Skip to content

Security/docs: audit log rotation disabled by default; CONFIG.md contradicts the actual default (SUF-06) #332

Description

@devondragon

Summary

Audit logging is enabled by default, but log rotation ships disabled (user.audit.maxFileSizeMb=0), so the audit file can grow without bound. An anonymous, record-generating endpoint amplifies this. Separately, CONFIG.md documents the opposite of the actual default.

Severity: Medium (arguably Low-Medium for disk exhaustion; the doc contradiction should be fixed regardless)

Affected code

  • src/main/resources/config/dsspringuserconfig.properties:32user.audit.maxFileSizeMb=0 (rotation disabled by default).
  • src/main/java/com/digitalsanctuary/spring/user/audit/AuditConfig.java:74 — field default 0.
  • src/main/java/com/digitalsanctuary/spring/user/audit/FileAuditLogWriter.java:298rotateIfNeeded() early-returns when maxFileSizeBytes <= 0, so rotation never runs.
  • src/main/java/com/digitalsanctuary/spring/user/controller/UserActionController.java:79 — publishes an audit event before the token-validity branch (invalid tokens still log) and calls request.getSession() (mints an HttpSession per anonymous request).
  • CONFIG.md:43 — states rotation "Defaults to 10" and is "enabled by default", contradicting the actual 0/disabled default (which the properties file and AuditConfig Javadoc document correctly).

Details

With rotation off by default and audit on by default, a sustained stream of anonymous requests to a record-generating endpoint grows the audit file until disk/quota exhaustion (CWE-400). The per-anonymous-request getSession() also accumulates server-side session state. Records are small, so disk exhaustion requires high volume — but there is no rate limiting on the path, and the CONFIG.md claim actively misleads operators into believing a rotation safety net is active.

Recommended fix

  • Ship a positive bounded default for maxFileSizeMb with a bounded archive count (or, at minimum, correct the documentation to match the real default).
  • Avoid creating a new HttpSession solely to audit an anonymous invalid-token request.
  • Consider rate-limiting anonymous invalid-token probes and other anonymous account-lifecycle endpoints.
  • Correct CONFIG.md:43 regardless of the rotation-default decision.
  • If retention limits are enabled, ensure GDPR/audit queries still span archived files (or use an external append-only sink).

Identified during a code-first security assessment of the current main branch.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingdocumentationImprovements or additions to documentationsecurity

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions