feat(jans-core): do log4j reconfigure only on log level change #8802

yurem · 2024-06-27T17:57:20Z

Closes #8803,

Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>

dryrunsecurity · 2024-06-27T17:57:29Z

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Server-Side Request Forgery Analyzer	✅	0 findings
Configured Codepaths Analyzer	✅	0 findings
Secrets Analyzer	✅	0 findings
Authn/Authz Analyzer	✅	0 findings
SQL Injection Analyzer	✅	0 findings
Sensitive Files Analyzer	✅	0 findings
IDOR Analyzer	✅	0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request are related to the LoggerService class in the jans-core module.
The primary purpose of this class is to manage the logging configuration and update the log levels of the
application's loggers. The changes introduce several key features, including injected dependencies,
initialization and timer setup, logging configuration updates, handling of configuration updates,
disabling the JDK logger, and the ability to use an external logger configuration.

From an application security perspective, the most notable aspect of these changes is the handling of
the logging configuration. Proper logging configuration is crucial for security monitoring and incident
response, and the ability to dynamically update the logging configuration can be a valuable feature.
However, it's important to ensure that the logging configuration is properly validated and secured to
prevent potential security issues, such as log injection attacks or sensitive data leakage through the logs.

Files Changed:

jans-core/service/src/main/java/io/jans/service/logger/LoggerService.java: This file contains the
changes related to the LoggerService class. The key changes include:
- Injected dependencies, such as a Logger, TimerEvent event, and LoggerUpdateEvent event.
- Initialization and timer setup to periodically update the logging configuration.
- Methods for updating the logging configuration, handling configuration updates, disabling the JDK logger,
  and setting an external logger configuration.
- Proper handling of the logging configuration to ensure security and flexibility in managing the application's
  logging behavior.

Powered by DryRun Security

mo-auto · 2024-06-27T18:25:45Z

Error: Hi @yurem, You did not reference an open issue in your PR. I attempted to create an issue for you.
Please update that issues' title and body and make sure I correctly referenced it in the above PRs body.