feat(s3-publishing): Add S3 static publishing support for vanity URLs

[dsilvam]

Summary

This PR carries the same changes as #35643 (originally authored by @riccardoruocco), opened under a different account so CI checks can run.

Proposed Changes

• Add a feature flag, STATIC_PUSH_S3_VANITY_ALIAS_ENABLED, to enable Vanity URL handling for AWS S3 static publishing. When the flag is false, dotCMS behaves exactly as it does today and no Vanity URL alias is generated.
• When the flag is true, publishing a Vanity URL to a static S3 endpoint makes dotCMS resolve the target content, identify the live resource, render or copy it, and write the static clone to the S3 path represented by the Vanity URL.
• This behavior is backed by the s3_vanity_alias table, which acts as an operational snapshot of the Vanity URL state on S3 and stores the aliases that have actually been materialized.
• When a canonical content is republished, dotCMS checks the alias table and refreshes the existing Vanity URL clone if one is already tracked. If no Vanity URL alias exists yet, nothing changes.
• When content is unpublished or removed, dotCMS uses the alias table to remove the corresponding static alias from S3 and keep the bucket aligned with the current state.
• When a Vanity URL is unpublished or updated, dotCMS updates the tracked alias accordingly, so stale S3 keys are not left behind.

Additional Info

The goal of this change is to make Vanity URLs work on static S3 publishing in the same way they already work at runtime on live dotCMS.

The implementation is intentionally opt-in and does not affect existing installations unless STATIC_PUSH_S3_VANITY_ALIAS_ENABLED=true is set.

The s3_vanity_alias table is used as the source of truth for what was actually written to S3, so publish, republish, unpublish, and delete can all behave consistently without depending only on the current live content state.

Closes #35663

[claude]

Claude finished @dsilvam's task in 4m 40s —— View job

---

✅ dotCMS Backend Review Complete

• Load dotCMS conventions
• Get Java diff (3263 lines)
• Spawn 4 specialized sub-agents (Security, Database, Java Standards, REST API)
• Consolidate findings
• Post review comment (#issuecomment-4519434664)
• Submit formal approval review — blocked: PR approvals are disabled for this bot. The findings live in the review comment above; no formal approve/request-changes was submitted.

Summary

Reviewer	Findings
Security	2 × 🟡 Medium
Database	NO_FINDINGS
Java Standards	NO_FINDINGS
REST API	NO_FINDINGS (no REST resources touched)

Findings (full detail in the review comment):

1. 🟡 S3VanityAliasSupport.java — path normalization does not reject .. segments or control chars; content-authored vanity URIs flow into S3 object keys.
2. 🟡 AWSS3Publisher.java:446 — Lucene query built via string concatenation on asset.getAsset(); fragile if identifier ever contains Lucene metacharacters.

No 🔴 Critical or 🟠 High issues — nothing here blocks merging on backend-review grounds.
· Branch: s3-static-push-vanity-url-dsilvam

[semgrep-code-dotcms-test]

Semgrep found 16 CUSTOM_INJECTION-2 findings:

• dotCMS/src/main/java/com/dotmarketing/startup/runonce/Task260408CreateS3VanityAliasTable.java
  • L48-64 - Triage
  • L48-63 - Triage
  • L48-62 - Triage
  • L48-61 - Triage
  • L48-60 - Triage
  • L48-59 - Triage
  • L48-58 - Triage
  • L48-57 - Triage
  • L48-56 - Triage
  • L48-55 - Triage
  • 6 more - Triage

The method identified is susceptible to injection. The input should be validated and properly
escaped.

If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

[claude]

🔍 dotCMS Backend Review

[🟡 Medium] dotCMS/src/enterprise/java/com/dotcms/enterprise/publishing/staticpublishing/S3VanityAliasSupport.java:99-110

normalizeVanityPath / normalizeCanonicalPath reject regex metacharacters and require a leading /, but they do not reject .. segments or non-printable / control characters. The normalized vanity uri is content-authored and flows directly into S3 object keys (via getCompleteFileKey), so a vanity URL like /../../other-app/index.html produces an S3 key bucketRootPrefix/../../other-app/index.html that, while treated literally by S3, lives logically outside the intended prefix and could clobber files belonging to other applications sharing the bucket. URL-encoded variants (%2e%2e) also bypass the current blocklist.

private static final String UNSUPPORTED_CHARS = "*?[](){}|^$\\+";
...
if (!normalized.startsWith(StringPool.FORWARD_SLASH) || containsUnsupportedChars(normalized)) {
    return Optional.empty();
}
return Optional.of(normalized.replaceAll("/{2,}", "/"));

💡 After normalization, split on / and reject any segment equal to .. or .; also reject control / non-printable characters. Consider URL-decoding before validation so %2e%2e cannot bypass the check.

---

[🟡 Medium] dotCMS/src/enterprise/java/com/dotcms/enterprise/publishing/staticpublishing/AWSS3Publisher.java:446

Lucene/ES search query is built via string concatenation of asset.getAsset(). The value comes from the server-side publishing queue so direct exploitation is limited, but identifiers containing Lucene metacharacters (spaces, colons, parentheses, +/-) would either fail to parse or be interpreted as extra clauses — a fragile pattern that should be tightened.

final List<Contentlet> contentlets = contentletAPI.search("+identifier:" + asset.getAsset() + " +live:true",
        0, 0, null, APILocator.getUserAPI().getSystemUser(), false);

💡 Either Lucene-escape the identifier (QueryParser.escape(asset.getAsset())) or, preferably, use a typed lookup such as contentletAPI.findContentletByIdentifierAnyLanguage(asset.getAsset(), true) to avoid query parsing entirely.

---

Next steps

• 🟡 Review and decide whether to harden these inputs — neither is a hard blocker, but both are easy wins
• You can ask me to handle mechanical fixes inline: @claude fix <issue description> in <File.java>
• Every new push triggers a fresh review automatically

[fabrizzio-dotCMS]

canonicalPath.get() without isPresent might result in a NPE

[fabrizzio-dotCMS]

This does not allow changes on the fly.
If you cache in a lazy wrapper, you will have to restart to see it take effect

[fabrizzio-dotCMS]

we're missing a Thread.currentThread().interrupt(); here

[fabrizzio-dotCMS]

This is never called.
its dead code

[fabrizzio-dotCMS]

italian - must be English