From 3d82e03432188085d73e43356cefa515a6cf4245 Mon Sep 17 00:00:00 2001
From: xeraph
Date: Thu, 23 Dec 2021 12:38:51 +0900
Subject: [PATCH] Support --report-dir option with --report-json option. No error report for broken symlink except explicitly specified input path. v2.6.1
---
 README.md | 16 ++++++++--------
 pom.xml | 2 +-
 .../com/logpresso/scanner/Configuration.java | 5 +++--
 .../java/com/logpresso/scanner/Detector.java | 18 +++++++++++-------
 .../com/logpresso/scanner/Log4j2Scanner.java | 4 ++--
 .../scanner/utils/ZipFileIterator.java | 5 +++--
 6 files changed, 28 insertions(+), 22 deletions(-)
diff --git a/README.md b/README.md
index 3013699..5919d23 100644
--- a/README.md
+++ b/README.md
@@ -3,16 +3,16 @@ log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch. It also supports nested JAR file scanning and patch. It also detects CVE-2021-45046 (log4j 2.15.0), CVE-2021-45105 (log4j 2.16.0), CVE-2021-4104 (log4j 1.x), and CVE-2021-42550 (logback 0.9-1.2.7) vulnerabilities. ### Download -* [log4j2-scan 2.6.0 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.0/logpresso-log4j2-scan-2.6.0-win64.7z) -* [log4j2-scan 2.6.0 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.0/logpresso-log4j2-scan-2.6.0-win64.zip) +* [log4j2-scan 2.6.1 (Windows x64, 7z)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.1/logpresso-log4j2-scan-2.6.1-win64.7z) +* [log4j2-scan 2.6.1 (Windows x64, zip)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.1/logpresso-log4j2-scan-2.6.1-win64.zip) * If you get `VCRUNTIME140.dll not found` error, install [Visual C++ Redistributable](https://docs.microsoft.com/en-US/cpp/windows/latest-supported-vc-redist?view=msvc-170). * If native executable doesn't work, use the JAR instead. 32bit is not supported. * 7zip is available from www.7zip.org, and is open source and free. 
-* [log4j2-scan 2.6.0 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.0/logpresso-log4j2-scan-2.6.0-linux.tar.gz) -* [log4j2-scan 2.6.0 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.0/logpresso-log4j2-scan-2.6.0-linux-aarch64.tar.gz) +* [log4j2-scan 2.6.1 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.1/logpresso-log4j2-scan-2.6.1-linux.tar.gz) +* [log4j2-scan 2.6.1 (Linux aarch64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.1/logpresso-log4j2-scan-2.6.1-linux-aarch64.tar.gz) * If native executable doesn't work, use the JAR instead. 32bit is not supported. -* [log4j2-scan 2.6.0 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.0/logpresso-log4j2-scan-2.6.0-darwin.zip) -* [log4j2-scan 2.6.0 (Any OS, 620KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.0/logpresso-log4j2-scan-2.6.0.jar) +* [log4j2-scan 2.6.1 (Mac OS)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.1/logpresso-log4j2-scan-2.6.1-darwin.zip) +* [log4j2-scan 2.6.1 (Any OS, 620KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v2.6.1/logpresso-log4j2-scan-2.6.1.jar) ### Build * [How to build Native Image](https://github.com/logpresso/CVE-2021-44228-Scanner/wiki/FAQ#how-to-build-native-image) @@ -22,7 +22,7 @@ Just run log4j2-scan.exe or log4j2-scan with target directory path. The logpress Usage ``` -Logpresso CVE-2021-44228 Vulnerability Scanner 2.6.0 (2021-12-23) +Logpresso CVE-2021-44228 Vulnerability Scanner 2.6.1 (2021-12-23) Usage: log4j2-scan [--scan-log4j1] [--fix] target_path1 target_path2 -f [config_file_path] 
@@ -104,7 +104,7 @@ On Linux
 ```
 On UNIX (AIX, Solaris, and so on)
 ```
-java -jar logpresso-log4j2-scan-2.6.0.jar [--fix] target_path
+java -jar logpresso-log4j2-scan-2.6.1.jar [--fix] target_path
 ```
 If you add `--fix` option, this program will copy vulnerable original JAR file to .bak file, and create new JAR file without `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry. All .bak files are archived into the single zip file which is named by `log4j2_scan_backup_yyyyMMdd_HHmmss.zip`, then deleted safely. In most environments, JNDI lookup feature will not be used. However, you must use this option at your own risk. You can easily restore original vulnerable JAR files using `--restore` option.
diff --git a/pom.xml b/pom.xml
index d3f0e4d..cd88e6b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -6,7 +6,7 @@ 4.0.0 com.logpresso log4j2-scanner - 2.6.0 + 2.6.1 jar Logpresso Log4j2 Scanner
diff --git a/src/main/java/com/logpresso/scanner/Configuration.java b/src/main/java/com/logpresso/scanner/Configuration.java
index 2131fa4..297d9b5 100644
--- a/src/main/java/com/logpresso/scanner/Configuration.java
+++ b/src/main/java/com/logpresso/scanner/Configuration.java
@@ -283,8 +283,6 @@ public static Configuration parseArguments(String[] args) throws Exception {
 i++;
 } else if (args[i].equals("--report-dir")) {
- c.reportCsv = true;
-
 if (args.length > i + 1) {
 String pattern = args[i + 1];
 if (pattern.startsWith("--"))
@@ -330,6 +328,9 @@ else if (!reportFile.isDirectory())
 if (c.reportPath != null && (!c.reportCsv && !c.reportJson))
 c.reportCsv = true;
+ if (c.reportDir != null && (!c.reportCsv && !c.reportJson))
+ c.reportCsv = true;
+
 // verify drive letters
 c.verifyDriveLetters();
diff --git a/src/main/java/com/logpresso/scanner/Detector.java b/src/main/java/com/logpresso/scanner/Detector.java
index eeca2c2..15b7559 100644
--- a/src/main/java/com/logpresso/scanner/Detector.java
+++ b/src/main/java/com/logpresso/scanner/Detector.java
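Review bot: The new `reportDir` default in the second Configuration hunk duplicates the `reportPath` line directly above it; both set `c.reportCsv = true` under the same `!c.reportCsv && !c.reportJson` guard, so one condition covers both: `if ((c.reportPath != null || c.reportDir != null) && !c.reportCsv && !c.reportJson)` followed by `c.reportCsv = true;`. Moving the CSV default out of the `--report-dir` branch (the deletion in the first Configuration hunk) is what lets `--report-dir X --report-json` produce JSON only, and that intent is worth a one-line comment above the block, e.g. `// a report path or directory given without an explicit format falls back to CSV`. parseArguments begins and ends outside both hunks.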
@@ -116,6 +116,10 @@ public List getReportEntries(File f) {
 }
 protected void scanJarFile(File jarFile, boolean fix) {
+ scanJarFile(jarFile, fix, Charset.forName("utf-8"));
+ }
+
+ protected void scanJarFile(File jarFile, boolean fix, Charset charset) {
 InputStream is = null;
 Charset altCharset = null;
@@ -125,8 +129,8 @@ protected void scanJarFile(File jarFile, boolean fix) {
 DetectResult result = null;
 try {
- it = openZipFileIterator(jarFile, is, 0);
- result = scanStream(jarFile, it, new ArrayList(), Charset.forName("cp437"), 0);
+ it = openZipFileIterator(jarFile, is, charset, 0);
+ result = scanStream(jarFile, it, new ArrayList(), Charset.forName("utf-8"), 0);
 } catch (IllegalArgumentException e) {
 // second try with system encoding or alternative encoding
 altCharset = Charset.defaultCharset();
@@ -137,7 +141,7 @@ protected void scanJarFile(File jarFile, boolean fix) {
 IoUtils.ensureClose(is);
 is = new FileInputStream(jarFile);
- it = openZipFileIterator(jarFile, is, 0);
+ it = openZipFileIterator(jarFile, is, charset, 0);
 result = scanStream(jarFile, it, new ArrayList(), altCharset, 0);
 }
@@ -174,16 +178,16 @@ else if (result.isPotentiallyVulnerable())
 }
 }
- private ZipFileIterator openZipFileIterator(File jarFile, InputStream is, int depth) throws IOException {
+ private ZipFileIterator openZipFileIterator(File jarFile, InputStream is, Charset charset, int depth) throws IOException {
 // Try to avoid 'only DEFLATED entries can have EXT descriptor' error
 // See https://bugs.openjdk.java.net/browse/JDK-8143613
 try {
 return new ZipFileIterator(new ZipArchiveInputStream(new DummyInputStream(is)));
 } catch (Exception e) {
 if (depth == 0)
- return new ZipFileIterator(jarFile);
+ return new ZipFileIterator(jarFile, charset);
- return new ZipFileIterator(new ZipInputStream(new DummyInputStream(is)));
+ return new ZipFileIterator(new ZipInputStream(new DummyInputStream(is), charset));
 }
 }
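Review bot: The new three-argument `scanJarFile` overload carries no comment saying what `charset` is for, and nothing in its name tells a reader that it is only handed to the `ZipFile`/`ZipInputStream` iterators opened in `openZipFileIterator`, separately from the charset passed to `scanStream`. A short Javadoc on the overload, e.g. `Scans one JAR file; {@code charset} is used to decode entry names when the archive is opened through java.util.zip`, would make that split explicit. `Charset.forName("utf-8")` here (and in the next hunk, for the `scanStream` call) can be `StandardCharsets.UTF_8`, which avoids the lookup by name; that needs a `java.nio.charset.StandardCharsets` import. The body of scanJarFile continues past the end of this hunk.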
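Review bot: The retry in the `@@ -137,7 +141,7 @@` hunk reopens the archive with the same `charset` that the failed first attempt used, while only the `scanStream` argument switches to `altCharset`. If the `IllegalArgumentException` being retried comes from entry-name decoding in the `ZipFile`/`ZipInputStream` fallback (the usual MALFORMED failure for names that are not UTF-8), reopening with UTF-8 again reproduces it, so the line should read `it = openZipFileIterator(jarFile, is, altCharset, 0);`. The middle of the catch block is not visible between the two hunks, so this assumes `altCharset` is the intended encoding by the time the archive is reopened.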
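Review bot: `charset` is not applied to the `ZipArchiveInputStream` built in the `try` branch of `openZipFileIterator`, so the primary path decodes entry names with that stream's own default while only the two fallback iterators honour the caller's choice. commons-compress provides `new ZipArchiveInputStream(new DummyInputStream(is), charset.name())`, which keeps all three iterators consistent; if relying on the default there is deliberate, a comment on the `try` line saying so would stop the next reader from treating it as an oversight. The method is fully contained in the hunk.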
@@ -244,7 +248,7 @@ private DetectResult scanStream(File jarFile, ZipFileIterator it, List p
 if (ZipUtils.isScanTarget(entry.getName(), config.isScanZip())) {
 ZipFileIterator nestedIt = null;
 try {
- nestedIt = openZipFileIterator(jarFile, is, depth + 1);
+ nestedIt = openZipFileIterator(jarFile, is, charset, depth + 1);
 pathChain.add(entry.getName());
 DetectResult nestedResult = scanStream(jarFile, nestedIt, pathChain, charset, depth + 1);
diff --git a/src/main/java/com/logpresso/scanner/Log4j2Scanner.java b/src/main/java/com/logpresso/scanner/Log4j2Scanner.java
index 1d42921..d590d39 100644
--- a/src/main/java/com/logpresso/scanner/Log4j2Scanner.java
+++ b/src/main/java/com/logpresso/scanner/Log4j2Scanner.java
@@ -23,7 +23,7 @@
 import com.logpresso.scanner.utils.ZipUtils;
 public class Log4j2Scanner {
- public static final String VERSION = "2.6.0";
+ public static final String VERSION = "2.6.1";
 public static final String RELEASE_DATE = "2021-12-23";
 public static final String BANNER = "Logpresso CVE-2021-44228 Vulnerability Scanner " + VERSION + " (" + RELEASE_DATE + ")";
@@ -428,7 +428,7 @@ private void traverse(File f, int depth) {
 String path = f.getAbsolutePath();
- if (!f.exists()) {
+ if (depth == 0 && !f.exists()) {
 reportError(f, "File not found");
 return;
 }
diff --git a/src/main/java/com/logpresso/scanner/utils/ZipFileIterator.java b/src/main/java/com/logpresso/scanner/utils/ZipFileIterator.java
index ac25da5..5082751 100644
--- a/src/main/java/com/logpresso/scanner/utils/ZipFileIterator.java
+++ b/src/main/java/com/logpresso/scanner/utils/ZipFileIterator.java
@@ -4,6 +4,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
+import java.nio.charset.Charset;
 import java.util.Enumeration;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipFile;
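Review bot: `depth == 0 && !f.exists()` in the traverse hunk silences every non-existent path met while walking a directory, not only the broken symlinks the commit message targets; a file that disappears during the scan, for instance, now passes the guard and is handled by the rest of traverse, which lies outside this hunk, with no error in the report. Testing the symlink case explicitly keeps the "File not found" error for everything else: `Files.isSymbolicLink` returns true for a dangling link because it does not follow it, so only that case needs to be skipped quietly. This needs `java.nio.file.Files` imported, and a comment stating why dangling links are skipped would help, since nothing in the code says so. The skipped count is otherwise invisible to whoever reads the scan summary.
```java
		if (!f.exists()) {
			// dangling symlinks found while walking a directory are skipped silently;
			// any other missing path (including an explicit argument) is still reported
			if (depth == 0 || !Files.isSymbolicLink(f.toPath()))
				reportError(f, "File not found");
			return;
		}
		// … unchanged: rest of traverse …
```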
@@ -21,8 +22,8 @@ public class ZipFileIterator implements Closeable {
 private ZipEntry firstEntry;
 private ZipEntry nextEntry;
- public ZipFileIterator(File file) throws IOException {
- this.zipFile = new ZipFile(file);
+ public ZipFileIterator(File file, Charset charset) throws IOException {
+ this.zipFile = new ZipFile(file, charset);
 e = zipFile.entries();
 if (e.hasMoreElements()) {
 firstEntry = e.nextElement();
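Review bot: Dropping the public one-argument constructor instead of delegating from it breaks any caller outside `Detector`, which this patch cannot show; `public ZipFileIterator(File file) throws IOException { this(file, Charset.forName("UTF-8")); }` keeps the old entry point with the same entry-name decoding `new ZipFile(file)` used. The new constructor also deserves a Javadoc line such as `@param charset charset used to decode entry names; must not be null`, since `ZipFile(File, Charset)` rejects null with a NullPointerException. The constructor body continues past the end of the hunk.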