Merged in UXP-98-2023_02_x (pull request DSpace#1144)

Fixes security issue with ProxyResourceController

Author: atarix83

src/app/core/submission/models/workspaceitem-section-unpaywall-object.ts

@@ -25,11 +25,6 @@ export interface WorkspaceitemSectionUnpaywallObject {
    */
   status: UnpaywallSectionStatus;
 
-  /**
-   * Item json record.
-   */
-  jsonRecord: string;
-
   /**
    * Timestamp created.
    */

src/app/item-page/edit-item-page/edit-item-page.module.ts

@@ -1,7 +1,7 @@
 import { NgModule } from '@angular/core';
 import { CommonModule } from '@angular/common';
 
-import { NgbTooltipModule, NgbModule } from '@ng-bootstrap/ng-bootstrap';
+import { NgbModule, NgbTooltipModule } from '@ng-bootstrap/ng-bootstrap';
 
 import { SharedModule } from '../../shared/shared.module';
 import { EditItemPageRoutingModule } from './edit-item-page.routing.module';
@@ -20,14 +20,22 @@ import { SearchPageModule } from '../../search-page/search-page.module';
 import { ItemCollectionMapperComponent } from './item-collection-mapper/item-collection-mapper.component';
 import { ItemRelationshipsComponent } from './item-relationships/item-relationships.component';
 import { EditRelationshipComponent } from './item-relationships/edit-relationship/edit-relationship.component';
-import { EditRelationshipListComponent } from './item-relationships/edit-relationship-list/edit-relationship-list.component';
+import {
+  EditRelationshipListComponent
+} from './item-relationships/edit-relationship-list/edit-relationship-list.component';
 import { AbstractItemUpdateComponent } from './abstract-item-update/abstract-item-update.component';
 import { ItemMoveComponent } from './item-move/item-move.component';
-import { ItemEditBitstreamBundleComponent } from './item-bitstreams/item-edit-bitstream-bundle/item-edit-bitstream-bundle.component';
+import {
+  ItemEditBitstreamBundleComponent
+} from './item-bitstreams/item-edit-bitstream-bundle/item-edit-bitstream-bundle.component';
 import { BundleDataService } from '../../core/data/bundle-data.service';
 import { DragDropModule } from '@angular/cdk/drag-drop';
-import { ItemEditBitstreamDragHandleComponent } from './item-bitstreams/item-edit-bitstream-drag-handle/item-edit-bitstream-drag-handle.component';
-import { PaginatedDragAndDropBitstreamListComponent } from './item-bitstreams/item-edit-bitstream-bundle/paginated-drag-and-drop-bitstream-list/paginated-drag-and-drop-bitstream-list.component';
+import {
+  ItemEditBitstreamDragHandleComponent
+} from './item-bitstreams/item-edit-bitstream-drag-handle/item-edit-bitstream-drag-handle.component';
+import {
+  PaginatedDragAndDropBitstreamListComponent
+} from './item-bitstreams/item-edit-bitstream-bundle/paginated-drag-and-drop-bitstream-list/paginated-drag-and-drop-bitstream-list.component';
 import { VirtualMetadataComponent } from './virtual-metadata/virtual-metadata.component';
 import { ItemVersionHistoryComponent } from './item-version-history/item-version-history.component';
 import { ItemAuthorizationsComponent } from './item-authorizations/item-authorizations.component';
@@ -43,9 +51,7 @@ import { ThemedItemStatusComponent } from './item-status/themed-item-status.comp
 
 import { ItemAccessControlComponent } from './item-access-control/item-access-control.component';
 import { ResultsBackButtonModule } from '../../shared/results-back-button/results-back-button.module';
-import {
-  AccessControlFormModule
-} from '../../shared/access-control-form-container/access-control-form.module';
+import { AccessControlFormModule } from '../../shared/access-control-form-container/access-control-form.module';
 import { ItemUnlinkOrcidComponent } from './item-unlink-orcid/item-unlink-orcid.component';
 import { EditMetadataSecurityComponent } from './edit-metadata-security/edit-metadata-security.component';
 import { EditItemResolver } from '../../core/shared/resolvers/edit-item.resolver';
@@ -108,6 +114,7 @@ import { EditItemResolver } from '../../core/shared/resolvers/edit-item.resolver
   exports: [
     EditMetadataSecurityComponent,
     ItemOperationComponent,
+    ItemVersionHistoryComponent,
   ]
 })
 export class EditItemPageModule {

