8000 feat(jans-auth): fix schema endpoint by yurem · Pull Request #8687 · JanssenProject/jans · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

feat(jans-auth): fix schema endpoint #8687

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 10, 2024
Merged

feat(jans-auth): fix schema endpoint #8687

merged 1 commit into from
Jun 10, 2024

Conversation

yurem
Copy link
Contributor
@yurem yurem commented Jun 10, 2024
edited by mo-auto
Loading

closes #8671

Closes #8688,

@yurem
feat(jans-auth): fix schema endpoint
7daa3f3 
Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
@yurem yurem requested a review from yuremm June 10, 2024 13:53
@dryrunsecurity DryRunSecurity
Copy link
dryrunsecurity bot commented Jun 10, 2024
edited
Loading

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
AppSec Analyzer 0 findings
Configured Codepaths Analyzer 0 findings
Secrets Analyzer 0 findings
IDOR Analyzer 0 findings
Sensitive Files Analyzer 0 findings
Authn/Authz Analyzer 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request appear to be focused on improving the clarity and consistency of the responses from the ConfigRestWebServiceImpl and ConfigRestWebService classes, which handle various REST API requests related to configuration, issuers, schemas, and policies. The changes do not introduce any obvious security vulnerabilities, and the code is following good security practices, such as setting appropriate cache control headers and using standard Java EE annotations and context parameters.

While the changes seem to be primarily focused on enhancing the API responses, it's important to review the actual implementation of these endpoints to ensure that proper input validation, access control, and other security best practices are followed. As an application security engineer, I would recommend reviewing the rest of the codebase and the overall security architecture to identify any potential vulnerabilities or areas for improvement.

Files Changed:

  1. jans-lock/lock-master/service/src/main/java/io/jans/lock/service/ws/rs/config/ConfigRestWebServiceImpl.java:

    • The response entities for different request types have been updated to include more descriptive status values.
    • The order of the processSchemaRequest and processPolicyRequest methods has been rearranged.
    • The code is using the ServerUtil.cacheControlWithNoStoreTransformAndPrivate() method and setting the PRAGMA header to NO_CACHE to prevent caching of sensitive information in the responses.

  2. jans-lock/lock-master/service/src/main/java/io/jans/lock/service/ws/rs/config/ConfigRestWebService.java:

    • The order of the /config/policy and /config/schema endpoints has been swapped.
    • The code is using standard Java EE annotations to define the REST API endpoints, which is a secure and recommended approach.
    • The endpoints are using the GET HTTP method, which is appropriate for read-only operations, and returning JSON responses, which is a common and secure format for API communication.
    • The method signatures are using standard Java EE context parameters, which allows the implementation to access relevant request and security information.

Powered by DryRun Security

@mo-auto mo-auto added the kind-feature Issue or PR is a new feature request label Jun 10, 2024
@mo-auto
Copy link
Member
mo-auto commented Jun 10, 2024

Error: Hi @yurem, You did not reference an open issue in your PR. I attempted to create an issue for you.
Please update that issues' title and body and make sure I correctly referenced it in the above PRs body.

@mo-auto mo-auto mentioned this pull request Jun 10, 2024
Closed
@yuremm yuremm enabled auto-merge (squash) June 10, 2024 13:54
@yuremm yuremm merged commit f4aca13 into main Jun 10, 2024
8 checks passed
@yuremm yuremm deleted the issue_8671 branch June 10, 2024 14:02
yuriyz pushed a commit that referenced this pull request Nov 7, 2024
@yurem
feat(jans-auth): fix schema endpoint (#8687)
fd73d9e 
Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
Former-commit-id: f4aca13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yuriyz yuriyz yuriyz approved these changes

@yuremm yuremm yuremm approved these changes

Assignees
No one assigned
Labels
kind-feature Issue or PR is a new feature request
Projects
None yet
Milestone
No milestone
4 participants
@yurem @mo-auto @yuriyz @yuremm
0