Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: high CPU usage on opening tarp #9390 #9391

Merged
merged 4 commits into from
Sep 9, 2024
Merged

fix: high CPU usage on opening tarp #9390 #9391

merged 4 commits into from
Sep 9, 2024

Conversation

duttarnab
Copy link
Contributor

closes #9390

@duttarnab
fix: high CPU usage on opening tarp #9390
163d69c 
Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>
@dryrunsecurity DryRunSecurity
Copy link

dryrunsecurity bot commented Sep 5, 2024
edited
Loading

DryRun Security Summary

The pull request focuses on improving the handling of data changes and updating the UI based on the data retrieved from the browser's local storage, with a review of potential security vulnerabilities, such as data validation, secure storage, and privilege escalation.

Expand for full summary

Summary:

The code changes in this pull request are focused on improving the handling of data changes and updating the UI based on the data retrieved from the browser's local storage. The changes include introducing state variables to track data changes, conditional rendering of UI components, and notification mechanisms to inform the parent component about data modifications.

From an application security perspective, the changes do not introduce any obvious security vulnerabilities. However, there are a few areas that should be reviewed to ensure the overall security of the application:

  1. Data Validation: Ensure that the data retrieved from the local storage is properly validated and sanitized before being used in the UI components to prevent potential injection attacks, such as Cross-Site Scripting (XSS).
  2. Secure Storage: Verify that the sensitive information stored in the browser's local storage, such as login details, is stored securely and that appropriate access controls are in place to prevent unauthorized access or modification.
  3. Privilege Escalation: Ensure that the extension has the necessary permissions to interact with the browser's local storage and that the data access is limited to only what is required for the application's functionality.

Additionally, the changes in the AuthFlowInputs, RegisterClient, OIDCClients, and UserDetails components also introduce security-relevant aspects that should be reviewed, such as handling of additional parameters, ACR values, token storage, and sensitive data display.

Files Changed:

  1. demos/jans-tarp/src/options/options.tsx: The changes focus on improving the handling of data changes and updating the UI based on the data retrieved from the browser's local storage.
  2. demos/jans-tarp/src/options/authFlowInputs.tsx: The changes introduce a new prop notifyOnDataChange and handle the OAuth 2.0 authorization code grant type, which should be reviewed for potential security issues.
  3. demos/jans-tarp/src/options/registerClient.tsx: The changes focus on the OIDC client registration process, including logging, issuer validation, and storing client information, which are critical for the application's security.
  4. demos/jans-tarp/src/options/oidcClients.tsx: The changes are related to the OIDC Clients functionality, including deleting OIDC clients and triggering the authentication flow, which should be reviewed for security implications.
  5. demos/jans-tarp/src/options/userDetails.tsx: The changes handle the display of sensitive user data, such as access tokens and ID tokens, which should be reviewed to ensure proper data handling and security.

Code Analysis

We ran 9 analyzers against 5 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

@mo-auto mo-auto added the kind-bug Issue or PR is a bug in existing functionality label Sep 5, 2024
@mjatin-dev mjatin-dev self-requested a review September 6, 2024 02:42
mjatin-dev
mjatin-dev reviewed Sep 6, 2024
View reviewed changes
@duttarnab
feat: resolving review comments
2b6bc83 
Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>
@duttarnab
feat: correct comments
0dd943f 
Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>
@duttarnab duttarnab requested a review from mjatin-dev September 6, 2024 07:55
@moabu moabu merged commit c49be90 into main Sep 9, 2024
11 checks passed
@moabu moabu deleted the jans-tarp-issue-9390 branch September 9, 2024 03:28
yuriyz pushed a commit that referenced this pull request Nov 7, 2024
@duttarnab
fix: high CPU usage on opening tarp #9390 (#9391)
b3e56bd 
* fix: high CPU usage on opening tarp #9390

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>

* feat: resolving review comments

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>

* feat: correct comments

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>

---------

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>
Former-commit-id: c49be90
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mjatin-dev mjatin-dev mjatin-dev approved these changes

@moabu moabu moabu approved these changes

Assignees
No one assigned
Labels
kind-bug Issue or PR is a bug in existing functionality
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

fix(jans-tarp): high CPU usage on opening tarp
4 participants
@duttarnab @mjatin-dev @moabu @mo-auto