src/app/submission/objects/submission-objects.reducer.ts

@@ -47,7 +47,9 @@ import {
   UpdateSectionVisibilityAction
 } from './submission-objects.actions';
 import { WorkspaceitemSectionUploadObject } from '../../core/submission/models/workspaceitem-section-upload.model';
-import { WorkspaceitemSectionDetectDuplicateObject } from '../../core/submission/models/workspaceitem-section-deduplication.model';
+import {
+  WorkspaceitemSectionDetectDuplicateObject
+} from '../../core/submission/models/workspaceitem-section-deduplication.model';
 import { SubmissionSectionObject } from './submission-section-object.model';
 import { MetadataSecurityConfiguration } from '../../core/submission/models/metadata-security-configuration';
 
@@ -889,8 +891,7 @@ function newFile(state: SubmissionObjectState, action: NewUploadedFileAction): S
       files: [action.payload.data]
     };
   } else {
-    newData = filesData;
-    newData.files.push(action.payload.data);
+    newData = { ...filesData, files: [].concat(...filesData.files, action.payload.data) };
   }
 
   return Object.assign({}, state, {

src/app/submission/sections/unpaywall/models/unpaywall-section-status.ts

@@ -2,5 +2,6 @@ export enum UnpaywallSectionStatus {
   PENDING = 'PENDING',
   NOT_FOUND = 'NOT_FOUND',
   SUCCESSFUL = 'SUCCESSFUL',
-  NO_FILE = 'NO_FILE'
+  NO_FILE = 'NO_FILE',
+  IMPORTED = 'IMPORTED',
 }

src/app/submission/sections/unpaywall/submission-section-unpaywall.component.html

