You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Static code analysis has been run locally and issues have been fixed
Relevant unit and integration tests have been added/updated
Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.
I confirm that there is no impact on the docs due to the code changes in this PR.
The pull request focuses on improving the security of the ServerUtil class in the Jans Auth Server application by enhancing the prepareForLogs() method to mask sensitive information, such as client_secret and password, and adding a new test case to verify the behavior of the method when dealing with the "password" parameter.
Expand for full summary
Summary:
The code changes in this pull request focus on improving the security of the ServerUtil class in the Jans Auth Server application. The key changes include:
Enhancing the prepareForLogs() method to mask sensitive information, such as client_secret and password, by replacing the values with asterisks (*****) before logging or displaying them. This is a positive security practice that helps prevent the inadvertent exposure of sensitive data.
Adding a new test case to the ServerUtilTest class to verify the behavior of the prepareForLogs() method when dealing with the "password" parameter. This ensures that the security-critical functionality of the method is thoroughly tested and validated, which helps maintain the overall security posture of the application.
Overall, these changes demonstrate a security-conscious approach to application development and are a good step towards improving the security of the Jans Auth Server application.
The prepareForLogs() method has been updated to mask sensitive information, such as client_secret and password, by replacing the values with asterisks (*****) before logging or displaying them.
This change helps prevent the inadvertent exposure of sensitive data, which is an important security measure.
A new test case prepareForLogs_whenCalled_shouldNotHaveClearTextPassword() has been added to verify that the prepareForLogs() method correctly masks the "password" parameter.
This new test case, along with the existing test case for the "client_secret" parameter, helps ensure the security-critical functionality of the prepareForLogs() method is thoroughly tested and validated.
Code Analysis
We ran 9 analyzers against 2 files and 1 analyzer had findings. 8 analyzers had no findings.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
mo-auto
added
comp-jans-auth-server
Description
fix(jans-auth): plaintext passwords logged from TokenRestWebServiceImpl with DEBUG log level
Target issue
closes #8959
Test and Document the changes
Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with
docs:to indicate documentation changes or if the below checklist is not selected.