Limit configuration available publicly in config.json #5045
Open
Aryakoste wants to merge 2 commits into DSpace:main from
Conversation
tdonohue reviewed on Jan 27, 2026
| ].join(''); | ||
| }; | ||
|
|
||
| const removeServerSideConfig = (config: AppConfig): any => { |
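Review bot: `removeServerSideConfig` is declared to return `any`, so the stripped object can be handed to anything expecting a full `AppConfig` without the compiler noticing that server-only fields are gone, and nothing stops a caller from treating the client copy as the complete config. Give it a dedicated return type (an `Omit<>` of the removed keys or an explicit client-config interface) so code that consumes the public config is typed against what actually ships to the browser.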
tdonohue (Member):
@Aryakoste : Please add an inline comment above this to describe why we're doing this. It could be something like this:
/**
* Removes all server-side specific settings from the application configuration.
* This method is used to ensure the "assets/config.json" that provides runtime
* configuration to CSR (client side rendering) excludes these server-side keys.
*
* @param config the application configuration
*/
Comment on lines +173 to +180
| const clientConfig = JSON.parse(JSON.stringify(config)); | ||
| delete clientConfig.rest.ssrBaseUrl; | ||
| delete clientConfig.rest.hasSsrBaseUrl; | ||
| delete clientConfig.cache.serverSide; | ||
| delete clientConfig.ui.rateLimiter; | ||
| delete clientConfig.ui.useProxies; | ||
| return clientConfig; | ||
| }; |
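Review bot: Each `delete` on lines +174 to +178 assumes its parent section exists; if `config.rest`, `config.cache` or `config.ui` is absent in some deployment's configuration, `delete clientConfig.cache.serverSide` throws a TypeError at startup instead of writing `assets/config.json`. Guard each section (`if (clientConfig.cache) { delete clientConfig.cache.serverSide; }` or equivalent). The deny-list shape is also the bigger risk: any server-only key added later is exposed to every client until someone remembers to append it here, so an allow-list of client-safe keys that drops everything else by default would fail closed rather than open.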
Contributor
Could this be inverted to only return client config properties (instead of deleting server properties)? In the case that a config property is added in the future without someone knowing about this vulnerability, it should default to not being in the client config.
References: config.json #5030

Description
Successfully split the configuration. config.server.ts now filters sensitive keys (rest.ssrBaseUrl, cache.serverSide, ui.rateLimiter, ui.useProxies) before writing to assets/config.json. The server process retains the full configuration via the return value of buildAppConfig.
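The allow-list inversion suggested in the review, applied to the filtering step the description says config.server.ts performs before writing assets/config.json, as an added example. This is not DSpace code: the `AppConfig` shape, the client-visible keys (`ui.baseUrl`, `ui.host`, `ui.port`, `rest.baseUrl`, `cache.msToLive`, `defaultLanguage`), the sample configuration and the helper names are assumptions for illustration; only the server-only key names come from the PR. Instead of deleting known server-side keys, it copies only listed paths, so a key added later is withheld by default, and it tolerates a missing section instead of throwing.

```typescript
// Added example, not DSpace's own code. Builds the public client config from
// an allow-list of dotted key paths rather than deleting known server keys.
type AppConfig = Record<string, any>;

// Dotted paths permitted to reach the browser (assumed names; not from DSpace).
// Anything not listed here, including keys added in the future, is dropped.
const CLIENT_ALLOW_LIST: readonly string[] = [
  'ui.baseUrl',
  'ui.host',
  'ui.port',
  'rest.baseUrl',
  'cache.msToLive',
  'defaultLanguage',
];

// Server-only paths the PR strips; used here only as a post-filter check.
const SERVER_ONLY_PATHS: readonly string[] = [
  'rest.ssrBaseUrl',
  'rest.hasSsrBaseUrl',
  'cache.serverSide',
  'ui.rateLimiter',
  'ui.useProxies',
];

// Reads a dotted path; returns undefined (never throws) if a section is missing.
function getPath(obj: AppConfig, path: string): unknown {
  return path
    .split('.')
    .reduce<any>((cur, key) => (cur == null ? undefined : cur[key]), obj);
}

// Writes a dotted path, creating intermediate objects as needed.
function setPath(obj: AppConfig, path: string, value: unknown): void {
  const keys = path.split('.');
  let cur: AppConfig = obj;
  for (const key of keys.slice(0, -1)) {
    if (typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
}

// Allow-list projection: only listed paths that exist in the source are copied.
// A configuration with no `cache` section simply yields no `cache` key, where
// `delete config.cache.serverSide` would throw a TypeError.
function toClientConfig(config: AppConfig): AppConfig {
  const client: AppConfig = {};
  for (const path of CLIENT_ALLOW_LIST) {
    const value = getPath(config, path);
    if (value !== undefined) {
      // JSON round-trip yields a detached copy, like the PR's deep clone.
      setPath(client, path, JSON.parse(JSON.stringify(value)));
    }
  }
  return client;
}

// Guard to run right before writing assets/config.json: lists any server-only
// path still present in the client config (an empty array means none leaked).
function leakedServerPaths(client: AppConfig): string[] {
  return SERVER_ONLY_PATHS.filter((p) => getPath(client, p) !== undefined);
}

// Constructed sample configuration for the demo (not a real DSpace config).
const SAMPLE_CONFIG: AppConfig = {
  ui: {
    baseUrl: 'http://localhost:4000',
    host: 'localhost',
    port: 4000,
    rateLimiter: { windowMs: 60000, max: 500 },
    useProxies: true,
  },
  rest: {
    baseUrl: 'http://localhost:8080/server',
    ssrBaseUrl: 'http://backend:8080/server',
    hasSsrBaseUrl: true,
  },
  cache: { msToLive: 900000, serverSide: { botCache: { max: 1000 } } },
  defaultLanguage: 'en',
  // A setting added after the filter was written: never allow-listed, so it
  // stays server-side without anyone having to update a deny-list.
  laterAddedServerSetting: { internalToken: 'constructed-placeholder' },
};

const clientConfig = toClientConfig(SAMPLE_CONFIG);
console.log(JSON.stringify(clientConfig, null, 2));
console.log('leaked server-only paths:', leakedServerPaths(clientConfig));
```

The `leakedServerPaths` check is deliberately separate from the projection: it is the assertion a CI test or a startup self-check can make against whatever ends up in assets/config.json, independent of how the file was produced.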
Checklist
This checklist provides a reminder of what we are going to look for when reviewing your PR. You do not need to complete this checklist prior to creating your PR (draft PRs are always welcome).
However, reviewers may request that you complete any actions in this list if you have not done so. If you are unsure about an item in the checklist, don't hesitate to ask. We're here to help!
- … main branch of code (unless it is a backport or is fixing an issue specific to an older branch).
- … npm run lint
- … npm run check-circ-deps)
- … package.json), I've made sure their licenses align with the DSpace BSD License based on the Licensing of Contributions documentation.