chore: update reva to latest edge

changelog/unreleased/bump-reva.md

@@ -2,6 +2,7 @@ Enhancement: Bump Reva
 
 bumps reva version
 
+https://github.com/owncloud/ocis/pull/9330
 https://github.com/owncloud/ocis/pull/9318
 https://github.com/owncloud/ocis/pull/9269
 https://github.com/owncloud/ocis/pull/9236

go.mod

@@ -15,7 +15,7 @@ require (
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/coreos/go-oidc/v3 v3.10.0
 	github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781
-	github.com/cs3org/reva/v2 v2.19.2-0.20240604132648-408bb6433068
+	github.com/cs3org/reva/v2 v2.19.2-0.20240606075653-a7a1d2d2dace
 	github.com/dhowden/tag v0.0.0-20230630033851-978a0926ee25
 	github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e
 	github.com/egirna/icap-client v0.1.1

go.sum

@@ -1027,6 +1027,8 @@ github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781 h1:BUdwkIlf8IS2F
 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY=
 github.com/cs3org/reva/v2 v2.19.2-0.20240604132648-408bb6433068 h1:DAmvibMtV7HxsQoG3jfwm78XftA/js0ECuv1pelSON8=
 github.com/cs3org/reva/v2 v2.19.2-0.20240604132648-408bb6433068/go.mod h1:lKqw0VuP1NcZbhj0e6tGoAGq3tgWO/pLafVJyDK0yVI=
+github.com/cs3org/reva/v2 v2.19.2-0.20240606075653-a7a1d2d2dace h1:zK+0QyrqRBwdRthUbXTyDhxZIMZlNJPzGr0+bmyU++0=
+github.com/cs3org/reva/v2 v2.19.2-0.20240606075653-a7a1d2d2dace/go.mod h1:lKqw0VuP1NcZbhj0e6tGoAGq3tgWO/pLafVJyDK0yVI=
 github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4=
 github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
 github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=

vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/get.go

@@ -131,7 +131,19 @@ func (s *svc) handleGet(ctx context.Context, w http.ResponseWriter, r *http.Requ
 	}
 	defer httpRes.Body.Close()
 
-	copyHeader(w.Header(), httpRes.Header)
+	// copy only the headers relevant for the content served by the datagateway
+	// more headers are already present from the GET request
+	copyHeader(w.Header(), httpRes.Header, net.HeaderContentType)
+	copyHeader(w.Header(), httpRes.Header, net.HeaderContentLength)
+	copyHeader(w.Header(), httpRes.Header, net.HeaderContentRange)
+	copyHeader(w.Header(), httpRes.Header, net.HeaderOCFileID)
+	copyHeader(w.Header(), httpRes.Header, net.HeaderOCETag)
+	copyHeader(w.Header(), httpRes.Header, net.HeaderOCChecksum)
+	copyHeader(w.Header(), httpRes.Header, net.HeaderETag)
+	copyHeader(w.Header(), httpRes.Header, net.HeaderLastModified)
+	copyHeader(w.Header(), httpRes.Header, net.HeaderAcceptRanges)
+	copyHeader(w.Header(), httpRes.Header, net.HeaderContentDisposistion)
+
 	w.WriteHeader(httpRes.StatusCode)
 
 	if httpRes.StatusCode != http.StatusOK && httpRes.StatusCode != http.StatusPartialContent {
@@ -156,11 +168,9 @@ func (s *svc) handleGet(ctx context.Context, w http.ResponseWriter, r *http.Requ
 	// TODO we need to send the If-Match etag in the GET to the datagateway to prevent race conditions between stating and reading the file
 }
 
-func copyHeader(dst, src http.Header) {
-	for key, values := range src {
-		for i := range values {
-			dst.Add(key, values[i])
-		}
+func copyHeader(dist, src http.Header, header string) {
+	if src.Get(header) != "" {
+		dist.Set(header, src.Get(header))
 	}
 }
 

vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/ocdav.go

@@ -165,8 +165,6 @@ func (s *svc) Handler() http.Handler {
 		ctx := r.Context()
 		log := appctx.GetLogger(ctx)
 
-		addAccessHeaders(w, r)
-
 		// TODO(jfd): do we need this?
 		// fake litmus testing for empty namespace: see https://github.com/golang/net/blob/e514e69ffb8bc3c76a71ae40de0118d794855992/webdav/litmus_test_server.go#L58-L89
 		if r.Header.Get(net.HeaderLitmus) == "props: 3 (propfind_invalid2)" {
@@ -284,28 +282,6 @@ func (s *svc) ApplyLayout(ctx context.Context, ns string, useLoggedInUserNS bool
 	return templates.WithUser(u, ns), requestPath, nil
 }
 
-func addAccessHeaders(w http.ResponseWriter, r *http.Request) {
-	headers := w.Header()
-	// all resources served via the DAV endpoint should have the strictest possible as default
-	headers.Set("Content-Security-Policy", "default-src 'none';")
-	// disable sniffing the content type for IE
-	headers.Set("X-Content-Type-Options", "nosniff")
-	// https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
-	headers.Set("X-Download-Options", "noopen")
-	// Disallow iFraming from other domains
-	headers.Set("X-Frame-Options", "SAMEORIGIN")
-	// https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
-	headers.Set("X-Permitted-Cross-Domain-Policies", "none")
-	// https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
-	headers.Set("X-Robots-Tag", "none")
-	// enforce browser based XSS filters
-	headers.Set("X-XSS-Protection", "1; mode=block")
-
-	if r.TLS != nil {
-		headers.Set("Strict-Transport-Security", "max-age=63072000")
-	}
-}
-
 func authContextForUser(client gateway.GatewayAPIClient, userID *userpb.UserId, machineAuthAPIKey string) (context.Context, error) {
 	if machineAuthAPIKey == "" {
 		return nil, errtypes.NotSupported("machine auth not configured")

vendor/modules.txt

@@ -366,7 +366,7 @@ github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1
 github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1
 github.com/cs3org/go-cs3apis/cs3/tx/v1beta1
 github.com/cs3org/go-cs3apis/cs3/types/v1beta1
-# github.com/cs3org/reva/v2 v2.19.2-0.20240604132648-408bb6433068
+# github.com/cs3org/reva/v2 v2.19.2-0.20240606075653-a7a1d2d2dace
 ## explicit; go 1.21
 github.com/cs3org/reva/v2/cmd/revad/internal/grace
 github.com/cs3org/reva/v2/cmd/revad/runtime