
feat(jans-core): store file_name and file_path in separate columns #9398

Merged (6 commits), Sep 6, 2024

Conversation

@yurem (Contributor) commented Sep 6, 2024

closes #9345

  • I confirm that there is no impact on the docs due to the code changes in this PR.


dryrunsecurity bot commented Sep 6, 2024

DryRun Security Summary

The pull request covers various changes to the Jans application, including improvements to asset management, document store management, and schema updates, with a focus on enhancing security and reliability.


Summary:

The code changes in this pull request cover various aspects of the Jans application, including asset management, document store management, and schema updates. The changes focus on improving the handling of file names, file paths, and asset metadata, as well as enhancing the security and reliability of the document store functionality.

Key security-relevant observations include:

  1. Asset Management: The changes in the AssetResource and AssetService classes focus on using the file name as the unique identifier for assets, rather than the display name. This helps to prevent potential issues related to asset name conflicts, which could be a security concern if not properly handled.

  2. Document Store Management: The changes in the DocumentStoreManager and DocumentStore classes introduce improvements to file path handling, secure file operations, and input validation. These changes help to mitigate potential security vulnerabilities, such as directory traversal attacks and race conditions.

  3. Schema Updates: The addition of the jansFilePath attribute in the schema changes could potentially be used to store the path to sensitive files or configuration files. It's important to ensure that access to this attribute and the referenced files is properly controlled and secured.

Overall, the code changes appear to be focused on improving the functionality and security of the Jans application. However, it's essential to thoroughly review the implementation details and ensure that all potential security implications are addressed, such as input validation, access control, error handling, and secure file operations.

Files Changed:

  1. jans-config-api/server/src/main/java/io/jans/configapi/rest/resource/auth/AssetResource.java: The changes focus on using the file name as the unique identifier for assets, which helps to prevent potential asset name conflicts.
  2. jans-core/document-store/src/main/java/io/jans/service/document/store/manager/DocumentStoreManager.java: The changes introduce improvements to file path handling, secure file operations, and input validation to mitigate potential security vulnerabilities.
  3. jans-config-api/server/src/main/java/io/jans/configapi/service/auth/AssetService.java: The changes include various input validation checks, such as file extension validation and service module validation, to enhance the security of the asset management functionality.
  4. jans-core/document-store/src/main/java/io/jans/service/document/store/provider/DocumentStore.java: The changes are minor and do not introduce any obvious security concerns, but the overall security of the application depends on the implementation and usage of the DocumentStore interface.
  5. jans-core/document-store/src/main/java/io/jans/service/document/store/model/Document.java: The changes include the addition of a filePath field, which is an important piece of information from a security perspective and should be properly handled and validated.
  6. jans-core/document-store/src/main/java/io/jans/service/document/store/provider/DBDocumentStoreProvider.java: The changes focus on improving the file path management and document renaming functionality, which are essential for the proper operation of the document store.
  7. jans-config-api/docs/jans-config-api-swagger.yaml: The changes update the Swagger documentation, including updates to the Document and SessionId objects, which could potentially impact security-related aspects of the application.
  8. jans-linux-setup/jans_setup/schema/jans_schema.json: The addition of the jansFilePath attribute in the schema changes could potentially be used to store the path to sensitive files or configuration files, and it's important to ensure that access to this attribute and the referenced files is properly controlled and secured.

Code Analysis

We ran 9 analyzers against 8 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.


@yuremm yuremm enabled auto-merge (squash) September 6, 2024 10:26
@mo-auto mo-auto added labels comp-jans-config-api, comp-jans-core, comp-jans-linux-setup (Component affected by issue or PR) and kind-feature (Issue or PR is a new feature request) Sep 6, 2024

sonarqubecloud bot commented Sep 6, 2024


sonarqubecloud bot commented Sep 6, 2024

@yuremm yuremm merged commit b645f0b into main Sep 6, 2024
11 checks passed
@yuremm yuremm deleted the doc_store_add_path branch September 6, 2024 12:46

sonarqubecloud bot commented Sep 6, 2024

yuriyz pushed a commit that referenced this pull request Nov 7, 2024
…9398)

* feat(jans-core): add jansFilePath to document store

Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>

* feat(jans-core): set filePath and fileName from input path

* feat(config-api): asset mgt changes to store filePath in separate field

Signed-off-by: pujavs <pujas.works@gmail.com>

---------

Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
Signed-off-by: pujavs <pujas.works@gmail.com>
Co-authored-by: pujavs <pujas.works@gmail.com>
Former-commit-id: b645f0b
7 participants