@@ -1,33 +1,45 @@
-<div class="d-flex justify-content-center">
-  <button (click)="refreshApiCheck()" [disabled]="(loading$ | async)" type="button" class="btn btn-secondary mr-2"
-          aria-label="refresh">
-    <span aria-hidden="true">{{'submission.sections.unpaywall.refresh' | translate}}</span>
-  </button>
-  <button [disabled]="(status$ | async) !== UnpaywallSectionStatus.SUCCESSFUL || (loading$ | async)" type="button"
-          (click)="uploadFileIfNeeded()" class="btn btn-success" aria-label="import from unpaywall">
-    <span aria-hidden="true">{{'submission.sections.unpaywall.import' | translate}}</span>
-  </button>
-</div>
-<br>
-<div class="d-flex justify-content-center">
-  <ds-themed-loading *ngIf="(loading$ | async)" class="ds-themed-loading"></ds-themed-loading>
-</div>
-<div class="d-flex justify-content-center">
-  <div [ngSwitch]="(status$ | async)" *ngIf="!(loading$ | async)">
-    <div *ngSwitchCase="UnpaywallSectionStatus.SUCCESSFUL">
-      {{'submission.sections.unpaywall.status.successful' | translate}}
-    </div>
-    <div *ngSwitchCase="UnpaywallSectionStatus.NOT_FOUND">
-      {{'submission.sections.unpaywall.status.not-found' | translate}}
+<div class="container-fluid">
+  <div class="row justify-content-center">
+    <div class="col-12">
+      <div [ngSwitch]="(status$ | async)" *ngIf="!(loading$ | async)">
+        <ng-container *ngSwitchCase="UnpaywallSectionStatus.SUCCESSFUL">
+          <ds-alert [type]="AlertType.Info"
+                    [content]="'submission.sections.unpaywall.status.successful' | translate"></ds-alert>
+        </ng-container>
+        <ng-container *ngSwitchCase="UnpaywallSectionStatus.IMPORTED">
+          <ds-alert [type]="AlertType.Success"
+                    [content]="'submission.sections.unpaywall.status.imported' | translate"></ds-alert>
+        </ng-container>
+        <ng-container *ngSwitchCase="UnpaywallSectionStatus.PENDING">
+          <ds-alert [type]="AlertType.Info"
+                    [content]="'submission.sections.unpaywall.status.pending' | translate"></ds-alert>
+        </ng-container>
+        <ng-container *ngSwitchCase="UnpaywallSectionStatus.NO_FILE">
+          <ds-alert [type]="AlertType.Warning"
+                    [content]="'submission.sections.unpaywall.status.no-file' | translate"></ds-alert>
+        </ng-container>
+        <ng-container *ngSwitchCase="UnpaywallSectionStatus.NOT_FOUND">
+          <ds-alert [type]="AlertType.Error"
+                    [content]="'submission.sections.unpaywall.status.not-found' | translate"></ds-alert>
+        </ng-container>
+      </div>
     </div>
-    <div *ngSwitchCase="UnpaywallSectionStatus.PENDING">
-      {{'submission.sections.unpaywall.status.pending' | translate}}
-    </div>
-    <div *ngSwitchCase="UnpaywallSectionStatus.NO_FILE">
-      {{'submission.sections.unpaywall.status.no-file' | translate}}
+  </div>
+  <div class="row justify-content-center">
+    <div class="col-12 d-flex justify-content-center">
+      <ng-container [ngSwitch]="(loading$ | async)">
+        <ds-themed-loading *ngSwitchCase="true" class="ds-themed-loading"></ds-themed-loading>
+        <ng-container *ngSwitchCase="false">
+          <button type="button" class="btn btn-secondary mr-2" aria-label="refresh"
+                  (click)="refreshApiCheck()">
+            <span aria-hidden="true">{{'submission.sections.unpaywall.refresh' | translate}}</span>
+          </button>
+          <button type="button" class="btn btn-success" aria-label="import from unpaywall"
+                  (click)="confirmImport()" [disabled]="(status$ | async) !== UnpaywallSectionStatus.SUCCESSFUL">
+            <span aria-hidden="true">{{'submission.sections.unpaywall.import' | translate}}</span>
+          </button>
+        </ng-container>
+      </ng-container>
     </div>
   </div>
-
 </div>
-
-

src/app/submission/sections/unpaywall/submission-section-unpaywall.component.spec.ts

@@ -48,12 +48,9 @@ import {
   WorkspaceitemSectionUnpaywallObject
 } from '../../../core/submission/models/workspaceitem-section-unpaywall-object';
 import { UnpaywallSectionStatus } from './models/unpaywall-section-status';
-import { UnpaywallApi } from './models/unpaywall-api';
-import { ResourceService } from '../../../core/services/resource.service';
 import { of } from 'rxjs';
 import { AuthTokenInfo } from '../../../core/auth/models/auth-token-info.model';
 import { provideMockStore } from '@ngrx/store/testing';
-import { FileItem } from 'ng2-file-upload';
 import { SubmissionObject } from '../../../core/submission/models/submission-object.model';
 import { SectionsType } from '../sections-type';
 import { WorkspaceitemSectionUploadObject } from '../../../core/submission/models/workspaceitem-section-upload.model';
@@ -62,12 +59,13 @@ import {
 } from '../../../core/submission/models/workspaceitem-section-upload-file.model';
 import { RawRestResponse } from '../../../core/dspace-rest/raw-rest-response.model';
 import { SubmissionState } from '../../submission.reducers';
+import { SectionUploadService } from '../upload/section-upload.service';
+import { getMockSectionUploadService } from '../../../shared/mocks/section-upload.service.mock';
 
 describe('SubmissionSectionUnpaywallComponentComponent', () => {
   let component: SubmissionSectionUnpaywallComponent;
   let fixture: ComponentFixture<SubmissionSectionUnpaywallComponent>;
   let httpMock: HttpTestingController;
-  let resourceService: ResourceService;
   let submissionService: SubmissionService;
   let halService: HALEndpointService;
   let tokenExtractor: HttpXsrfTokenExtractor;
@@ -76,6 +74,7 @@ describe('SubmissionSectionUnpaywallComponentComponent', () => {
   let translate: TranslateService;
   let restApi: DspaceRestService;
   let store: Store<SubmissionState>;
+    let sectionUploadService: SectionUploadService;
   const xsrfToken = 'mock-token';
 
   const initialState = {
@@ -140,6 +139,7 @@ describe('SubmissionSectionUnpaywallComponentComponent', () => {
         { provide: 'collectionIdProvider', useValue: mockSubmissionCollectionId },
         { provide: 'sectionDataProvider', useValue: {} },
         { provide: 'submissionIdProvider', useValue: mockSubmissionId },
+          { provide: SectionUploadService, useValue: getMockSectionUploadService() },
       ],
       declarations: [SubmissionSectionUnpaywallComponent],
       schemas: [NO_ERRORS_SCHEMA]
@@ -149,7 +149,6 @@ describe('SubmissionSectionUnpaywallComponentComponent', () => {
 
   beforeEach(() => {
     fixture = TestBed.createComponent(SubmissionSectionUnpaywallComponent);
-    resourceService = TestBed.inject(ResourceService);
     submissionService = TestBed.inject(SubmissionService);
     halService = TestBed.inject(HALEndpointService);
     httpMock = TestBed.inject(HttpTestingController);
@@ -159,6 +158,7 @@ describe('SubmissionSectionUnpaywallComponentComponent', () => {
     translate = TestBed.inject(TranslateService);
     restApi = TestBed.inject(DspaceRestService);
     store = TestBed.inject(Store);
+      sectionUploadService = TestBed.inject(SectionUploadService);
     component = fixture.componentInstance;
     fixture.detectChanges();
   });
@@ -171,19 +171,24 @@ describe('SubmissionSectionUnpaywallComponentComponent', () => {
     expect(component).toBeTruthy();
   });
 
-  describe('uploadFileIfNeeded', () => {
-    it('should upload file if needed', () => {
-      const resourceUrl = 'http://resourse-url/test.txt';
-      const resource = new Blob(['Test data'], { type: 'text/plain' });
+  describe('import file', () => {
+    it('should import the linked resource if needed', () => {
       const submissionObjectName = 'workspaceitems';
       const testEndpoint = 'http://test-endpoint';
       const successLabel = of('success-label');
-      const unpaywallApiResp = { best_oa_location: { url: resourceUrl } } as UnpaywallApi;
-      const submissionObject = {
+      const uploadSection: WorkspaceitemSectionUploadObject = { files: [] };
+      const successfulSection: WorkspaceitemSectionUnpaywallObject = {
+        id: 1,
+        status: UnpaywallSectionStatus.SUCCESSFUL,
+        doi: 'test-doi',
+        itemId: 'test-item-id',
+        timestampCreated: new Date(),
+        timestampLastModified: new Date()
+      };
+      const importedResource = {
         sections: {
           [SectionsType.Unpaywall]: {
-            status: UnpaywallSectionStatus.SUCCESSFUL,
-            jsonRecord: JSON.stringify(unpaywallApiResp),
+            status: UnpaywallSectionStatus.IMPORTED,
             doi: 'test-doi',
             itemId: 'test-item-id',
             timestampCreated: new Date(),
@@ -196,27 +201,32 @@ describe('SubmissionSectionUnpaywallComponentComponent', () => {
           } as WorkspaceitemSectionUploadObject
         }
       } as unknown as SubmissionObject;
-      component.section$.next(<WorkspaceitemSectionUnpaywallObject>submissionObject.sections.unpaywall);
+      component.unpaywallSection$.next(successfulSection);
+      component.uploadSection$.next({ [SectionsType.Upload]: uploadSection });
+      const requestResponse = { payload: importedResource } as unknown as RawRestResponse;
+      jasmine.clock().install();
 
