Limit configuration available publicly in config.json #5030

@tdonohue

Description

Describe the bug

As reported on dspace-tech, the config.json public availability could be flagged as an "information disclosure" vulnerability by security scanners. This was also discussed in today's Developers Meeting.

This config.json is used by the DSpace UI for runtime configuration of the user interface. The purpose of this configuration is to tell the DSpace UI which features are enabled on specific pages. The config.json should not include secure or private information.

The config.json is initially loaded via SSR (Server Side Rendering) which does not require it to be publicly available. However, the config.json must be publicly available in CSR (Client Side Rendering) mode, unless the application state has been transferred from SSR mode (see code in main.browser.ts).

This means that, if you block access to the config.json, then CSR mode may not function properly in all situations. This is especially true if your initial access to the site is a page that doesn't undergo SSR (e.g. search pages or similar). If you block access to the config.json, then any paths/pages included in your ssr > excludePathPatterns settings will not function properly.

Overall, this means that we should limit the configurations available in the config.json to only those configurations which are required by CSR or pose no "information disclosure" threat.

Possible configurations to move out of the config.json include:

  • Any configuration that is specific to SSR (e.g. rest.ssrBaseUrl and the serverSide cache settings)
  • Potentially configurations that are better off moved to the backend.

Settings that may need to remain in the config.json include:

  • ui settings - These tell Node.js where to start the UI. However, they should always reference blocked/private ports in production scenarios because the UI is run behind a proxy in production mode.
  • Other rest settings - These tell the UI where the public REST API is. So they always point to a public, findable server.
  • Other settings used by the UI to change behavior (includes things like configuring results per page, languages, etc.). All of these are discoverable from the UI anyways.

To Reproduce

Steps to reproduce the behavior:

  1. See that the config.json is publicly available on the demo site: https://demo.dspace.org/assets/config.json

Expected behavior

The config.json likely needs to remain public. But, we can do a better job of limiting the configs available in that file to only those configs required by CSR mode. Any SSR specific configs should be moved to a private configuration file which is only available on the server itself.
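To make the split described above concrete, here is an added example (not DSpace project code) that strips SSR-only settings out of a runtime config before it is served as config.json, keeps them in a server-only map, and audits a served config.json for SSR-only keys that should not be there. The key path rest.ssrBaseUrl is taken from the issue; the other paths and the sample config are assumptions constructed for illustration.

```typescript
// Added example, not DSpace code: split a UI runtime config into the public
// config.json that CSR needs and a server-only map of SSR-specific settings.
type Config = { [key: string]: unknown };
// Dotted key paths that are only needed during Server Side Rendering.
export const SSR_ONLY_PATHS: string[] = [
  'rest.ssrBaseUrl',   // named in the issue
  'cache.serverSide',  // "serverSide cache settings"; exact path is an assumption
  'ssr',               // SSR block, e.g. excludePathPatterns; exact path is an assumption
];
const isObject = (v: unknown): v is Config =>
  typeof v === 'object' && v !== null && !Array.isArray(v);
// Walk a dotted path; returns [parent object, last key] or null if the path is absent.
function locate(obj: Config, path: string): [Config, string] | null {
  const parts = path.split('.');
  let cur: Config = obj;
  for (const p of parts.slice(0, -1)) {
    if (!isObject(cur[p])) return null;
    cur = cur[p] as Config;
  }
  const last = parts[parts.length - 1];
  return last in cur ? [cur, last] : null;
}
// Deep-copy the full config, delete SSR-only paths from the copy, and collect
// the removed values so they can be written to a file that stays on the server.
export function splitRuntimeConfig(full: Config): { publicConfig: Config; privateConfig: Record<string, unknown> } {
  const publicConfig: Config = JSON.parse(JSON.stringify(full));
  const privateConfig: Record<string, unknown> = {};
  for (const path of SSR_ONLY_PATHS) {
    const hit = locate(publicConfig, path);
    if (hit) {
      const [parent, key] = hit;
      privateConfig[path] = parent[key];
      delete parent[key];
    }
  }
  return { publicConfig, privateConfig };
}
// Audit a config.json as served to browsers: which SSR-only paths are still present?
export function leakedSsrPaths(served: Config): string[] {
  return SSR_ONLY_PATHS.filter((p) => locate(served, p) !== null);
}
// Constructed sample config (not copied from any real site).
export const SAMPLE_CONFIG: Config = {
  ui: { host: 'localhost', port: 4000 },
  rest: { host: 'demo.dspace.org', port: 443, ssrBaseUrl: 'http://127.0.0.1:8080/server' },
  cache: { serverSide: { anonymousCache: { max: 1000 } } },
  ssr: { excludePathPatterns: ['/search'] },
  defaultLanguage: 'en',
};
```

Running leakedSsrPaths against the served config.json is a cheap check to add to a deployment pipeline; it should return an empty list for the public file.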

Metadata

Status: 📋 To Do
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests