Version: 1.2.0

Release Notes

TLDR

Current Version: 1.2.0

Latest Updates (v1.2.0):

  • Transfer jobs for copying, moving, and renaming files and folder trees
  • Full bilingual support (English and French) across the entire application
  • Tracking metadata written to cloud object metadata on upload
  • API rate limiting per authenticated user
  • Security hardening: CSP, Referrer-Policy, configurable CORS, exception message sanitization

Recent Major Features:

  • v1.1.6: Security fix for CVE-2025-55754, syslog overflow prevention on Azure
  • v1.1.5: Improved transaction management, Ubuntu 24.04
  • v1.1.4: Download multiple files/folders as ZIP, PostgreSQL 16 support
  • v1.1.3: Azure File Share support, file/folder renaming

Product: StorageLink by Thorn Technologies — cloud storage gateway for secure file sharing

Version 1.2.0

Summary

StorageLink 1.2.0 introduces transfer jobs for copying and moving files between folders, adds full bilingual (English/French) support throughout the application, and includes new admin tools for managing identity providers and improved visual indicators for cloud-connected folders.

New Features

  • Transfer jobs (copy and move) — Users can now copy, move, or rename files and entire folder trees directly within the StorageLink portal. Jobs run in the background so users can continue working while transfers complete. A new Jobs page shows all submitted jobs with real-time progress tracking, transfer rates, and status updates. For directory operations, each file is tracked individually as a child job. Jobs can be canceled at any time, and failed operations are automatically retried up to three times before reporting an error. Completed job records are retained for one year before being automatically cleaned up.
  • Bilingual support — Full English and French language support across the admin portal, end-user file browser, and help documentation. The application automatically detects the user's browser language, and users can switch languages manually at any time.
  • Admin language settings — Administrators can configure which languages are available to users and set a default language for the application. When only one language is configured, the language selector is hidden automatically.
  • Configurable OIDC prompt parameter — Administrators can configure the OIDC prompt parameter on each identity provider to control SSO login behavior (e.g., force re-authentication or account selection). The recommended value is auto-suggested for known providers like Google and Microsoft.
  • Identity provider credential error alerts — When SSO credentials expire or become invalid, administrators now see an error indicator on the Identity Provider list and a detailed message on the edit form. End users see a clear error message instead of a generic login failure.
  • Cloud provider folder badges — Cloud-connected folders now display a small provider icon (AWS, Azure, or GCP) on the folder badge, with a tooltip showing the connection name on hover.
  • Tracking metadata — Uploaded files can now carry tracking metadata (correlation ID, username, and remote address) written directly to cloud object metadata on S3, Azure Blob, Azure File Share, and GCP. This enables tracing individual file operations back to the user and session that performed them. Tracking metadata is preserved through copy/move operations and is visible to admin users in the file detail API response. Each metadata field can be independently enabled via application properties. Correlation IDs are also propagated to audit log entries.
  • API rate limiting — Per-user API rate limiting protects against abuse and runaway automation. Authenticated users are limited to a configurable number of requests per second. Exceeding the limit returns HTTP 429 with a Retry-After header. Unauthenticated requests are not rate-limited. Set to 0 to disable.
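
For scripts and automation that call the API, the 429 behaviour described above implies a retry loop that waits for the interval the server advertises. The sketch below is an added example, not StorageLink code: `send`, `retry_after_seconds` and `call_with_backoff` are hypothetical names, and it accepts both Retry-After forms HTTP allows (seconds or an HTTP-date) because the release notes do not say which one the server sends.

```python
import email.utils
import time
from datetime import datetime, timezone


def retry_after_seconds(value, now=None, cap=60.0):
    """Turn a Retry-After value into seconds to wait, clamped to [0, cap].

    Returns None when the header is absent or unparseable.
    """
    if value is None:
        return None
    value = value.strip()
    if value.isascii() and value.isdigit():          # delta-seconds form
        return min(float(value), cap)
    try:                                             # HTTP-date form
        when = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return min(max((when - now).total_seconds(), 0.0), cap)


def call_with_backoff(send, max_attempts=4, sleep=time.sleep, fallback=1.0):
    """Call send() until it stops returning 429 or attempts run out.

    send is a caller-supplied (hypothetical) function returning
    (status_code, headers_dict). Only 429 is retried; any other status,
    including errors, is returned to the caller unchanged.
    Returns (final_status, attempts_used).
    """
    for attempt in range(1, max_attempts + 1):
        status, headers = send()
        if status != 429:
            return status, attempt
        if attempt < max_attempts:
            lowered = {k.lower(): v for k, v in headers.items()}
            wait = retry_after_seconds(lowered.get("retry-after"))
            # No usable header: fall back to a linearly growing delay.
            sleep(fallback * attempt if wait is None else wait)
    return 429, max_attempts


def demo():
    """Constructed exchange: two throttled responses, then success."""
    replies = iter([(429, {"Retry-After": "1"}), (429, {}), (200, {})])
    waits = []
    result = call_with_backoff(lambda: next(replies), sleep=waits.append)
    return result, waits
```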

Improvements to existing features

  • Contextual help documentation is now automatically displayed on form pages at larger screen sizes
  • Backup import now supports single-click import and drag-and-drop for backup files
  • An audit log entry is now recorded when a file upload begins, in addition to the existing entry when it completes
  • File sizes, dates, and content type descriptions are now displayed in the user's selected language
  • SSO error messages are now displayed in the user's configured language instead of the server's locale
  • Improved retry handling for Google Cloud Storage operations
  • Improved cloud storage connection pool management for higher throughput during concurrent transfers
  • AWS S3 connectivity test now validates KMS key accessibility and enabled status when SSE-KMS encryption is configured, and verifies kms:GenerateDataKey and kms:Decrypt permissions via a write-then-read test
  • File upload success and error messages are now translated into all supported languages

Security hardening

  • Content Security Policy — Added a CSP meta tag to the admin UI restricting script sources, frame ancestors, and other resource origins
  • Referrer-Policy header — Added Strict-Origin-When-Cross-Origin referrer policy to API responses
  • Configurable CORS origin — CORS allowed origin is now configurable via application properties instead of permitting all origins unconditionally
  • Exception message sanitization — API error responses no longer expose raw exception messages for DataIntegrityViolationException, BadCredentialsException, JwtException, IOException, and NotFoundException. Messages are replaced with generic i18n-safe strings to prevent leaking database schema or internal details
  • Internationalized error messages — Hardcoded English exception messages throughout the backend are replaced with MessageService calls, supporting English and French locales
  • Azure connectivity validation — Azure Blob and File Share connectivity tests now validate container/share names before attempting a connection
  • Landing page script removal — Replaced Vue.js CDN dependency in the landing page with vanilla JavaScript, eliminating an external script dependency
  • Dependency vulnerability fixes — Upgraded flatted to 3.4.2 (CVE-2026-32141, CVE-2026-33228) and cloud-sql-proxy now auto-upgrades to the latest v2.x at image build time (CVE-2026-33186)
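
After upgrading, an operator can confirm that the header and CSP changes listed above are actually visible from outside the deployment. The check below is an added example, not part of StorageLink: the function names, finding labels and sample values are constructed, and it takes API response headers and admin UI HTML that were fetched with an unrelated `Origin` header (`probe_origin`). It also flags directives that browsers ignore when CSP is delivered in a meta element, which need to be sent as a response header to take effect.

```python
from html.parser import HTMLParser

# Directives browsers ignore when the policy arrives in a <meta> element
# (CSP Level 3); they only take effect when sent as a response header.
META_IGNORED = {"frame-ancestors", "report-uri", "sandbox"}

class MetaCspCollector(HTMLParser):
    """Collect the content of each <meta http-equiv="Content-Security-Policy">."""
    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "meta" and (attr.get("http-equiv") or "").lower() == "content-security-policy":
            self.policies.append(attr.get("content") or "")

def directives(policy):
    """Split a CSP string into {directive-name: [source expressions]}."""
    parsed = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            parsed.setdefault(tokens[0].lower(), tokens[1:])
    return parsed

def audit(headers, html, probe_origin):
    """Findings for API response headers plus admin UI HTML. probe_origin is
    the unrelated Origin value that was sent with the request."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if h.get("referrer-policy", "").lower() != "strict-origin-when-cross-origin":
        findings.append("referrer-policy")
    if h.get("access-control-allow-origin") in ("*", probe_origin):
        findings.append("cors-open")            # any origin, or the probe was echoed
    if any(ch.isdigit() for ch in h.get("server", "")):
        findings.append("server-version")       # heuristic: digits suggest a version
    collector = MetaCspCollector()
    collector.feed(html)
    header_csp = directives(h.get("content-security-policy", ""))
    if not collector.policies and not header_csp:
        findings.append("csp-missing")
    for policy in collector.policies:
        for name in directives(policy):
            if name in META_IGNORED and name not in header_csp:
                findings.append("meta-only:" + name)
    return findings

# Constructed samples, not captured from a real StorageLink deployment.
SAMPLE_HTML = ('<head><meta http-equiv="Content-Security-Policy" content="'
               "default-src 'self'; script-src 'self'; frame-ancestors 'none'"
               '"></head>')
WEAK = {"Server": "ExampleServer/1.2.3", "Access-Control-Allow-Origin": "https://probe.example"}
HARDENED = {"Referrer-Policy": "strict-origin-when-cross-origin",
            "Access-Control-Allow-Origin": "https://files.example.com",
            "Content-Security-Policy": "frame-ancestors 'none'"}
```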

Bug fixes

  • Fixed an issue where password validation requirements were not displayed when the application is deployed behind a Web Application Firewall (WAF)
  • Fixed an issue where the root folder's cloud provider could not be changed after the initial automatic selection
  • Fixed Google Cloud Operations logging severity levels and timestamp formatting
  • Fixed Azure container name validation to allow names that start with numbers
  • Fixed a connection leak in S3 cloud storage clients during transfer operations
  • Fixed a streaming deadlock that could occur during large S3 file transfers
  • Fixed optimistic lock contention when multiple transfer jobs updated progress simultaneously
  • Suppressed the web server version from HTTP response headers
  • Fixed OIDC login failure when identity providers return custom numeric claims (e.g., auth_time as Long) that were rejected by the Jackson deserialization allowlist
  • Fixed leading and trailing whitespace in cloud connection base prefix being silently accepted, which caused path resolution failures
  • Fixed a console error triggered by an expected 404 response when checking the admin configuration endpoint during authentication
  • Fixed Select N+1 query performance issues in user and folder domain queries by adding @EntityGraph annotations and scalar queries
  • Upgraded Spring Boot from 3.5.7 to 3.5.11 and aligned Jackson dependency versions to resolve CVE findings
  • Fixed unclosed streams in backup import, theme upload, and Azure blob paging
  • Fixed HttpURLConnection leak in Azure IMDS metadata queries
  • Fixed GCP Storage clients not being closed on application shutdown — clients are now cached per connection and properly closed by factory shutdown
  • Fixed uncached GCP Storage clients leaking during test-connectivity flow
  • Fixed GCP cache eviction race condition on connection delete
  • Fixed S3 batch delete errors being silently ignored — now logged at WARN level

New Application Properties

API (features.api.*)

| Property | Default | Description |
| --- | --- | --- |
| cors-allowed-origin-pattern | * | CORS allowed origin pattern. Restrict to a specific origin for security-conscious deployments. |
| api-rate-limit-per-second | 200 | Maximum API requests per second per authenticated user. Set to 0 to disable. |

Tracking Metadata (features.file-system.metadata.*)

| Property | Default | Description |
| --- | --- | --- |
| enable-correlation-id | false | Write a unique correlation ID (UUID) to each uploaded file's cloud metadata. |
| enable-username | false | Write the authenticated username to each uploaded file's cloud metadata. |
| enable-remote-address | false | Write the client's remote IP address to each uploaded file's cloud metadata. |

Transfer Jobs (features.transfer-jobs.*)

| Property | Default | Description |
| --- | --- | --- |
| worker-thread-count | 10 | Number of Quartz worker threads for executing transfer jobs concurrently. Also controls the default cloud client HTTP connection pool size (20 × this value). Requires restart. |
| cleanup-interval-hours | 6 | How often the cleanup job runs to remove expired job records. |
| completed-job-retention-days | 365 | Number of days to retain completed job records before automatic cleanup. |
| orphaned-job-retention-days | 1 | Number of days to retain orphaned (stalled) jobs in PENDING or RUNNING status before cleanup. |
| max-retry-count | 3 | Maximum number of automatic retry attempts for failed transfer operations. |
| retry-backoff-millis | 25 | Delay in milliseconds before each retry attempt. |
| transfer-operation-max-retries | 2 | Maximum retries for individual file transfer operations (copy/move). |
| progress-min-bytes-delta | 262144 | Minimum bytes transferred before a progress update is emitted (256 KiB). |
| progress-min-interval-nanos | 250000000 | Minimum time between progress updates in nanoseconds (250 ms). |

Cloud Storage Concurrency (features.file-system.*)

| Property | Default | Description |
| --- | --- | --- |
| s3-max-concurrency | 20 × worker-thread-count (minimum 500) | Maximum concurrent HTTP connections in the S3 async client pool. Values below the minimum are automatically raised with a warning. |
| azure.max-concurrency | 20 × worker-thread-count (minimum 500) | Maximum concurrent HTTP connections for Azure Blob Storage operations. Values below the minimum are automatically raised with a warning. |

Version 1.1.5

Summary

StorageLink 1.1.5 improves transaction management and error handling for a better user experience, especially in higher-volume environments.

Improvements to existing features

  • A database connection is no longer held during API requests, so concurrent downloads or uploads are no longer limited by the number of connections available in the database connection pool.
  • The Upload Progress card has improved performance when there are many simultaneous uploads.
  • The Upload Progress card now indicates an individual file's upload completion or failure immediately instead of waiting for the entire upload to complete.
  • When a user’s role is changed to or from an admin, that user is forced to log back in.
  • Error messages and logging when a file cannot be uploaded or downloaded are improved.
  • Error messages and logging when a user form fails to save are improved.
  • Updates the Ubuntu OS to version 24.04.

Version 1.1.4

Summary

StorageLink v1.1.4 introduces the ability to download multiple files or folders as compressed zip files and enhances Identity Provider control by optionally restricting OIDC login to pre-created StorageLink users. This release adds support for PostgreSQL 16 and includes several bug fixes.

New Features

  • Multiple files can be downloaded as a single zip file.
  • Entire folders including subfolders can be downloaded as zip files.
  • PostgreSQL 16 is now supported.
  • The launch_config.env file has newly supported variables to better support deployments into existing environments and using existing databases.

Improvements to existing features

  • Upload error notification lists are now truncated when long and provide a link to view the full list of files.
  • Identity Provider login can be restricted to users that already exist in StorageLink.
  • File downloads no longer use iframes, providing a better experience across browsers.

Bug fixes

  • Audit log now shows which roles are assigned to a created or updated user.
  • Database passwords with special characters like single-quote are now properly supported.
  • Supplying special characters like / in Azure Cloud Connection storage account names will no longer reset the cloud connection fields.
  • Numbers in the container name field for Blob Storage Connections are supported again.

Version 1.001.03

Summary

StorageLink v1.1.3 introduces the Azure File Share connection, improvements to password policy configuration, better handling of special characters in files and folders, and the ability to rename files and folders.

New Features

  • Azure File Shares are now available for mapping to folders.
  • Folders can be "disconnected" from a cloud storage mapping. Disconnecting a folder will not delete the objects in that cloud storage location.
  • Files and folders can be renamed.

Improvements to existing features

  • Login access token lifetime can now be configured in application properties, with a default of 8 hours:
features.api.access-token-time-to-live-seconds=28800
  • Password policy can be customized in the application properties. Can now set a required number of characters per class, prevent previously used passwords, and prevent usage of passwords from a word file:
password.policy.word-file=classpath:100k-most-used-passwords-NCSC.txt
password.policy.required-upper-count=1
password.policy.required-digit-count=1
password.policy.required-lower-count=1
password.policy.required-special-count=1
password.policy.require-digit=false
password.policy.require-lower=false
password.policy.require-special=false
password.policy.require-upper=false
password.policy.prevent-previously-used-password-count=5
  • Importing users with pbkdf2 encoded passwords is now supported. Can be configured with application properties:
password.encoder.pbkdf2.salt-length=16
password.encoder.pbkdf2.iterations=5000
password.encoder.pbkdf2.secret=
  • Preservation of timestamps for uploaded files can be disabled via application properties:
features.api.preserve-file-timestamp-on-upload-enabled=true
  • Success and error icons added to the Uploaded Files list to make it easier to see which uploads have failed.
  • Folder names can now have any cloud-storage supported character in them.

Bug fixes

  • Folders with "+" and other special characters are now navigable.
  • Deleting all items in a folder will no longer show an error that the folder no longer exists.
  • Paging on the users list now changes the page correctly.
  • Database connection properties tuned to prevent stale database connections.
  • HTTP client interactions with cloud storage tuned to prevent stale cloud storage connections.

Version 1.001.02

Security Updates

  • Upgrades installed version of OpenSSH to overcome regression in CVE-2024-6387

Version 1.001.01

Feature Updates

  • Add configuration to disable admin login and access on a server. This can be used to create a public-facing server that has no admin access. Defaults to:
features.api.admin-enabled=true
  • AWS base image updated from Amazon Linux 2 to Amazon Linux 2023.
  • AWS IMDSv2 now enabled, supported, and required.
  • Improved Load Balancer support to get and act on actual Client IP behind a load balancer.
  • Uploading a file with an extension and then uploading a file with the same name without an extension is now allowed.

Bug Fixes

  • Fixes access to some restricted APIs.

Version 1.001.00

Breaking API Changes

  • The /token/revoke endpoint is replaced with /logout, which does not need the token as a parameter
  • The /login endpoint no longer needs to specify a 'scope' value
  • The OIDC login process now delivers a Single-use token to the front-end when OIDC login completes. The single use token is posted to the /login endpoint as a code parameter with a grant_type of 'urn:ietf:params:oauth:grant-type:single-use-auth' which returns a usable hybrid token. This change was made to ensure possibly leaked token values through query string parameters would not give an attacker access to an account.

Feature Updates

  • Pre-calculate user permissions and cloud connections to improve SFTP user connection speed
  • Add field to Azure Cloud Connections to configure if HNS is enabled or not
  • Increase max memory size for backend Java jar based on memory size of instance
  • Upgrade Google Cloud SQL Proxy to v2 to support PSC to connect to database
  • Remove network calls from instance boot to support starting instances in networks with no egress

Bug Fixes

  • Fix issue with failing to upload files larger than 50GB to AWS
  • Limit OIDC “prompt” query string parameter to Google Identity Providers (fixes OIDC to providers like Ping that do not support that parameter)
  • Correct encoding of slashes in the base prefix for the Resolved Cloud Path for Azure Cloud Connections
  • Ensure no connection errors when uploading more than 500 simultaneous files
  • Pre-calculate user permissions and cloud connections to address bug where having many cloud connections could result in a database timeout
  • Disable password expiration after a year on Linux root account
  • Show and allow navigation to folders that have a blank name
  • Removes automatic determination of HNS enablement on Azure Storage Accounts because it failed when using a System Assigned Identity. HNS is now specified when creating/editing Azure Cloud Connection.
  • Importing a backup file with unsupported characters will now show errors with the line numbers of the unsupported characters

Other

  • Update Java version from 11 to 17
  • Update Spring Security from 5 to 6
  • Update Spring Boot from 2 to 3

Version 1.000.03

Bugs

  • Corrects the code that was preventing the deletion of folders.
  • Conditionally utilize the select_account parameter when interacting with identity providers to enable support for Ping

Version 1.000.02

Security

  • Update SnakeYaml to v2.x to resolve CVE-2022-1471

Features

  • Users that were automatically provisioned by OIDC login will now have a note indicating the provisioning
  • Responsive sizing for file list and buttons to display well on small screens

Bugs

  • Downloading a file name with spaces will no longer replace spaces with +
  • Users that signed in via an Identity Provider will not be presented with the option to change their password
  • Long folder and file names will no longer cause a horizontal scrollbar

Version 1.000.00

Files and Folders

  • Read and write directly to Cloud Storage, using the HTTPS protocol
  • Configure folder permissions with List, Download, Upload and Delete/Overwrite
  • Map a Web User Home Folder to a Cloud Storage location
  • Folder mapping lets you configure a common scenario where an internal Web user has read/write access to external Web users' data, while external users cannot see each other's data

Web accounts

  • Authenticate Web users with passwords or Identity Providers such as Cognito, Azure Active Directory or Google
  • Adds password complexity requirements

Web administration

  • Supports multiple Web Admin accounts
  • Authenticate Web Admins with passwords or Identity Providers such as Cognito, Azure Active Directory or Google
  • Simplifies first-time setup, which can be done entirely from the Web Admin Interface (no command line required)
  • Imports Folders, Users and Settings via a migration process

Security

  • Use instance profile permissions or configure credentials for each Cloud Storage location.

Performance and maintenance

  • Improves performance and scalability through the use of the AWS/Azure/GCS SDK for Java
  • Uses Postgres instead of LDAP, for easier maintenance

Cost

  • Software charge of 8 cents USD per hour
  • 30-day free trial