Commit 19f8704

committed
Fixed some mitigated files not detected. #197
1 parent 7427988 commit 19f8704

1 file changed

+58
-27
lines changed

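--- a/src/main/java/com/logpresso/scanner/Detector.java
+++ b/src/main/java/com/logpresso/scanner/Detector.java
@@ -37,11 +37,14 @@ public class Detector {
 	private static final String LOG4J_12_CORE_POM_PROPS = "META-INF/maven/log4j/log4j/pom.properties";
 	private static final String LOG4J_12_JMSAPPENDER = "org/apache/log4j/net/JMSAppender.class";
 	private static final String LOG4J_12_JMSAPPENDER_SHADE_PATH = "/log4j/net/JMSAppender.class";
+	private static final String LOG4J_12_JMSSINK = "org/apache/log4j/net/JMSSink.class";
+	private static final String LOG4J_12_JMSSINK_SHADE_PATH = "/log4j/net/JMSSink.class";
 
 	// CVE-2021-42550 (published at 2021-12-16): vulnerable if version <= 1.2.7
 	// logback 1.2.9 moved JNDIUtil.class to core package
 	private static final String LOGBACK_CLASSIC_POM_PROPS = "META-INF/maven/ch.qos.logback/logback-classic/pom.properties";
 	private static final String LOGBACK_JNDI_CLASS_PATH = "ch/qos/logback/classic/util/JNDIUtil.class";
+	private static final String LOGBACK_ENV_CLASS_PATH = "ch/qos/logback/classic/util/EnvUtil.class";
 
 	private Configuration config;
 
@@ -202,9 +205,11 @@ private DetectResult scanStream(File jarFile, ZipFileIterator it, List<String> p
 
 		// log4j1 class
 		boolean foundJmsAppender = false;
+		boolean foundJmsSink = false;
 
 		// logback class
 		boolean foundJndiUtil = false;
+		boolean foundEnvUtil = false;
 
 		// shade class
 		Set<String> shadedJndiLookupPaths = new TreeSet<String>();
@@ -218,7 +223,7 @@ private DetectResult scanStream(File jarFile, ZipFileIterator it, List<String> p
 
 			InputStream is = it.getNextInputStream();
 			if (entry.getName().equals(LOG4J_CORE_POM_PROPS))
-				log4j2Version = loadVulnerableLog4jVersion(is);
+				log4j2Version = loadLog4j2Version(is);
 
 			if (entry.getName().equals(JNDI_LOOKUP_CLASS_PATH))
 				log4j2Mitigated = false;
@@ -228,21 +233,30 @@ private DetectResult scanStream(File jarFile, ZipFileIterator it, List<String> p
 
 			if (config.isScanForLog4j1()) {
 				if (entry.getName().equals(LOG4J_12_CORE_POM_PROPS))
-					log4j1Version = loadVulnerableLog4j1(is);
+					log4j1Version = loadLog4j1Version(is);
 
 				if (entry.getName().equals(LOG4J_12_JMSAPPENDER))
 					foundJmsAppender = true;
 
+				if (entry.getName().equals(LOG4J_12_JMSSINK))
+					foundJmsSink = true;
+
 				if (entry.getName().endsWith(LOG4J_12_JMSAPPENDER_SHADE_PATH))
 					shadedJmsAppenderPaths.add(entry.getName());
+
+				if (entry.getName().endsWith(LOG4J_12_JMSSINK_SHADE_PATH))
+					foundJmsSink = true;
 			}
 
 			if (config.isScanForLogback()) {
 				if (entry.getName().equals(LOGBACK_CLASSIC_POM_PROPS))
-					logbackVersion = loadVulnerableLogback(is);
+					logbackVersion = loadLogbackVersion(is);
 
 				if (entry.getName().equals(LOGBACK_JNDI_CLASS_PATH))
 					foundJndiUtil = true;
+
+				if (entry.getName().equals(LOGBACK_ENV_CLASS_PATH))
+					foundEnvUtil = true;
 			}
 
 			if (ZipUtils.isScanTarget(entry.getName(), config.isScanZip())) {
@@ -275,26 +289,36 @@ private DetectResult scanStream(File jarFile, ZipFileIterator it, List<String> p
 				result.setPotentiallyVulnerableLog4j2();
 			}
 
-			if (log4j1Version != null) {
-				printDetectionForLog4j1(jarFile, pathChain, log4j1Version, !foundJmsAppender);
-				if (foundJmsAppender)
-					result.setPotentiallyVulnerableLog4j1();
+			boolean log4j1Found = log4j1Version != null || foundJmsAppender || foundJmsSink;
+			boolean log4j1Mitigated = !foundJmsAppender;
+			log4j1Mitigated &= shadedJmsAppenderPaths.isEmpty();
+
+			if (log4j1Found) {
+				if (log4j1Version != null)
+					printDetectionForLog4j1(jarFile, pathChain, log4j1Version, log4j1Mitigated);
 				else
+					printDetectionForLog4j1(jarFile, pathChain, POTENTIALLY_VULNERABLE, log4j1Mitigated);
+
+				if (log4j1Mitigated)
 					result.setMitigated();
-			} else if (foundJmsAppender) {
-				printDetectionForLog4j1(jarFile, pathChain, POTENTIALLY_VULNERABLE, false);
-				result.setPotentiallyVulnerableLog4j1();
+				else
+					result.setPotentiallyVulnerableLog4j1();
 			}
 
-			if (logbackVersion != null) {
-				printDetectionForLogback(jarFile, pathChain, logbackVersion, !foundJndiUtil);
-				if (foundJndiUtil)
-					result.setPotentiallyVulnerableLogback();
-				else
+			boolean logbackFound = isVulnerableLogback(logbackVersion, foundJndiUtil, foundEnvUtil);
+			boolean logbackMitigated = !foundJndiUtil;
+
+			if (logbackFound) {
+				if (logbackVersion != null) {
+					printDetectionForLogback(jarFile, pathChain, logbackVersion, logbackMitigated);
+				} else {
+					printDetectionForLogback(jarFile, pathChain, POTENTIALLY_VULNERABLE, logbackMitigated);
+				}
+
+				if (logbackMitigated)
 					result.setMitigated();
-			} else if (foundJndiUtil) {
-				printDetectionForLogback(jarFile, pathChain, POTENTIALLY_VULNERABLE, false);
-				result.setPotentiallyVulnerableLogback();
+				else
+					result.setPotentiallyVulnerableLogback();
 			}
 
 			return result;
@@ -307,6 +331,17 @@ private DetectResult scanStream(File jarFile, ZipFileIterator it, List<String> p
 		}
 	}
 
+	private boolean isVulnerableLogback(String logbackVersion, boolean foundJndiUtil, boolean foundEnvUtil) {
+		boolean logbackFound = false;
+		if (logbackVersion != null) {
+			if (isVulnerableLogback(Version.parse(logbackVersion)))
+				logbackFound = true;
+		} else {
+			logbackFound = foundJndiUtil || foundEnvUtil;
+		}
+		return logbackFound;
+	}
+
 	private boolean isWinRarFile(File jarFile, List<String> pathChain) {
 		String fileName = null;
 		if (pathChain.isEmpty())
@@ -317,7 +352,7 @@ private boolean isWinRarFile(File jarFile, List<String> pathChain) {
 		return fileName.toLowerCase().endsWith(".rar");
 	}
 
-	private String loadVulnerableLog4jVersion(InputStream is) throws IOException {
+	private String loadLog4j2Version(InputStream is) throws IOException {
 		Properties props = new Properties();
 		props.load(is);
 
@@ -331,26 +366,22 @@ private String loadVulnerableLog4jVersion(InputStream is) throws IOException {
 		return null;
 	}
 
-	private String loadVulnerableLog4j1(InputStream is) throws IOException {
+	private String loadLog4j1Version(InputStream is) throws IOException {
 		Properties props = new Properties();
 		props.load(is);
-
 		return props.getProperty("version");
 	}
 
-	private String loadVulnerableLogback(InputStream is) throws IOException {
+	private String loadLogbackVersion(InputStream is) throws IOException {
 		Properties props = new Properties();
 		props.load(is);
 
 		String groupId = props.getProperty("groupId");
 		String artifactId = props.getProperty("artifactId");
 		String version = props.getProperty("version");
 
-		if (groupId.equals("ch.qos.logback") && artifactId.equals("logback-classic")) {
-			Version v = Version.parse(version);
-			if (isVulnerableLogback(v))
-				return version;
-		}
+		if (groupId.equals("ch.qos.logback") && artifactId.equals("logback-classic"))
+			return version;
 
 		return null;
 	}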
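Review bot: `log4j1Found` on new line 292 does not consult `shadedJmsAppenderPaths`, even though new line 294 folds that same set into `log4j1Mitigated`; a relocated jar that carries `…/log4j/net/JMSAppender.class` but no `JMSSink.class` and no `META-INF/maven/log4j/log4j/pom.properties` is therefore never printed or counted, although the code would classify it as unmitigated. Unless relocated log4j 1.x jars are guaranteed to keep JMSSink alongside JMSAppender, the presence test should include the set: `boolean log4j1Found = log4j1Version != null || foundJmsAppender || foundJmsSink || !shadedJmsAppenderPaths.isEmpty();`. Separately, the new `isVulnerableLogback(String, boolean, boolean)` overload (new lines 334–343) also returns true for jars whose JNDIUtil has been removed, which the caller then reports as mitigated, so the name overstates what it decides and is easy to confuse with the `isVulnerableLogback(Version)` overload it calls; renaming it `isLogbackDetected` or adding `// true when logback-classic is present at an affected version, or when its marker classes appear without a pom; mitigation is judged separately by the caller` would make the split explicit. The body of scanStream starts and ends outside these hunks.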
