* small code refactoring

* fixed failing test

(cherry picked from commit 40672c3)

* resolve PR comments

---------

Co-authored-by: Milan Kuchtiak <kuchtiak@ufal.mff.cuni.cz>

* [Port to dtq-dev] Issue ufal#1317 metadata health check (#1307)

* Issue ufal#1317 metadata health check (ufal#1338)

* Issue 1317: health-check for metadata - initial commit

* implement MetadataCheck report

* improve MetadataCheck

* improve MetadataCheck with more sophisticated selection of error/warning messages

* code cleanup

* rename qa-metadata-error-patterns.json to metadata-check-patterns.json

* implement copilot suggestions

* add test for Metadata check to HealthReportIT

* improved documentation

* added test

* improve documentation

* set default error dispersion quota to 5

(cherry picked from commit 39157a5)

* add JavaDoc description

* resolve coderabbitai comment

* update report-diff-fields.json

* resolve Copilot comments

---------

Co-authored-by: Milan Kuchtiak <kuchtiak@ufal.mff.cuni.cz>

* test: de-flake ItemHandleCheckerIT (mock the live handle resolver) (#1346)

* test: de-flake ItemHandleCheckerIT (mock the live handle resolver)

ItemHandleCheckerIT.testItemHandleNotFound intermittently failed on dtq-dev with
a synthetic 617 (SocketTimeoutException) instead of 404. The checkhandles task
(ItemHandleChecker) issues a HEAD request to each item's handle URL
(handle.canonical.prefix + handle) with a 3s read timeout; the test pointed the
prefix at the live http://hdl.handle.net/ and asserted the resolver returns 404
(non-existent handle) and 302->200 (a real handle). When the live resolver was
slow/unreachable the HEAD timed out -> 617 -> red pipeline. Same class of flake
as the ORCID tests; not a regression (the merge commit passed many other runs).

Fix (test-only): serve the handle URLs from a local okhttp3 MockWebServer. setUp
sets handle.canonical.prefix to the mock base URL; a path-based dispatcher returns
302 (+Location to a -target path) for the redirect handle, 200 for the target, and
404 otherwise. The real/invalid/ignored URLs are derived from the mock base instead
of hard-coded hdl.handle.net literals; the server is closed in @after. All six tests
keep their original assertions and behavior; only the live-network hop is removed.

Verified locally: 6/6 green across 4 runs, no external network involved.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* test: restore handle.canonical.prefix in ItemHandleCheckerIT teardown

Address CodeRabbit: setUp overwrites the shared handle.canonical.prefix with the
per-run mock-server URL. Capture the previous value and restore it in destroy()
(after closing the mock server) so a later test in the same JVM is never left
pointing at the now-closed localhost port. (The superclass destroy() reloadConfig()
already resets it, but restoring explicitly makes the test self-contained.)

Re-verified locally: 6/6 green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

* UFAL/Obtain special groups from user context when new token is generated (on token refresh)  (ufal#1378) (#1347)

* Issue 1373: obtain special groups from user context when new token is generated (on token refresh)

* resolve Copilot comments

* resolve Copilot Comments: compute special groups only when when user is authenticated

* Remove HttpSession dependency from ClarinShibAuthentication

Use request-scoped attributes for shib.authenticated instead of
HttpSession/JSESSIONID, aligning with upstream ShibAuthentication.
Follow-up to ufal#1373/ufal#1378.

* Guard against null special groups in Context.getSpecialGroups

A special-group UUID may reference a Group that has since been deleted;
GroupService.find returns null in that case. The list was built with an
unconditional add, so it could contain null elements, which caused an NPE
downstream (e.g. SpecialGroupClaimProvider.getValue maps group.getID()
while generating the JWT sg claim on token refresh). Filter nulls once
here so every caller is covered. Follow-up to ufal#1373/ufal#1378.

---------


(cherry picked from commit 4c294b2)

Co-authored-by: Milan Kuchtiak <kuchtiak@ufal.mff.cuni.cz>

* UFAL/fix: DOI Organizer creates duplicate dc.identifier.doi metadata (ufal#1368) (#1350)

* Issue 1361 fix: DOI Organizer creates duplicate dc.identifier.doi metadata

* copilot comments

* Issue 1361: make DOI metadata save additive, report duplicates via QA

saveDOIToObject now adds dc.identifier.doi only when that exact value is
not already present, and no longer deletes metadata. The previous fix
cleared existing values when more than one was found or when a different
DOI was present; since this method runs after the DOI has already been
registered with the external agency, silently dropping a (possibly
legacy/citable) identifier is lossy and irreversible. The operation stays
idempotent, so re-registration no longer creates duplicate values.

Items that legitimately end up with more than one dc.identifier.doi value
are now surfaced for manual review by adding dc.identifier.doi to the
ItemMetadataQAChecker noDuplicate list (metadataqa curation task) rather
than being cleaned up silently in the write path.

Tests: flip the replace test to assert a pre-existing different DOI is
preserved alongside the new one, keep the idempotency test, and add a QA
checker IT asserting an item with two DOIs fails curation.

* local field renaming

---------


(cherry picked from commit 3b7db4c)

Co-authored-by: Milan Kuchtiak <kuchtiak@ufal.mff.cuni.cz>

---------

Co-authored-by: Ondřej Košarko <ko_ok@centrum.cz>
Co-authored-by: Milan Kuchtiak <kuchtiak@ufal.mff.cuni.cz>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: kosarko <1842385+kosarko@users.noreply.github.com>
Co-authored-by: Paurikova2 <michaela.paurikova@dataquest.sk>
Co-authored-by: Kasinhou <129340513+Kasinhou@users.noreply.github.com>
Co-authored-by: Matus Kasak <matus.kasak@dataquest.sk>
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
Co-authored-by: Kim Shepherd <kim@shepherd.nz>
Co-authored-by: jurinecko <juraj.roka@dataquest.sk>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants