Added --zip-charset option. v2.3.3

Author: xeraph

README.md

@@ -3,16 +3,16 @@
 log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch. It also supports nested JAR file scanning and patch. It also detects CVE-2021-45046 (log4j 2.15.0), CVE-2021-45105 (log4j 2.16.0), CVE-2021-4104 (log4j 1.x), and CVE-2021-42550 (logback 0.9-1.2.7) vulnerabilities.
 
 ### Download
-* [log4j2-scan 2.3.2 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.2/logpresso-log4j2-scan-2.3.2-win64.7z)
-* [log4j2-scan 2.3.2 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.2/logpresso-log4j2-scan-2.3.2-win64.zip)
+* [log4j2-scan 2.3.3 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.3/logpresso-log4j2-scan-2.3.3-win64.7z)
+* [log4j2-scan 2.3.3 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.3/logpresso-log4j2-scan-2.3.3-win64.zip)
   * If you get `VCRUNTIME140.dll not found` error, install [Visual C++ Redistributable](https://docs.microsoft.com/en-US/cpp/windows/latest-supported-vc-redist?view=msvc-170).
   * If native executable doesn't work, use the JAR instead. 32bit is not supported.  
   * 7zip is available from www.7zip.org, and is open source and free.
-* [log4j2-scan 2.3.2 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.2/logpresso-log4j2-scan-2.3.2-linux.tar.gz)
-* [log4j2-scan 2.3.2 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.2/logpresso-log4j2-scan-2.3.2-linux-aarch64.tar.gz)
+* [log4j2-scan 2.3.3 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.3/logpresso-log4j2-scan-2.3.3-linux.tar.gz)
+* [log4j2-scan 2.3.3 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.3/logpresso-log4j2-scan-2.3.3-linux-aarch64.tar.gz)
   * If native executable doesn't work, use the JAR instead. 32bit is not supported.
-* [log4j2-scan 2.3.2 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.2/logpresso-log4j2-scan-2.3.2-darwin.tar.gz)
-* [log4j2-scan 2.3.2 (Any OS, 20KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.2/logpresso-log4j2-scan-2.3.2.jar)
+* [log4j2-scan 2.3.3 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.3/logpresso-log4j2-scan-2.3.3-darwin.tar.gz)
+* [log4j2-scan 2.3.3 (Any OS, 20KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.3.3/logpresso-log4j2-scan-2.3.3.jar)
 
 ### Build
 * [How to build Native Image](https://github.com/logpresso/CVE-2021-44228-Scanner/wiki/FAQ#how-to-build-native-image)
@@ -22,7 +22,7 @@ Just run log4j2-scan.exe or log4j2-scan with target directory path. The logpress
 
 Usage
 ```
-Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.2 (2021-12-19)
+Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.3 (2021-12-19)
 Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2
 
 -f [config_file_path]
@@ -34,6 +34,8 @@ Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2
         Enables scanning for logback CVE-2021-42550.
 --scan-zip
         Scan also .zip extension files. This option may slow down scanning.
+--zip-charset
+        Specify an alternate zip encoding other than utf-8. System default charset is used if not specified.
 --fix
         Backup original file and remove JndiLookup.class from JAR recursively.
         With --scan-log4j1 option, it also removes JMSAppender.class, SocketServer.class, SMTPAppender.class, SMTPAppender$1.class
@@ -83,7 +85,7 @@ On Linux
 ```
 On UNIX (AIX, Solaris, and so on)
 ```
-java -jar logpresso-log4j2-scan-2.3.2.jar [--fix] target_path
+java -jar logpresso-log4j2-scan-2.3.3.jar [--fix] target_path
 ```
 
