
fix(config-api): date filter fix #10075


Merged
merged 1 commit into from
Nov 7, 2024

Conversation

pujavs
Contributor

@pujavs pujavs commented Nov 7, 2024

Prepare


Description

Target issue

closes #9896

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Signed-off-by: pujavs <pujas.works@gmail.com>
@pujavs pujavs requested a review from devrimyatar November 7, 2024 06:31
@pujavs pujavs requested review from yuriyz and yurem as code owners November 7, 2024 06:31

dryrunsecurity bot commented Nov 7, 2024

DryRun Security Summary

The pull request focuses on improving date/time parsing and filtering in the DataUtil class, while also modifying the access control permissions for the PatchRequest schema, which raises security concerns related to potential privilege escalation vulnerabilities.


Summary:

The code changes in this pull request focus on improving the date/time parsing and filtering functionality in the DataUtil class, as well as modifying the access control permissions for the PatchRequest schema.

The changes to the DataUtil class enhance the getIso8601Date() method to handle a wider range of date/time formats more robustly, and the createDateFilter() method has been updated to better handle date-only filters. These improvements help ensure the reliable and secure handling of date/time data, which is crucial for preventing potential security vulnerabilities.

The changes to the PatchRequest schema, however, raise some security concerns. Allowing admin users to edit a resource they cannot view could potentially lead to privilege escalation vulnerabilities, which would violate the principle of least privilege. Additionally, it is important to ensure that any changes made to the resource, especially by privileged users, are properly logged and audited to detect and investigate any unauthorized or malicious activities.

Files Changed:

  1. jans-config-api/shared/src/main/java/io/jans/configapi/core/util/DataUtil.java:

    • The getIso8601Date() method has been enhanced to handle a wider range of date/time formats, including various ISO 8601 formats.
    • The createDateFilter() method has been updated to better handle date-only filters, creating an AND filter that checks for the date range from the start of the day to the end of the day.
    • The getIso8601Date() method now throws an InvalidAttributeException if the input date/time string does not match the expected formats.
  2. jans-config-api/docs/jans-config-api-swagger.yaml:

    • The adminCanEdit property in the PatchRequest schema is being changed to true.
    • The adminCanView property in the PatchRequest schema is being changed to false.
    • This change could potentially lead to privilege escalation vulnerabilities and violate the principle of least privilege. It is important to ensure that proper logging and auditing mechanisms are in place to detect and investigate any unauthorized or malicious activities.

Code Analysis

We ran 9 analyzers against 2 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

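An added illustration of the date-only filter behaviour the summary above describes; this is not the project's DataUtil code, and the class, record and exception names are hypothetical stand-ins for the jans-config-api types:

```java
import java.time.LocalDate;
import java.time.LocalDateTime;
import java.time.OffsetDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeParseException;
import java.util.List;

// Hypothetical stand-in for a config-api search filter: a conjunction of
// attribute comparisons derived from one ISO 8601 user-supplied string.
public final class DateFilterExample {

    public record Clause(String attribute, String op, OffsetDateTime value) {}

    // Hypothetical stand-in for the project's InvalidAttributeException.
    public static final class InvalidAttributeException extends RuntimeException {
        InvalidAttributeException(String msg) { super(msg); }
    }

    /** Builds the clauses for a query on a timestamp attribute. */
    public static List<Clause> createDateFilter(String attribute, String input) {
        // A full timestamp with an offset compares directly.
        try {
            return List.of(new Clause(attribute, "=", OffsetDateTime.parse(input)));
        } catch (DateTimeParseException ignored) { }
        // A timestamp without an offset is treated as UTC (assumption made here).
        try {
            LocalDateTime local = LocalDateTime.parse(input);
            return List.of(new Clause(attribute, "=", local.atOffset(ZoneOffset.UTC)));
        } catch (DateTimeParseException ignored) { }
        // A date-only value never equals a stored timestamp, so it becomes an AND of
        // two bounds covering that whole day (inclusive start, exclusive next midnight).
        try {
            LocalDate day = LocalDate.parse(input);
            OffsetDateTime start = day.atStartOfDay().atOffset(ZoneOffset.UTC);
            OffsetDateTime end = day.plusDays(1).atStartOfDay().atOffset(ZoneOffset.UTC);
            return List.of(new Clause(attribute, ">=", start), new Clause(attribute, "<", end));
        } catch (DateTimeParseException ignored) { }
        // Anything else is rejected instead of silently matching nothing or everything.
        throw new InvalidAttributeException("Unrecognised ISO 8601 date/time: " + input);
    }

    public static void main(String[] args) {
        System.out.println(createDateFilter("creationDate", "2024-11-07"));
        System.out.println(createDateFilter("creationDate", "2024-11-07T06:31:00Z"));
    }
}
```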

@mo-auto mo-auto added comp-docs Touching folder /docs comp-jans-config-api Component affected by issue or PR kind-bug Issue or PR is a bug in existing functionality labels Nov 7, 2024

sonarqubecloud bot commented Nov 7, 2024

@yuriyz yuriyz merged commit 32ad035 into main Nov 7, 2024
12 checks passed
@yuriyz yuriyz deleted the jans-config-api-9896 branch November 7, 2024 08:46
Successfully merging this pull request may close these issues.

fix(config-api): date filter issue
4 participants