feat: add flag to disable logger timer #8789

jgomer2001 · 2024-06-26T13:41:49Z

Prepare

Read PR guidelines
Read license information

Description

Target issue

closes #8788

Implementation Details

Test and Document the changes

Static code analysis has been run locally and issues have been fixed
Relevant unit and integration tests have been added/updated
Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Signed-off-by: jgomer2001 <bonustrack310@gmail.com>

dryrunsecurity · 2024-06-26T13:42:01Z

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Server-Side Request Forgery Analyzer	✅	0 findings
Configured Codepaths Analyzer	✅	0 findings
Secrets Analyzer	✅	0 findings
Authn/Authz Analyzer	✅	0 findings
SQL Injection Analyzer	✅	0 findings
Sensitive Files Analyzer	✅	0 findings
IDOR Analyzer	✅	0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request are focused on the initialization and configuration of the SCIM (System for Cross-domain Identity Management) service in the Janssen Project application. The changes introduce several new configuration options that can have security implications, such as disabling the LoggerService timer, managing custom scripts, and configuring the use of local caching and password validation.

From a security perspective, the changes appear to be mostly security-conscious, with measures taken to protect sensitive configuration data and improve the overall reliability and robustness of the application. However, it's important to ensure that the custom scripts, caching implementation, and password validation process are thoroughly reviewed and monitored to mitigate any potential security risks.

Files Changed:

jans-scim/server/src/main/java/io/jans/scim/service/init/AppInitializer.java:
- The changes introduce a new configuration option to disable the LoggerService timer, which can help reduce the attack surface and potential information leakage.
- The code initializes the CustomScriptManager, which manages custom scripts that can introduce potential security risks if not properly validated and sandboxed.
- The code creates a PersistenceEntryManager instance, which includes decrypting the backend properties to protect sensitive configuration data.
- The code includes error handling and retry logic when creating the PersistenceEntryManager instance, improving the overall reliability and robustness of the application.
jans-scim/model/src/main/java/io/jans/scim/model/conf/AppConfiguration.java:
- A new boolean property, disableLoggerTimer, has been added to the AppConfiguration class, allowing the application to disable the logger refresh timer, which may have implications for log management and monitoring.
- The existing disableJdkLogger property has been modified to allow the application to disable the use of JDK loggers, which may impact the application's logging capabilities and integration with external logging systems.
- The useLocalCache property has been added, which can introduce potential vulnerabilities related to data caching, such as the risk of sensitive data being stored in the cache or the potential for cache poisoning attacks.
- The skipDefinedPasswordValidation property has been added, which can be a security concern as it may allow users to set weak or insecure passwords, increasing the risk of password-related attacks.