 If you add `--fix` option, this program will copy vulnerable original JAR file to .bak file, and create new JAR file without `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry. In most environments, JNDI lookup feature will not be used. However, you must use this option at your own risk. Depending the Operating System:

pom.xml

@@ -6,7 +6,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.logpresso</groupId>
 	<artifactId>log4j2-scanner</artifactId>
-	<version>2.3.2</version>
+	<version>2.3.3</version>
 	<packaging>jar</packaging>
 	<name>Logpresso Log4j2 Scanner</name>
 

src/main/java/com/logpresso/scanner/Configuration.java

@@ -5,6 +5,7 @@
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStreamReader;
+import java.nio.charset.Charset;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.LinkedList;
@@ -31,6 +32,7 @@ public class Configuration {
 	private boolean scanForLogback = false;
 	private boolean noEmptyReport = false;
 	private boolean oldExitCode = false;
+	private Charset zipCharset = null;
 
 	private String reportPath = null;
 	private String reportDir = null;
@@ -52,6 +54,9 @@ public static void pringUsage() {
 		System.out.println("\tEnables scanning for logback CVE-2021-42550.");
 		System.out.println("--scan-zip");
 		System.out.println("\tScan also .zip extension files. This option may slow down scanning.");
+		System.out.println("--zip-charset");
+		System.out.println(
+				"\tSpecify an alternate zip encoding other than utf-8. System default charset is used if not specified.");
 		System.out.println("--fix");
 		System.out.println("\tBackup original file and remove JndiLookup.class from JAR recursively.");
 		System.out.println(
@@ -113,6 +118,10 @@ public static Configuration parseArguments(String[] args) throws Exception {
 				c.silent = true;
 			} else if (args[i].equals("--scan-zip")) {
 				c.scanZip = true;
+			} else if (args[i].equals("--zip-charset")) {
+				verifyArgument(args, i, "ZIP Charset", "Specify zip entry encoding.");
+				c.zipCharset = Charset.forName(args[i + 1]);
+				i++;
 			} else if (args[i].equals("--no-symlink")) {
 				c.noSymlink = true;
 			} else if (args[i].equals("--scan-log4j1")) {
@@ -123,10 +132,8 @@ public static Configuration parseArguments(String[] args) throws Exception {
 				pringUsage();
 				System.exit(-1);
 			} else if (args[i].equals("-f")) {
-				verifyArgument(args, i, "Tarqget file path", "Specify target file path.");
+				verifyArgument(args, i, "Input config file", "Specify input config file path.");
 				c.includeFilePath = args[i + 1];
-				if (c.includeFilePath.startsWith("--"))
-					throw new IllegalArgumentException("Path should not starts with `--`. Specify include file path.");
 
 				File f = new File(c.includeFilePath);
 				if (!f.exists())
@@ -376,6 +383,10 @@ public boolean isScanZip() {
 		return scanZip;
 	}
 
+	public Charset getZipCharset() {
+		return zipCharset;
+	}
+
 	public boolean isNoSymlink() {
 		return noSymlink;
 	}

src/main/java/com/logpresso/scanner/Detector.java

@@ -4,6 +4,7 @@
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.nio.charset.Charset;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashSet;
@@ -107,9 +108,21 @@ public List<ReportEntry> getReportEntries(File f) {
 	protected void scanJarFile(File jarFile, boolean fix) {
 		InputStream is = null;
 
+		Charset altCharset = null;
 		try {
 			is = new FileInputStream(jarFile);
-			DetectResult result = scanStream(jarFile, is, new ArrayList<String>());
+			DetectResult result = null;
+
+			try {
+				result = scanStream(jarFile, is, new ArrayList<String>(), Charset.forName("utf-8"));
+			} catch (IllegalArgumentException e) {
+				// second try with system encoding or alternative encoding
+				altCharset = Charset.defaultCharset();
+				if (config.getZipCharset() != null)
+					altCharset = config.getZipCharset();
+
+				result = scanStream(jarFile, is, new ArrayList<String>(), altCharset);
+			}
 
 			if (result.isVulnerable())
 				vulnerableFileCount++;
@@ -119,7 +132,7 @@ else if (result.isPotentiallyVulnerable())
 				potentiallyVulnerableFileCount++;
 
 			if (fix && result.isFixRequired())
-				vulnerableFiles.add(new VulnerableFile(jarFile, result.hasNestedJar()));
+				vulnerableFiles.add(new VulnerableFile(jarFile, result.hasNestedJar(), altCharset));
 