-      spyOn(resourceService, 'download').withArgs(resourceUrl).and.returnValue(of(resource));
       spyOn(submissionService, 'getSubmissionObjectLinkName').and.returnValue(submissionObjectName);
       spyOn(halService, 'getEndpoint').withArgs(submissionObjectName).and.returnValue(of(testEndpoint));
       spyOn(tokenExtractor, 'getToken').and.returnValue(xsrfToken);
-      spyOn(component.uploader, 'uploadAll').and.callFake(() =>
-        (component.uploader as  any)._onSuccessItem(new FileItem(component.uploader, new File([resource], 'test.txt'), {}), JSON.stringify(submissionObject), null, null));
+      spyOn(restApi, 'request').and.returnValue(of(requestResponse));
       spyOn(sectionService, 'isSectionType')
         .withArgs(mockSubmissionId, SectionsType.Unpaywall, SectionsType.Upload).and.returnValue(of(false))
         .withArgs(mockSubmissionId, SectionsType.Upload, SectionsType.Upload).and.returnValue(of(true));
-      spyOn(translate, 'get').withArgs('submission.sections.upload.upload-successful').and.returnValue(successLabel);
+      spyOn(translate, 'get').withArgs('submission.sections.unpaywall.status.imported').and.returnValue(successLabel);
+      spyOn(component.loading$, 'next');
+      spyOn(component.status$, 'next');
+      spyOn(component.unpaywallSection$, 'next');
       spyOn(notificationsService, 'success').withArgs(null, successLabel);
       spyOn(notificationsService, 'error');
-      spyOn(sectionService, 'updateSectionData').withArgs(mockSubmissionId, SectionsType.Upload, submissionObject.sections[SectionsType.Upload], undefined, undefined);
 
-      component.uploadFileIfNeeded();
+      component.confirmImport();
 
-      expect(component.uploader.uploadAll).toHaveBeenCalledTimes(1);
-      expect(notificationsService.success).toHaveBeenCalledTimes(1);
-      expect(notificationsService.error).not.toHaveBeenCalled();
+      expect(component.loading$.next).toHaveBeenCalledWith(false);
+      expect(component.status$.next).toHaveBeenCalledOnceWith((importedResource.sections[SectionsType.Unpaywall] as WorkspaceitemSectionUnpaywallObject).status);
+      expect(component.unpaywallSection$.next).toHaveBeenCalledWith(importedResource.sections[SectionsType.Unpaywall] as WorkspaceitemSectionUnpaywallObject);
+      expect(sectionUploadService.addUploadedFile).toHaveBeenCalledTimes(1);
+      jasmine.clock().uninstall();
     });
   });
 
@@ -228,7 +238,6 @@ describe('SubmissionSectionUnpaywallComponentComponent', () => {
         sections: {
           [SectionsType.Unpaywall]: {
             status: UnpaywallSectionStatus.SUCCESSFUL,
-            jsonRecord: '',
             doi: 'test-doi',
             itemId: 'test-item-id',
             timestampCreated: new Date(),
@@ -245,15 +254,15 @@ describe('SubmissionSectionUnpaywallComponentComponent', () => {
       spyOn(component.loading$, 'next');
       spyOn(component.status$, 'next')
         .withArgs((submissionObject.sections[SectionsType.Unpaywall] as WorkspaceitemSectionUnpaywallObject).status);
-      spyOn(component.section$, 'next')
+        spyOn(component.unpaywallSection$, 'next')
         .withArgs(submissionObject.sections[SectionsType.Unpaywall] as WorkspaceitemSectionUnpaywallObject);
 
       component.refreshApiCheck();
       jasmine.clock().tick(3010);
 
       expect(component.loading$.next).toHaveBeenCalledWith(false);
       expect(component.status$.next).toHaveBeenCalledOnceWith((submissionObject.sections[SectionsType.Unpaywall] as WorkspaceitemSectionUnpaywallObject).status);
-      expect(component.section$.next).toHaveBeenCalledOnceWith(submissionObject.sections[SectionsType.Unpaywall] as WorkspaceitemSectionUnpaywallObject);
+        expect(component.unpaywallSection$.next).toHaveBeenCalledOnceWith(submissionObject.sections[SectionsType.Unpaywall] as WorkspaceitemSectionUnpaywallObject);
       jasmine.clock().uninstall();
     });
   });