From 186ff5c8b3bad0707fa122e164c4ba2a0206936b Mon Sep 17 00:00:00 2001
From: bmvermeer
Date: Thu, 6 Jan 2022 14:56:26 +0100
Subject: [PATCH] Changed logger to lo4j, log invalid login with username (log4shell input). Added commons-collection to do a deserialization RCE on newer java version based on log4shell.
---
 .../todolist/core/repository/impl/TodoRepositoryImpl.java | 5 +++--
 todolist-goof/todolist-web-common/pom.xml | 7 +++++++
 .../benas/todolist/web/common/util/TodoListUtils.java | 1 +
 .../benas/todolist/web/action/user/AccountAction.java | 6 +++---
 .../benas/todolist/web/action/user/SessionAction.java | 7 ++++---
 5 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/impl/TodoRepositoryImpl.java b/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/impl/TodoRepositoryImpl.java
index 714d9442c7..02621ccd9f 100644
--- a/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/impl/TodoRepositoryImpl.java
+++ b/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/impl/TodoRepositoryImpl.java
@@ -26,6 +26,7 @@
 import io.github.todolist.core.domain.Todo;
 import io.github.todolist.core.repository.api.TodoRepository;
+import org.apache.commons.collections.list.UnmodifiableList;
 import org.springframework.stereotype.Repository;
 import javax.persistence.EntityManager;
@@ -57,7 +58,7 @@ public Todo getTodoById(final long id) {
 public List getTodoListByUser(final long userId) {
 TypedQuery query = entityManager.createNamedQuery("findTodosByUser", Todo.class);
 query.setParameter(1, userId);
- return query.getResultList();
+ return UnmodifiableList.decorate(query.getResultList());
 }
 /**
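Review bot: `UnmodifiableList.decorate(query.getResultList())` on the new line of the getTodoListByUser hunk pulls commons-collections in for something the JDK already provides; `return Collections.unmodifiableList(query.getResultList());` gives the same read-only view with no extra dependency. The commit description says the library is added on purpose to stage a deserialization gadget chain, so if that is the intent it should be stated next to the call, e.g. `// INTENTIONALLY VULNERABLE: commons-collections 3.1 is kept on the classpath as a deserialization gadget chain for the demo` — otherwise the next reader will reasonably swap in the JDK call and silently dismantle the demo. The method also still returns a raw `List` from a raw `TypedQuery`, although `createNamedQuery(..., Todo.class)` already yields a `TypedQuery<Todo>` that would let it return `List<Todo>`.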
@@ -67,7 +68,7 @@ public List getTodoListByUserAndTitle(final long userId, final String titl TypedQuery query = entityManager.createNamedQuery("findTodosByTitle", Todo.class); query.setParameter(1, userId); query.setParameter(2, "%" + title.toUpperCase() + "%"); - return query.getResultList(); + return UnmodifiableList.decorate(query.getResultList()); } /** diff --git a/todolist-goof/todolist-web-common/pom.xml b/todolist-goof/todolist-web-common/pom.xml index 59b055ec94..1e45357265 100644 --- a/todolist-goof/todolist-web-common/pom.xml +++ b/todolist-goof/todolist-web-common/pom.xml @@ -62,5 +62,12 @@ 4.3.1.Final + + + commons-collections + commons-collections + 3.1 + + diff --git a/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/util/TodoListUtils.java b/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/util/TodoListUtils.java index 2ea5810269..8717958287 100644 --- a/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/util/TodoListUtils.java +++ b/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/util/TodoListUtils.java @@ -94,6 +94,7 @@ public static String getStatusLabel(boolean status) { * @param input text to which apply the style for each matched pattern * @param pattern the pattern to highlight * @return the transformed text + * */ public static String highlight(final String input, final String pattern) { diff --git a/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java b/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java index cc82b1e35e..8f0cdee23e 100644 --- a/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java +++ b/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java 
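Review bot: The new dependency block pins `commons-collections:commons-collections:3.1`, a release whose functor classes (`InvokerTransformer` and friends) form the well-known Java deserialization gadget chain; 3.2.2 is the first release that refuses to deserialize them by default. The only code in this patch that uses the library is `UnmodifiableList.decorate`, which the JDK's `Collections.unmodifiableList` replaces, so the artifact is here for the RCE demo the commit description announces rather than for functionality. That intent should be visible in the pom itself — `<!-- INTENTIONALLY VULNERABLE (demo): commons-collections 3.1 ships the InvokerTransformer gadget chain; do not bump -->` above the `<dependency>` — so an SCA alert or an automated version bump is not mistaken for a routine fix. The XML tags of this hunk were stripped in this rendering, so whether a `<scope>` is declared cannot be checked here; an unscoped (compile) entry is what ends up on the runtime classpath of the web modules that depend on todolist-web-common.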
@@ -26,8 +26,8 @@
 import com.opensymphony.xwork2.Action;
 import com.opensymphony.xwork2.ActionSupport;
-import com.opensymphony.xwork2.util.logging.Logger;
-import com.opensymphony.xwork2.util.logging.LoggerFactory;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import io.github.benas.todolist.web.action.BaseAction;
 import io.github.benas.todolist.web.common.form.ChangePasswordForm;
 import io.github.benas.todolist.web.common.form.RegistrationForm;
@@ -45,7 +45,7 @@
 */
 public class AccountAction extends BaseAction {
- private static final Logger LOGGER = LoggerFactory.getLogger(AccountAction.class.getName());
+ private static final Logger LOGGER = LogManager.getLogger(AccountAction.class.getName());
 private ChangePasswordForm changePasswordForm;
diff --git a/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/SessionAction.java b/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/SessionAction.java
index 119581a2ae..e658e9b67f 100644
--- a/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/SessionAction.java
+++ b/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/SessionAction.java
@@ -25,8 +25,8 @@
 package io.github.benas.todolist.web.action.user;
 import com.opensymphony.xwork2.Action;
-import com.opensymphony.xwork2.util.logging.Logger;
-import com.opensymphony.xwork2.util.logging.LoggerFactory;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import io.github.benas.todolist.web.action.BaseAction;
 import io.github.benas.todolist.web.common.form.LoginForm;
 import io.github.benas.todolist.web.common.util.TodoListUtils;
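Review bot: `LogManager.getLogger(AccountAction.class.getName())` on the new LOGGER line in AccountAction uses the string overload; `LogManager.getLogger(AccountAction.class)` is the documented log4j2 idiom, produces the same logger name and reads more directly. Nothing in the diffstat touches the todolist-web-struts pom, so `log4j-api`/`log4j-core` presumably already resolve on this module's classpath; the log4j-core version that does, which this patch does not show, is what decides whether the message lookups the commit title alludes to (CVE-2021-44228, log4j-core 2.0-beta9 through 2.14.1) are active, so it deserves a comment on the logger field naming the version this demo relies on.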
@@ -39,7 +39,7 @@
 */
 public class SessionAction extends BaseAction {
- private static final Logger LOGGER = LoggerFactory.getLogger(SessionAction.class.getName());
+ private static final Logger LOGGER = LogManager.getLogger(SessionAction.class.getName());
 private LoginForm loginForm;
@@ -61,6 +61,7 @@ public String doLogin() {
 session.put(TodoListUtils.SESSION_USER, user);
 return Action.SUCCESS;
 } else {
+ LOGGER.error("Login failed for email: " + loginForm.getEmail());
 error = getText("login.error.global.invalid");
 return Action.INPUT;
 }
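Review bot: The added `LOGGER.error("Login failed for email: " + loginForm.getEmail())` in the else branch hands an unauthenticated, attacker-chosen string to a log4j2 message, which is exactly the CVE-2021-44228 sink the commit title names: on log4j-core 2.0-beta9 through 2.14.1 a value such as `${jndi:ldap://...}` submitted as the email triggers a JNDI lookup when the line is formatted. Since this is deliberate per the commit description, mark it at the call site so it is not "fixed" by accident — `// INTENTIONALLY VULNERABLE: attacker-controlled input reaches a log4j2 message (log4shell demo)` — and note that rewriting it as `LOGGER.error("Login failed for email: {}", loginForm.getEmail())` would not close the hole, because the affected versions resolve lookups in the formatted message, parameters included; only upgrading log4j-core to 2.17.1 or later (2.12.4 / 2.3.2 on older JVMs) does. Independently of log4j, the raw email also carries CR/LF into the log, so a forged "Login failed" line for another account can be injected unless the layout encodes newlines; `String.valueOf(loginForm.getEmail()).replaceAll("[\\r\\n]", "_")` (or an encoding layout) is the usual fix in a non-demo branch. The if/else belongs to doLogin(), whose closing brace lies beyond the end of the hunk.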