 		} catch (ZipException e) {
 			// ignore broken zip file
@@ -145,7 +158,7 @@ else if (result.isPotentiallyVulnerable())
 		}
 	}
 
-	private DetectResult scanStream(File jarFile, InputStream is, List<String> pathChain) throws IOException {
+	private DetectResult scanStream(File jarFile, InputStream is, List<String> pathChain, Charset charset) throws IOException {
 		ZipInputStream zis = null;
 		DetectResult result = new DetectResult();
 		String log4j2Version = null;
@@ -203,7 +216,7 @@ private DetectResult scanStream(File jarFile, InputStream is, List<String> pathC
 				if (ZipUtils.isScanTarget(entry.getName(), config.isScanZip())) {
 					pathChain.add(entry.getName());
 
-					DetectResult nestedResult = scanStream(jarFile, zis, pathChain);
+					DetectResult nestedResult = scanStream(jarFile, zis, pathChain, charset);
 					result.merge(nestedResult);
 
 					pathChain.remove(pathChain.size() - 1);
@@ -247,8 +260,7 @@ private DetectResult scanStream(File jarFile, InputStream is, List<String> pathC
 			return result;
 		} catch (IOException e) {
 			// ignore WinRAR
-			String entryName = pathChain.get(pathChain.size() - 1);
-			if (entryName.toLowerCase().endsWith(".rar"))
+			if (isWinRarFile(jarFile, pathChain))
 				return result;
 
 			throw e;
@@ -257,6 +269,16 @@ private DetectResult scanStream(File jarFile, InputStream is, List<String> pathC
 		}
 	}
 
+	private boolean isWinRarFile(File jarFile, List<String> pathChain) {
+		String fileName = null;
+		if (pathChain.isEmpty())
+			fileName = jarFile.getName();
+		else
+			pathChain.get(pathChain.size() - 1);
+
+		return fileName.toLowerCase().endsWith(".rar");
+	}
+
 	private String loadVulnerableLog4jVersion(InputStream is) throws IOException {
 		Properties props = new Properties();
 		props.load(is);

src/main/java/com/logpresso/scanner/Log4j2Scanner.java

@@ -15,7 +15,7 @@
 import com.logpresso.scanner.utils.ZipUtils;
 
 public class Log4j2Scanner {
-	private static final String BANNER = "Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.2 (2021-12-19)";
+	private static final String BANNER = "Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.3 (2021-12-19)";
 
 	private static final boolean isWindows = File.separatorChar == '\\';
 
@@ -222,7 +222,7 @@ private void fix() {
 				Set<String> shadePatterns = detector.getShadePatterns();
 
 				if (ZipUtils.repackage(backupFile, f, removeTargets, shadePatterns, config.isScanZip(), vf.isNestedJar(),
-						config.isDebug())) {
+						config.isDebug(), vf.getAltCharset())) {
 					metrics.addFixedFileCount();
 
 					System.out.printf("Fixed: %s%s%n", f.getAbsolutePath(), symlinkMsg);

src/main/java/com/logpresso/scanner/VulnerableFile.java

@@ -1,17 +1,20 @@
 package com.logpresso.scanner;
 
 import java.io.File;
+import java.nio.charset.Charset;
 
 public class VulnerableFile implements Comparable<VulnerableFile> {
 	private File file;
 	private boolean nestedJar;
+	private Charset altCharset;
 
-	public VulnerableFile(File file, boolean nestedJar) {
+	public VulnerableFile(File file, boolean nestedJar, Charset altCharset) {
 		if (file == null)
 			throw new IllegalArgumentException("file should be not null");
 
 		this.file = file;
 		this.nestedJar = nestedJar;
+		this.altCharset = altCharset;
 	}
 
