Summary
Audit logging is enabled by default, but log rotation ships disabled (user.audit.maxFileSizeMb=0), so the audit file can grow without bound. An anonymous, record-generating endpoint amplifies this. Separately, CONFIG.md documents the opposite of the actual default.
Severity: Medium (arguably Low-Medium for disk exhaustion; the doc contradiction should be fixed regardless)
Affected code
src/main/resources/config/dsspringuserconfig.properties:32 — user.audit.maxFileSizeMb=0 (rotation disabled by default).
src/main/java/com/digitalsanctuary/spring/user/audit/AuditConfig.java:74 — field default 0.
src/main/java/com/digitalsanctuary/spring/user/audit/FileAuditLogWriter.java:298 — rotateIfNeeded() early-returns when maxFileSizeBytes <= 0, so rotation never runs.
src/main/java/com/digitalsanctuary/spring/user/controller/UserActionController.java:79 — publishes an audit event before the token-validity branch (invalid tokens still log) and calls request.getSession() (mints an HttpSession per anonymous request).
CONFIG.md:43 — states rotation "Defaults to 10" and is "enabled by default", contradicting the actual 0/disabled default (which the properties file and AuditConfig Javadoc document correctly).
Details
With rotation off by default and audit on by default, a sustained stream of anonymous requests to a record-generating endpoint grows the audit file until disk/quota exhaustion (CWE-400). The per-anonymous-request getSession() also accumulates server-side session state. Records are small, so disk exhaustion requires high volume — but there is no rate limiting on the path, and the CONFIG.md claim actively misleads operators into believing a rotation safety net is active.
Recommended fix
- Ship a positive bounded default for
maxFileSizeMb with a bounded archive count (or, at minimum, correct the documentation to match the real default).
- Avoid creating a new
HttpSession solely to audit an anonymous invalid-token request.
- Consider rate-limiting anonymous invalid-token probes and other anonymous account-lifecycle endpoints.
- Correct
CONFIG.md:43 regardless of the rotation-default decision.
- If retention limits are enabled, ensure GDPR/audit queries still span archived files (or use an external append-only sink).
Identified during a code-first security assessment of the current main branch.
Summary
Audit logging is enabled by default, but log rotation ships disabled (
user.audit.maxFileSizeMb=0), so the audit file can grow without bound. An anonymous, record-generating endpoint amplifies this. Separately,CONFIG.mddocuments the opposite of the actual default.Severity: Medium (arguably Low-Medium for disk exhaustion; the doc contradiction should be fixed regardless)
Affected code
src/main/resources/config/dsspringuserconfig.properties:32—user.audit.maxFileSizeMb=0(rotation disabled by default).src/main/java/com/digitalsanctuary/spring/user/audit/AuditConfig.java:74— field default0.src/main/java/com/digitalsanctuary/spring/user/audit/FileAuditLogWriter.java:298—rotateIfNeeded()early-returns whenmaxFileSizeBytes <= 0, so rotation never runs.src/main/java/com/digitalsanctuary/spring/user/controller/UserActionController.java:79— publishes an audit event before the token-validity branch (invalid tokens still log) and callsrequest.getSession()(mints anHttpSessionper anonymous request).CONFIG.md:43— states rotation "Defaults to10" and is "enabled by default", contradicting the actual0/disabled default (which the properties file andAuditConfigJavadoc document correctly).Details
With rotation off by default and audit on by default, a sustained stream of anonymous requests to a record-generating endpoint grows the audit file until disk/quota exhaustion (CWE-400). The per-anonymous-request
getSession()also accumulates server-side session state. Records are small, so disk exhaustion requires high volume — but there is no rate limiting on the path, and theCONFIG.mdclaim actively misleads operators into believing a rotation safety net is active.Recommended fix
maxFileSizeMbwith a bounded archive count (or, at minimum, correct the documentation to match the real default).HttpSessionsolely to audit an anonymous invalid-token request.CONFIG.md:43regardless of the rotation-default decision.Identified during a code-first security assessment of the current
mainbranch.