From df63835e461a3ad2e61360fda04217ab3c34943a Mon Sep 17 00:00:00 2001 From: Markus Strehle <11627201+strehle@users.noreply.github.com> Date: Thu, 18 Jul 2024 19:16:44 +0200 Subject: [PATCH 1/6] Update Gemfile.lock fix for ttps://github.com/cloudfoundry/uaa/security/dependabot/68 --- uaa/slate/Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/uaa/slate/Gemfile.lock b/uaa/slate/Gemfile.lock index 5689b74be00..58c79e5e39d 100644 --- a/uaa/slate/Gemfile.lock +++ b/uaa/slate/Gemfile.lock @@ -102,7 +102,7 @@ GEM rb-inotify (0.10.1) ffi (~> 1.0) redcarpet (3.6.0) - rexml (3.2.8) + rexml (3.3.2) strscan (>= 3.0.9) rouge (3.30.0) sass (3.7.4) From 92044ec1781fe5135d103ba8d1b669ad7e08f248 Mon Sep 17 00:00:00 2001 From: d036670 Date: Thu, 18 Jul 2024 19:27:23 +0200 Subject: [PATCH 2/6] fixed with bundle update rexml --- uaa/slate/Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/uaa/slate/Gemfile.lock b/uaa/slate/Gemfile.lock index 58c79e5e39d..79c725bbd23 100644 --- a/uaa/slate/Gemfile.lock +++ b/uaa/slate/Gemfile.lock @@ -103,7 +103,7 @@ GEM ffi (~> 1.0) redcarpet (3.6.0) rexml (3.3.2) - strscan (>= 3.0.9) + strscan rouge (3.30.0) sass (3.7.4) sass-listen (~> 4.0.0) From 0a28b5c5aa33c68a5cdb20f23812d5187135b4a8 Mon Sep 17 00:00:00 2001 From: Markus Strehle <11627201+strehle@users.noreply.github.com> Date: Fri, 19 Jul 2024 23:50:22 +0200 Subject: [PATCH 3/6] Sonar fix (#2954) https://sonarcloud.io/project/issues?issueStatuses=OPEN%2CCONFIRMED&types=VULNERABILITY&severities=BLOCKER%2CCRITICAL%2CMAJOR%2CMINOR&inNewCodePeriod=true&sinceLeakPeriod=true&id=cloudfoundry-identity-parent Change this code to not log user-controlled data. --- .../identity/uaa/logging/SanitizedLogFactory.java | 6 ++++++ .../identity/uaa/zone/IdentityZoneEndpoints.java | 5 ++--- .../identity/uaa/logging/SanitizedLogFactoryTest.java | 2 ++ 3 files changed, 10 insertions(+), 3 deletions(-) 
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/logging/SanitizedLogFactory.java b/server/src/main/java/org/cloudfoundry/identity/uaa/logging/SanitizedLogFactory.java
index 509d7482f9c..054f818fe2b 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/logging/SanitizedLogFactory.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/logging/SanitizedLogFactory.java
@@ -55,6 +55,12 @@ public void debug(String message) {
         }
     }
 
+    public void debug(String message, Object... params) {
+        if (fallback.isDebugEnabled()) {
+            fallback.debug(LogSanitizerUtil.sanitize(message), params);
+        }
+    }
+
     public void debug(String message, Throwable t) {
         if (fallback.isDebugEnabled()) {
             fallback.debug(LogSanitizerUtil.sanitize(message), t);
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/zone/IdentityZoneEndpoints.java b/server/src/main/java/org/cloudfoundry/identity/uaa/zone/IdentityZoneEndpoints.java
index 21ebc8ada1f..212380547d9 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/zone/IdentityZoneEndpoints.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/zone/IdentityZoneEndpoints.java
@@ -5,6 +5,7 @@
 import org.cloudfoundry.identity.uaa.client.UaaClientDetails;
 import org.cloudfoundry.identity.uaa.constants.OriginKeys;
 import org.cloudfoundry.identity.uaa.error.UaaException;
+import org.cloudfoundry.identity.uaa.logging.SanitizedLogFactory;
 import org.cloudfoundry.identity.uaa.provider.ClientAlreadyExistsException;
 import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
 import org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning;
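Review bot: The new `debug(String message, Object... params)` overload sanitizes only the format template and forwards `params` untouched, so a caller that uses a constant template such as `ID_SUBDOMAIN_LOGGING = "[{}] subdomain [{}]"` in IdentityZoneEndpoints gets a clean template but the placeholder values, which are presumably the user-controlled data Sonar flagged, reach the underlying logger unsanitized. String arguments should go through `LogSanitizerUtil.sanitize` as well; non-String arguments, including a trailing Throwable that the underlying logger may treat specially, can pass through unchanged, with the caveat that an object whose `toString()` embeds line breaks would still slip past. A sketch of the overload plus a small helper is below; the rest of SanitizedLog lies outside the hunk.
```java
    public void debug(String message, Object... params) {
        if (fallback.isDebugEnabled()) {
            fallback.debug(LogSanitizerUtil.sanitize(message), sanitizeParams(params));
        }
    }

    // Applies the same sanitization to String arguments as to the template, so values
    // substituted into placeholders cannot forge log lines; other argument types
    // (including a trailing Throwable) are passed through unchanged.
    private static Object[] sanitizeParams(Object[] params) {
        if (params == null) {
            return null;
        }
        Object[] clean = new Object[params.length];
        for (int i = 0; i < params.length; i++) {
            Object p = params[i];
            clean[i] = p instanceof String ? LogSanitizerUtil.sanitize((String) p) : p;
        }
        return clean;
    }
    // … unchanged: debug(String, Throwable) and the remaining overloads …
```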
@@ -14,8 +15,6 @@
 import org.cloudfoundry.identity.uaa.scim.ScimGroup;
 import org.cloudfoundry.identity.uaa.scim.ScimGroupProvisioning;
 import org.cloudfoundry.identity.uaa.util.UaaStringUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.ApplicationEventPublisherAware;
@@ -64,7 +63,7 @@
 @RequestMapping("/identity-zones")
 public class IdentityZoneEndpoints implements ApplicationEventPublisherAware {
 
-    private static final Logger logger = LoggerFactory.getLogger(IdentityZoneEndpoints.class);
+    private static final SanitizedLogFactory.SanitizedLog logger = SanitizedLogFactory.getLog(IdentityZoneEndpoints.class);
     private static final String ID_SUBDOMAIN_LOGGING = "[{}] subdomain [{}]";
 
     private final IdentityZoneProvisioning zoneDao;
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/logging/SanitizedLogFactoryTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/logging/SanitizedLogFactoryTest.java
index f464c56f936..f1729c03559 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/logging/SanitizedLogFactoryTest.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/logging/SanitizedLogFactoryTest.java
@@ -57,6 +57,8 @@ public void testSanitizeDebug() {
         when(mockLog.isDebugEnabled()).thenReturn(true);
         log.debug(dirtyMessage);
         verify(mockLog).debug(sanitizedMsg);
+        log.debug(dirtyMessage, true);
+        verify(mockLog).debug(sanitizedMsg);
         log.debug(dirtyMessage, ex);
         verify(mockLog).debug(sanitizedMsg, ex);
     }
From e96fac76e47b2208f1fef39108dfa3d862e3f356 Mon Sep 17 00:00:00 2001
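Review bot: In the SanitizedLogFactoryTest hunk the added `verify(mockLog).debug(sanitizedMsg)` re-checks the single-argument overload that the preceding `log.debug(dirtyMessage)` already satisfied, so it passes whether or not the new varargs overload forwards anything, and it would still pass if that overload were deleted. The verification should target the overload the wrapper actually invokes, for example `verify(mockLog).debug(sanitizedMsg, new Object[] {true});`, and it is also the natural place to pin down what happens to the argument itself (a dirty value passed as a parameter, asserting the sanitized form). The IdentityZoneEndpoints hunks only swap the logger's type; any existing `logger.debug(ID_SUBDOMAIN_LOGGING, …)` call sites sit outside these hunks and now bind to the new varargs overload, so their arguments are only as clean as that overload makes them.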
From: Peter Chen Date: Tue, 23 Jul 2024 13:10:50 -0700 Subject: [PATCH 4/6] fix: ErrorRoutingIT test (#2977) * fix: ErrorRoutingIT test failure message - correct the order of actual vs. expected, such that the test failure message is correct - before this commit, the failure message is: ``` java.lang.AssertionError: Check status code from /error429 is 200 expected:<429> but was:<200> ``` which is not correct * fix: ErrorRoutingIT - the test is intended to access /error429 as a browser would and expects a 200 response (due to this request mapping: https://github.com/cloudfoundry/uaa/blob/0a28b5c5aa33c68a5cdb20f23812d5187135b4a8/server/src/main/java/org/cloudfoundry/identity/uaa/home/HomeController.java#L155 and NOT https://github.com/cloudfoundry/uaa/blob/0a28b5c5aa33c68a5cdb20f23812d5187135b4a8/server/src/main/java/org/cloudfoundry/identity/uaa/home/HomeController.java#L144) - however, in some environments where this test is run, the test does not access the /error429 like a browser would (e.g. does not have the request header "Accept: text/html" by default), so explictly adding this header to the test setup to better emulate a browser request --- .../identity/uaa/integration/feature/ErrorRoutingIT.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/ErrorRoutingIT.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/ErrorRoutingIT.java index d687599fb2f..3b55d065033 100644 --- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/ErrorRoutingIT.java +++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/ErrorRoutingIT.java 
@@ -69,9 +69,10 @@ public void testRequestRejectedExceptionErrorPage() throws IOException { private String CallErrorPageAndCheckHttpStatusCode(String errorPath, String method, int codeExpected) throws IOException { HttpURLConnection cn = (HttpURLConnection)new URL(baseUrl + errorPath).openConnection(); cn.setRequestMethod(method); + cn.setRequestProperty("Accept", "text/html"); // connection initiate cn.connect(); - Assert.assertEquals("Check status code from " + errorPath + " is " + codeExpected, cn.getResponseCode(), codeExpected); + Assert.assertEquals("Check status code from " + errorPath + " is " + codeExpected, codeExpected, cn.getResponseCode()); return getResponseBody(cn); } From 686a8b2c9ff38d9f54027c28bab21029f01e489d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Jul 2024 22:11:27 +0200 Subject: [PATCH 5/6] build(deps): bump jasmine-core from 5.1.2 to 5.2.0 in /uaa (#2975) Bumps [jasmine-core](https://github.com/jasmine/jasmine) from 5.1.2 to 5.2.0. - [Release notes](https://github.com/jasmine/jasmine/releases) - [Changelog](https://github.com/jasmine/jasmine/blob/main/RELEASE.md) - [Commits](https://github.com/jasmine/jasmine/compare/v5.1.2...v5.2.0) --- updated-dependencies: - dependency-name: jasmine-core dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- uaa/package-lock.json | 13 ++++++++++--- uaa/package.json | 2 +- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/uaa/package-lock.json b/uaa/package-lock.json index df461139952..3baa3c4085c 100644 --- a/uaa/package-lock.json +++ b/uaa/package-lock.json 
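Review bot: The added `cn.setRequestProperty("Accept", "text/html");` carries none of the reasoning from the commit message into the code, so a reader of the test will not know why the header decides the expected status. A one-line comment above it, `// emulate a browser request: the /error429 mapping in HomeController only renders this page for text/html`, keeps the test self-explanatory and ties the 200 expectation to the mapping it depends on. The swapped `Assert.assertEquals(message, expected, actual)` order is correct and fixes the misleading failure text quoted in the commit message. CallErrorPageAndCheckHttpStatusCode is fully contained in the hunk.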
@@ -204,12 +204,19 @@ "requires": { "glob": "^10.2.2", "jasmine-core": "~5.1.0" + }, + "dependencies": { + "jasmine-core": { + "version": "5.1.2", + "resolved": "https://registry.npmjs.org/jasmine-core/-/jasmine-core-5.1.2.tgz", + "integrity": "sha512-2oIUMGn00FdUiqz6epiiJr7xcFyNYj3rDcfmnzfkBnHyBQ3cBQUs4mmyGsOb7TTLb9kxk7dBcmEmqhDKkBoDyA==" + } } }, "jasmine-core": { - "version": "5.1.2", - "resolved": "https://registry.npmjs.org/jasmine-core/-/jasmine-core-5.1.2.tgz", - "integrity": "sha512-2oIUMGn00FdUiqz6epiiJr7xcFyNYj3rDcfmnzfkBnHyBQ3cBQUs4mmyGsOb7TTLb9kxk7dBcmEmqhDKkBoDyA==" + "version": "5.2.0", + "resolved": "https://registry.npmjs.org/jasmine-core/-/jasmine-core-5.2.0.tgz", + "integrity": "sha512-tSAtdrvWybZkQmmaIoDgnvHG8ORUNw5kEVlO5CvrXj02Jjr9TZrmjFq7FUiOUzJiOP2wLGYT6PgrQgQF4R1xiw==" }, "lru-cache": { "version": "10.0.0", diff --git a/uaa/package.json b/uaa/package.json index d46be4b7a78..d22544f2623 100644 --- a/uaa/package.json +++ b/uaa/package.json @@ -14,6 +14,6 @@ "license": "Apache-2.0", "dependencies": { "jasmine": "^5.1.0", - "jasmine-core": "5.1.2" + "jasmine-core": "5.2.0" } } From fb4ec9fe497e1c61b6517aa76e9df3e73fd4cee1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Jul 2024 23:04:49 +0200 Subject: [PATCH 6/6] build(deps): bump jasmine from 5.1.0 to 5.2.0 in /uaa (#2974) Bumps [jasmine](https://github.com/jasmine/jasmine-npm) from 5.1.0 to 5.2.0. - [Release notes](https://github.com/jasmine/jasmine-npm/releases) - [Changelog](https://github.com/jasmine/jasmine-npm/blob/main/RELEASE.md) - [Commits](https://github.com/jasmine/jasmine-npm/compare/v5.1.0...v5.2.0) --- updated-dependencies: - dependency-name: jasmine dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- uaa/package-lock.json | 79 +++++++++++++++++++++---------------------- uaa/package.json | 2 +- 2 files changed, 40 insertions(+), 41 deletions(-) diff --git a/uaa/package-lock.json b/uaa/package-lock.json index 3baa3c4085c..6e9f0148440 100644 --- a/uaa/package-lock.json +++ b/uaa/package-lock.json @@ -158,24 +158,25 @@ "integrity": "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==" }, "foreground-child": { - "version": "3.1.1", - "resolved": "https://registry.npmjs.org/foreground-child/-/foreground-child-3.1.1.tgz", - "integrity": "sha512-TMKDUnIte6bfb5nWv7V/caI169OHgvwjb7V4WkeUvbQQdjr5rWKqHFiKWb/fcOwB+CzBT+qbWjvj+DVwRskpIg==", + "version": "3.2.1", + "resolved": "https://registry.npmjs.org/foreground-child/-/foreground-child-3.2.1.tgz", + "integrity": "sha512-PXUUyLqrR2XCWICfv6ukppP96sdFwWbNEnfEMt7jNsISjMsvaLNinAHNDYyvkyU+SZG2BTSbT5NjG+vZslfGTA==", "requires": { "cross-spawn": "^7.0.0", "signal-exit": "^4.0.1" } }, "glob": { - "version": "10.3.3", - "resolved": "https://registry.npmjs.org/glob/-/glob-10.3.3.tgz", - "integrity": "sha512-92vPiMb/iqpmEgsOoIDvTjc50wf9CCCvMzsi6W0JLPeUKE8TWP1a73PgqSrqy7iAZxaSD1YdzU7QZR5LF51MJw==", + "version": "10.4.5", + "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.5.tgz", + "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==", "requires": { "foreground-child": "^3.1.0", - "jackspeak": "^2.0.3", - "minimatch": "^9.0.1", - "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0", - "path-scurry": "^1.10.1" + "jackspeak": "^3.1.2", + "minimatch": "^9.0.4", + "minipass": "^7.1.2", + "package-json-from-dist": "^1.0.0", + "path-scurry": "^1.11.1" } }, "is-fullwidth-code-point": { 
@@ -189,28 +190,21 @@ "integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==" }, "jackspeak": { - "version": "2.2.2", - "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-2.2.2.tgz", - "integrity": "sha512-mgNtVv4vUuaKA97yxUHoA3+FkuhtxkjdXEWOyB/N76fjy0FjezEt34oy3epBtvCvS+7DyKwqCFWx/oJLV5+kCg==", + "version": "3.4.3", + "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz", + "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==", "requires": { "@isaacs/cliui": "^8.0.2", "@pkgjs/parseargs": "^0.11.0" } }, "jasmine": { - "version": "5.1.0", - "resolved": "https://registry.npmjs.org/jasmine/-/jasmine-5.1.0.tgz", - "integrity": "sha512-prmJlC1dbLhti4nE4XAPDWmfJesYO15sjGXVp7Cs7Ym5I9Xtwa/hUHxxJXjnpfLO72+ySttA0Ztf8g/RiVnUKw==", + "version": "5.2.0", + "resolved": "https://registry.npmjs.org/jasmine/-/jasmine-5.2.0.tgz", + "integrity": "sha512-il+noV96N1BGU9/FMmc8QtAMxC8lPnXUiAvgb0o9MDZATRdxglTQe9wo6UdL049ropQL6MopDYwDlludKR6wJQ==", "requires": { "glob": "^10.2.2", - "jasmine-core": "~5.1.0" - }, - "dependencies": { - "jasmine-core": { - "version": "5.1.2", - "resolved": "https://registry.npmjs.org/jasmine-core/-/jasmine-core-5.1.2.tgz", - "integrity": "sha512-2oIUMGn00FdUiqz6epiiJr7xcFyNYj3rDcfmnzfkBnHyBQ3cBQUs4mmyGsOb7TTLb9kxk7dBcmEmqhDKkBoDyA==" - } + "jasmine-core": "~5.2.0" } }, "jasmine-core": { 
@@ -219,22 +213,27 @@ "integrity": "sha512-tSAtdrvWybZkQmmaIoDgnvHG8ORUNw5kEVlO5CvrXj02Jjr9TZrmjFq7FUiOUzJiOP2wLGYT6PgrQgQF4R1xiw==" }, "lru-cache": { - "version": "10.0.0", - "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.0.0.tgz", - "integrity": "sha512-svTf/fzsKHffP42sujkO/Rjs37BCIsQVRCeNYIm9WN8rgT7ffoUnRtZCqU+6BqcSBdv8gwJeTz8knJpgACeQMw==" + "version": "10.4.3", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz", + "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==" }, "minimatch": { - "version": "9.0.3", - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.3.tgz", - "integrity": "sha512-RHiac9mvaRw0x3AYRgDC1CxAP7HTcNrrECeA8YYJeWnpo+2Q5CegtZjaotWTWxDG3UeGA1coE05iH1mPjT/2mg==", + "version": "9.0.5", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz", + "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==", "requires": { "brace-expansion": "^2.0.1" } }, "minipass": { - "version": "7.0.2", - "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.0.2.tgz", - "integrity": "sha512-eL79dXrE1q9dBbDCLg7xfn/vl7MS4F1gvJAgjJrQli/jbQWdUttuVawphqpffoIYfRdq78LHx6GP4bU/EQ2ATA==" + "version": "7.1.2", + "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", + "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==" + }, + "package-json-from-dist": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.0.tgz", + "integrity": "sha512-dATvCeZN/8wQsGywez1mzHtTlP22H8OEfPrVMLNr4/eGa+ijtLn/6M5f0dY8UKNrC2O9UCU6SSoG3qRKnt7STw==" }, "path-key": { "version": "3.1.1", 
@@ -242,11 +241,11 @@ "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==" }, "path-scurry": { - "version": "1.10.1", - "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.10.1.tgz", - "integrity": "sha512-MkhCqzzBEpPvxxQ71Md0b1Kk51W01lrYvlMzSUaIzNsODdd7mqhiimSZlr+VegAz5Z6Vzt9Xg2ttE//XBhH3EQ==", + "version": "1.11.1", + "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.11.1.tgz", + "integrity": "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==", "requires": { - "lru-cache": "^9.1.1 || ^10.0.0", + "lru-cache": "^10.2.0", "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" } }, @@ -264,9 +263,9 @@ "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==" }, "signal-exit": { - "version": "4.0.2", - "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.0.2.tgz", - "integrity": "sha512-MY2/qGx4enyjprQnFaZsHib3Yadh3IXyV2C321GY0pjGfVBu4un0uDJkwgdxqO+Rdx8JMT8IfJIRwbYVz3Ob3Q==" + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", + "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==" }, "string-width": { "version": "5.1.2", diff --git a/uaa/package.json b/uaa/package.json index d22544f2623..7535247146f 100644 --- a/uaa/package.json +++ b/uaa/package.json @@ -13,7 +13,7 @@ "author": "CloudFoundry", "license": "Apache-2.0", "dependencies": { - "jasmine": "^5.1.0", + "jasmine": "^5.2.0", "jasmine-core": "5.2.0" } }