 	@Override
@@ -47,4 +50,8 @@ public File getFile() {
 	public boolean isNestedJar() {
 		return nestedJar;
 	}
+
+	public Charset getAltCharset() {
+		return altCharset;
+	}
 }

src/main/java/com/logpresso/scanner/utils/ZipUtils.java

@@ -7,6 +7,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.nio.charset.Charset;
 import java.util.Enumeration;
 import java.util.HashSet;
 import java.util.Set;
@@ -49,14 +50,15 @@ private static boolean isShaded(String s, Set<String> shadePatterns) {
 	}
 
 	public static boolean repackage(File srcFile, File dstFile, Set<String> removeTargets, Set<String> shadePatterns,
-			boolean scanZip, boolean nested, boolean debug) {
+			boolean scanZip, boolean nested, boolean debug, Charset altCharset) {
 		Set<String> entryNames = new HashSet<String>();
 		ZipFile srcZipFile = null;
 		ZipOutputStream zos = null;
 
 		try {
-			srcZipFile = new ZipFile(srcFile);
-			zos = new ZipOutputStream(new FileOutputStream(dstFile));
+			Charset charset = altCharset != null ? altCharset : Charset.forName("utf-8");
+			srcZipFile = new ZipFile(srcFile, charset);
+			zos = new ZipOutputStream(new FileOutputStream(dstFile), charset);
 
 			if (nested) {
 				zos.setMethod(ZipOutputStream.STORED);
@@ -91,7 +93,7 @@ public static boolean repackage(File srcFile, File dstFile, Set<String> removeTa
 					continue;
 				}
 
-				copyZipEntry(srcZipFile, entry, zos, removeTargets, scanZip, nested);
+				copyZipEntry(srcZipFile, entry, zos, removeTargets, scanZip, nested, altCharset);
 			}
 
 			return true;
@@ -109,15 +111,15 @@ public static boolean repackage(File srcFile, File dstFile, Set<String> removeTa
 	}
 
 	private static void copyZipEntry(ZipFile srcZipFile, ZipEntry zipEntry, ZipOutputStream zos, Set<String> removeTargets,
-			boolean scanZip, boolean nested) throws IOException {
+			boolean scanZip, boolean nested, Charset altCharset) throws IOException {
 		InputStream is = null;
 		try {
 			is = srcZipFile.getInputStream(zipEntry);
 
 			ByteArrayOutputStream bos = new ByteArrayOutputStream();
 
 			if (isScanTarget(zipEntry.getName(), scanZip)) {
-				copyNestedJar(is, bos, removeTargets, scanZip);
+				copyNestedJar(is, bos, removeTargets, scanZip, altCharset);
 			} else {
 				byte[] buf = new byte[32768];
 				while (true) {
@@ -147,16 +149,17 @@ private static void copyZipEntry(ZipFile srcZipFile, ZipEntry zipEntry, ZipOutpu
 		}
 	}
 
-	private static void copyNestedJar(InputStream is, OutputStream os, Set<String> removeTargets, boolean scanZip)
-			throws IOException {
+	private static void copyNestedJar(InputStream is, OutputStream os, Set<String> removeTargets, boolean scanZip,
+			Charset altCharset) throws IOException {
 		// check duplicated entry exception
 		Set<String> entryNames = new HashSet<String>();
 
 		ZipInputStream zis = null;
 		ZipOutputStream zos = null;
 		try {
-			zis = new ZipInputStream(new DummyInputStream(is));
-			zos = new ZipOutputStream(os);
+			Charset charset = altCharset != null ? altCharset : Charset.forName("utf-8");
+			zis = new ZipInputStream(new DummyInputStream(is), charset);
+			zos = new ZipOutputStream(os, charset);
 
 			while (true) {
 				ZipEntry zipEntry = zis.getNextEntry();
@@ -178,7 +181,7 @@ private static void copyNestedJar(InputStream is, OutputStream os, Set<String> r
 				// fix recursively
 				ByteArrayOutputStream bos = new ByteArrayOutputStream();
 				if (isScanTarget(zipEntry.getName(), scanZip)) {
-					copyNestedJar(zis, bos, removeTargets, scanZip);
+					copyNestedJar(zis, bos, removeTargets, scanZip, altCharset);
 				} else {
 					byte[] buf = new byte[32768];
 					while (true) {