This is an automated email from the ASF dual-hosted git repository.

pkarwasz pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git

commit 266bab6cb47c18c1047b0cbd11aa095029267464
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Thu Nov 2 19:11:55 2023 +0100

    Remove PATH_TRAVERSAL_IN/OUT and URLCONNECTION_SSRF_FD warnings
---
 log4j-api/pom.xml                                  |  2 --
 .../logging/log4j/core/appender/package-info.java  |  2 +-
 .../appender/rolling/DefaultRolloverStrategy.java  | 13 ++++++++++
 .../rolling/DirectWriteRolloverStrategy.java       |  5 ++++
 .../log4j/core/appender/rolling/FileExtension.java |  9 +++++++
 .../core/appender/rolling/RollingFileManager.java  |  6 ++++-
 .../rolling/RollingRandomAccessFileManager.java    | 13 ++++++++++
 .../rolling/action/AbstractPathAction.java         |  5 ++++
 .../appender/rolling/action/FileRenameAction.java  |  6 +++++
 .../core/appender/rolling/action/package-info.java |  2 +-
 .../log4j/core/appender/rolling/package-info.java  |  2 +-
 .../log4j/core/config/ConfigurationSource.java     |  5 ++++
 .../core/config/builder/impl/package-info.java     |  2 +-
 .../config/plugins/convert/CoreTypeConverters.java |  9 +++++++
 .../core/config/plugins/convert/package-info.java  |  2 +-
 .../core/config/plugins/util/package-info.java     |  2 +-
 .../log4j/core/config/xml/package-info.java        |  2 +-
 .../core/filter/MutableThreadContextMapFilter.java |  5 ++++
 .../logging/log4j/core/jmx/LoggerContextAdmin.java |  8 +++++++
 .../logging/log4j/core/jmx/package-info.java       |  2 +-
 .../log4j/core/net/UrlConnectionFactory.java       |  9 +++++++
 .../logging/log4j/core/net/package-info.java       |  2 +-
 .../log4j/core/net/ssl/FilePasswordProvider.java   |  6 +++++
 .../logging/log4j/core/net/ssl/package-info.java   |  2 +-
 .../apache/logging/log4j/core/package-info.java    |  2 +-
 .../logging/log4j/core/script/package-info.java    |  2 +-
 .../log4j/core/tools/picocli/CommandLine.java      |  3 +++
 .../logging/log4j/core/util/package-info.java      |  2 +-
 .../logging/log4j/plugins/util/ResolverUtil.java   |  9 +++++++
 .../apache/logging/log4j/script/ScriptFile.java    |  5 ++++
 pom.xml                                            | 10 +++++++-
 spotbugs-exclude.xml                               | 28 ++++++++++++++++++++++
 32 files changed, 165 insertions(+), 17 deletions(-)

diff --git a/log4j-api/pom.xml b/log4j-api/pom.xml
index f198d90168..1885edaf9e 100644
--- a/log4j-api/pom.xml
+++ b/log4j-api/pom.xml
@@ -43,8 +43,6 @@
       java.sql;static=true
     </bnd-extra-module-options>
 
-    <!-- FIXME: temporary -->
-    <spotbugs.skip>true</spotbugs.skip>
   </properties>
   <dependencies>
     <dependency>
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/package-info.java
 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/package-info.java
index f8fa17bc9e..7213a145a0 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/package-info.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/package-info.java
@@ -18,7 +18,7 @@
  * Log4j 2 Appenders.
  */
 @Export
-@Version("2.20.1")
+@Version("2.20.2")
 package org.apache.logging.log4j.core.appender;
 
 import org.osgi.annotation.bundle.Export;
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/DefaultRolloverStrategy.java
 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/DefaultRolloverStrategy.java
index 93021eab68..ab7f47392a 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/DefaultRolloverStrategy.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/DefaultRolloverStrategy.java
@@ -28,6 +28,7 @@ import java.util.SortedMap;
 import java.util.concurrent.TimeUnit;
 import java.util.zip.Deflater;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.appender.rolling.action.Action;
 import org.apache.logging.log4j.core.appender.rolling.action.CompositeAction;
 import org.apache.logging.log4j.core.appender.rolling.action.FileRenameAction;
@@ -358,6 +359,10 @@ public class DefaultRolloverStrategy extends 
AbstractRolloverStrategy {
      * @param manager The RollingFileManager
      * @return true if purge was successful and rollover should be attempted.
      */
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The name of the accessed files is based on a 
configuration value."
+    )
     private int purgeAscending(final int lowIndex, final int highIndex, final 
RollingFileManager manager) {
         final SortedMap<Integer, Path> eligibleFiles = 
getEligibleFiles(manager);
         final int maxFiles = highIndex - lowIndex + 1;
@@ -415,6 +420,10 @@ public class DefaultRolloverStrategy extends 
AbstractRolloverStrategy {
      * @param manager The RollingFileManager
      * @return true if purge was successful and rollover should be attempted.
      */
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The name of the accessed files is based on a 
configuration value."
+    )
     private int purgeDescending(final int lowIndex, final int highIndex, final 
RollingFileManager manager) {
         // Retrieve the files in descending order, so the highest key will be 
first.
         final SortedMap<Integer, Path> eligibleFiles = 
getEligibleFiles(manager, false);
@@ -466,6 +475,10 @@ public class DefaultRolloverStrategy extends 
AbstractRolloverStrategy {
      * @throws SecurityException if an error occurs.
      */
     @Override
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The name of the accessed files is based on a 
configuration value."
+    )
     public RolloverDescription rollover(final RollingFileManager manager) 
throws SecurityException {
         final int fileIndex;
         final StringBuilder buf = new StringBuilder(255);
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/DirectWriteRolloverStrategy.java
 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/DirectWriteRolloverStrategy.java
index 389ba809b7..fa40696b19 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/DirectWriteRolloverStrategy.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/DirectWriteRolloverStrategy.java
@@ -27,6 +27,7 @@ import java.util.SortedMap;
 import java.util.concurrent.TimeUnit;
 import java.util.zip.Deflater;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.appender.rolling.action.Action;
 import org.apache.logging.log4j.core.appender.rolling.action.CompositeAction;
 import org.apache.logging.log4j.core.appender.rolling.action.FileRenameAction;
@@ -293,6 +294,10 @@ public class DirectWriteRolloverStrategy extends 
AbstractRolloverStrategy implem
      * @throws SecurityException if an error occurs.
      */
     @Override
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The name of the accessed files is based on a 
configuration value."
+    )
     public RolloverDescription rollover(final RollingFileManager manager) 
throws SecurityException {
         LOGGER.debug("Rolling " + currentFileName);
         if (maxFiles < 0) {
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/FileExtension.java
 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/FileExtension.java
index 2e5b096e93..0cb2c8ab54 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/FileExtension.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/FileExtension.java
@@ -19,6 +19,7 @@ package org.apache.logging.log4j.core.appender.rolling;
 import java.io.File;
 import java.util.Objects;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.appender.rolling.action.Action;
 import 
org.apache.logging.log4j.core.appender.rolling.action.CommonsCompressAction;
 import org.apache.logging.log4j.core.appender.rolling.action.GzCompressAction;
@@ -115,10 +116,18 @@ public enum FileExtension {
         return extension.length();
     }
 
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The name of the accessed files is based on a 
configuration value."
+    )
     File source(final String fileName) {
         return new File(fileName);
     }
 
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The name of the accessed files is based on a 
configuration value."
+    )
     File target(final String fileName) {
         return new File(fileName);
     }
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/RollingFileManager.java
 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/RollingFileManager.java
index 8cf45f910a..345a00cb2f 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/RollingFileManager.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/RollingFileManager.java
@@ -107,6 +107,10 @@ public class RollingFileManager extends FileManager {
         this.directWrite = rolloverStrategy instanceof 
DirectFileRolloverStrategy;
     }
 
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The name of the accessed files is based on a 
configuration value."
+    )
     public void initialize() {
 
         if (!initialized) {
@@ -684,7 +688,7 @@ public class RollingFileManager extends FileManager {
          */
         @Override
         @SuppressFBWarnings(
-                value = "PATH_TRAVERSAL_IN",
+                value = {"PATH_TRAVERSAL_IN", "PATH_TRAVERSAL_OUT"},
                 justification = "The destination file should be specified in 
the configuration file."
         )
         public RollingFileManager createManager(final String name, final 
FactoryData data) {
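Review bot: The justification kept on createManager, "The destination file should be specified in the configuration file", reads as a requirement on callers rather than the statement of fact a suppression needs, and it no longer matches the two warnings now listed since PATH_TRAVERSAL_OUT was added. The other annotations in this commit use the declarative form; align this one and cover both directions, e.g. `justification = "Both the source and destination file names are taken from the configuration."`. The method body is outside the hunk, so which sinks trigger the OUT warning is not visible here.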
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/RollingRandomAccessFileManager.java
 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/RollingRandomAccessFileManager.java
index f0d719e050..38ac430e8d 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/RollingRandomAccessFileManager.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/RollingRandomAccessFileManager.java
@@ -23,6 +23,7 @@ import java.io.RandomAccessFile;
 import java.nio.ByteBuffer;
 import java.nio.file.Paths;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.Layout;
 import org.apache.logging.log4j.core.LoggerContext;
 import org.apache.logging.log4j.core.appender.AppenderLoggingException;
@@ -145,10 +146,18 @@ public class RollingRandomAccessFileManager extends 
RollingFileManager {
     }
 
     @Override
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The name of the accessed files is based on a 
configuration value."
+    )
     protected void createFileAfterRollover() throws IOException {
         createFileAfterRollover(getFileName());
     }
 
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The name of the accessed files is based on a 
configuration value."
+    )
     private void createFileAfterRollover(final String fileName) throws 
IOException {
         this.randomAccessFile = new RandomAccessFile(fileName, "rw");
         if (isAttributeViewEnabled()) {
@@ -214,6 +223,10 @@ public class RollingRandomAccessFileManager extends 
RollingFileManager {
          * @return a RollingFileManager.
          */
         @Override
+        @SuppressFBWarnings(
+                value = "PATH_TRAVERSAL_IN",
+                justification = "The name of the accessed files is based on a 
configuration value."
+        )
         public RollingRandomAccessFileManager createManager(final String name, 
final FactoryData data) {
             File file = null;
             long size = 0;
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/action/AbstractPathAction.java
 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/action/AbstractPathAction.java
index 247da93107..402cf29d1a 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/action/AbstractPathAction.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/action/AbstractPathAction.java
@@ -29,6 +29,7 @@ import java.util.List;
 import java.util.Set;
 import java.util.concurrent.TimeUnit;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.lookup.StrSubstitutor;
 
 /**
@@ -101,6 +102,10 @@ public abstract class AbstractPathAction extends 
AbstractAction {
      *
      * @return the base path (all lookups resolved)
      */
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The name of the accessed files is based on a 
configuration value."
+    )
     public Path getBasePath() {
         return Paths.get(subst.replace(getBasePathString()));
     }
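Review bot: The justification on getBasePath says the path is a configuration value, but the line beneath the annotation first runs the string through `subst.replace(...)`, so the resolved path also depends on whatever lookups the StrSubstitutor resolves at call time. The justification should say that those lookup sources are considered trusted, e.g. `justification = "The base path is a configuration value; lookups are resolved by StrSubstitutor from trusted sources."`, so the next reader does not have to rediscover that dependency. Whether every lookup reachable here is in fact trusted is not visible in this hunk and is worth confirming.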
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/action/FileRenameAction.java
 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/action/FileRenameAction.java
index 86f0bf206e..6cdfa997eb 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/action/FileRenameAction.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/action/FileRenameAction.java
@@ -25,6 +25,8 @@ import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.nio.file.StandardCopyOption;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
 /**
  * File rename action.
  */
@@ -103,6 +105,10 @@ public class FileRenameAction extends AbstractAction {
      * @param renameEmptyFiles if true, rename file even if empty, otherwise 
delete empty files.
      * @return true if successfully renamed.
      */
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The name of the accessed files is based on a 
configuration value."
+    )
     public static boolean execute(final File source, final File destination, 
final boolean renameEmptyFiles) {
         if (renameEmptyFiles || (source.length() > 0)) {
             final File parent = destination.getParentFile();
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/action/package-info.java
 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/action/package-info.java
index df9c341d7e..7605459736 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/action/package-info.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/action/package-info.java
@@ -18,7 +18,7 @@
  * Support classes for the Rolling File Appender.
  */
 @Export
-@Version("2.20.1")
+@Version("2.20.2")
 package org.apache.logging.log4j.core.appender.rolling.action;
 
 import org.osgi.annotation.bundle.Export;
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/package-info.java
 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/package-info.java
index 094ddc03a5..4c94140c90 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/package-info.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/package-info.java
@@ -18,7 +18,7 @@
  * Rolling File Appender and support classes.
  */
 @Export
-@Version("2.20.1")
+@Version("2.20.2")
 package org.apache.logging.log4j.core.appender.rolling;
 
 import org.osgi.annotation.bundle.Export;
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/config/ConfigurationSource.java
 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/config/ConfigurationSource.java
index 75e1c05295..bc613980a3 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/config/ConfigurationSource.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/config/ConfigurationSource.java
@@ -34,6 +34,7 @@ import java.util.Objects;
 
 import javax.net.ssl.HttpsURLConnection;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.net.ssl.LaxHostnameVerifier;
 import org.apache.logging.log4j.core.net.ssl.SslConfiguration;
 import org.apache.logging.log4j.core.net.ssl.SslConfigurationFactory;
@@ -324,6 +325,10 @@ public class ConfigurationSource {
         return getConfigurationSource(url);
     }
 
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The name of the accessed files is based on a 
configuration value."
+    )
     private static ConfigurationSource getConfigurationSource(final URL url) {
         try {
             final URLConnection urlConnection = url.openConnection();
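Review bot: The justification on getConfigurationSource(URL) speaks of "the name of the accessed files", but the method takes a URL and the only sink visible is `url.openConnection()` on the last line, so the text does not describe what is being suppressed. Reword it to the actual origin of the value, e.g. `justification = "The URL is the configuration location supplied by the application."`. Note also that this call goes to `url.openConnection()` directly rather than through UrlConnectionFactory, which elsewhere in this commit is the method that inspects the protocol; if the log4j2.Configuration.allowedProtocols restriction is not applied before this point, that deserves confirming. The method body continues past the hunk.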
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/config/builder/impl/package-info.java
 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/config/builder/impl/package-info.java
index 9eacd9d0b7..c56f92230f 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/config/builder/impl/package-info.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/config/builder/impl/package-info.java
@@ -20,7 +20,7 @@
  * @since 2.4
  */
 @Export
-@Version("2.20.1")
+@Version("2.20.2")
 package org.apache.logging.log4j.core.config.builder.impl;
 
 import org.osgi.annotation.bundle.Export;
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/config/plugins/convert/CoreTypeConverters.java
 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/config/plugins/convert/CoreTypeConverters.java
index fdace9dfb1..1214c1014d 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/config/plugins/convert/CoreTypeConverters.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/config/plugins/convert/CoreTypeConverters.java
@@ -34,6 +34,7 @@ import java.util.Base64;
 import java.util.UUID;
 import java.util.regex.Pattern;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.Level;
 import org.apache.logging.log4j.core.appender.rolling.action.Duration;
 import org.apache.logging.log4j.core.util.CronExpression;
@@ -200,6 +201,10 @@ public final class CoreTypeConverters {
     @Plugin
     public static class FileConverter implements TypeConverter<File> {
         @Override
+        @SuppressFBWarnings(
+                value = "PATH_TRAVERSAL_IN",
+                justification = "The name of the accessed file is based on a 
configuration value."
+        )
         public File convert(final String s) {
             return new File(s);
         }
@@ -238,6 +243,10 @@ public final class CoreTypeConverters {
     @Plugin
     public static class PathConverter implements TypeConverter<Path> {
         @Override
+        @SuppressFBWarnings(
+                value = "PATH_TRAVERSAL_IN",
+                justification = "The name of the accessed file is based on a 
configuration value."
+        )
         public Path convert(final String s) throws Exception {
             return Paths.get(s);
         }
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/config/plugins/convert/package-info.java
 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/config/plugins/convert/package-info.java
index 22632e1998..59da1e88bc 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/config/plugins/convert/package-info.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/config/plugins/convert/package-info.java
@@ -20,7 +20,7 @@
  * attributes in plugin factory methods.
  */
 @Export
-@Version("2.20.1")
+@Version("2.20.2")
 package org.apache.logging.log4j.core.config.plugins.convert;
 
 import org.osgi.annotation.bundle.Export;
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/config/plugins/util/package-info.java
 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/config/plugins/util/package-info.java
index 49657032f1..c2c42b8d5b 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/config/plugins/util/package-info.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/config/plugins/util/package-info.java
@@ -19,7 +19,7 @@
  * Utility and manager classes for Log4j 2 plugins.
  */
 @Export
-@Version("2.20.1")
+@Version("2.20.2")
 package org.apache.logging.log4j.core.config.plugins.util;
 
 import org.osgi.annotation.bundle.Export;
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/config/xml/package-info.java
 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/config/xml/package-info.java
index caf38c6281..f0a6c9d7e4 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/config/xml/package-info.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/config/xml/package-info.java
@@ -18,7 +18,7 @@
  * Classes and interfaces supporting configuration of Log4j 2 with XML.
  */
 @Export
-@Version("2.20.1")
+@Version("2.20.2")
 package org.apache.logging.log4j.core.config.xml;
 
 import org.osgi.annotation.bundle.Export;
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/filter/MutableThreadContextMapFilter.java
 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/filter/MutableThreadContextMapFilter.java
index 18dd235010..741e05e71d 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/filter/MutableThreadContextMapFilter.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/filter/MutableThreadContextMapFilter.java
@@ -28,6 +28,7 @@ import java.util.concurrent.TimeUnit;
 
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.Level;
 import org.apache.logging.log4j.Marker;
 import org.apache.logging.log4j.core.ContextDataInjector;
@@ -321,6 +322,10 @@ public class MutableThreadContextMapFilter extends 
AbstractFilter {
         }
     }
 
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The location of the file comes from a 
configuration value."
+    )
     private static LastModifiedSource getSource(final String configLocation) {
         LastModifiedSource source = null;
         try {
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/jmx/LoggerContextAdmin.java
 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/jmx/LoggerContextAdmin.java
index 657c748073..7ea5319fd0 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/jmx/LoggerContextAdmin.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/jmx/LoggerContextAdmin.java
@@ -107,6 +107,10 @@ public class LoggerContextAdmin extends 
NotificationBroadcasterSupport implement
     }
 
     @Override
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The location of the configuration comes from a 
running configuration."
+    )
     public String getConfigLocationUri() {
         if (loggerContext.getConfigLocation() != null) {
             return String.valueOf(loggerContext.getConfigLocation());
@@ -118,6 +122,10 @@ public class LoggerContextAdmin extends 
NotificationBroadcasterSupport implement
     }
 
     @Override
+    @SuppressFBWarnings(
+            value = {"URLCONNECTION_SSRF_FD", "PATH_TRAVERSAL_IN"},
+            justification = "This method should only be called by a secure JMX 
connection."
+    )
     public void setConfigLocationUri(final String configLocation) throws 
URISyntaxException, IOException {
         if (configLocation == null || configLocation.isEmpty()) {
             throw new IllegalArgumentException("Missing configuration 
location");
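Review bot: The justification for suppressing URLCONNECTION_SSRF_FD on setConfigLocationUri delegates the entire control to "a secure JMX connection", yet this is a remotely invocable setter that makes the logger context fetch and apply a configuration from a caller-supplied URI, so the suppression is only sound where JMX is authenticated and access-controlled. State that assumption where an operator will read it, e.g. `justification = "Reconfiguration from a caller-supplied URI is intended; JMX callers are trusted, so the JMX endpoint must be authenticated and authorized."`, and mirror the same sentence in the method's Javadoc. Independently of JMX security, consider resolving the URI through UrlConnectionFactory so the log4j2.Configuration.allowedProtocols restriction also applies here; whether the remainder of the method already does so is not visible in this hunk. The method body continues past the hunk.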
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/jmx/package-info.java 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/jmx/package-info.java
index ec3945d302..07c55a1e0b 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/jmx/package-info.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/jmx/package-info.java
@@ -18,7 +18,7 @@
  * Log4j 2 JMX support.
  */
 @Export
-@Version("2.20.1")
+@Version("2.20.2")
 package org.apache.logging.log4j.core.jmx;
 
 import org.osgi.annotation.bundle.Export;
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/UrlConnectionFactory.java
 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/UrlConnectionFactory.java
index bb5a448086..1d21f6c478 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/UrlConnectionFactory.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/UrlConnectionFactory.java
@@ -27,6 +27,7 @@ import java.util.List;
 
 import javax.net.ssl.HttpsURLConnection;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.net.ssl.LaxHostnameVerifier;
 import org.apache.logging.log4j.core.net.ssl.SslConfiguration;
 import org.apache.logging.log4j.core.net.ssl.SslConfigurationFactory;
@@ -57,6 +58,10 @@ public class UrlConnectionFactory {
     private static final String NO_PROTOCOLS = "_none";
     public static final String ALLOWED_PROTOCOLS = 
"log4j2.Configuration.allowedProtocols";
 
+    @SuppressFBWarnings(
+            value = "URLCONNECTION_SSRF_FD",
+            justification = "The URL parameter originates only from secure 
sources."
+    )
     public static <T extends URLConnection> T createConnection(final URL url, 
final long lastModifiedMillis,
                                                                final 
SslConfiguration sslConfiguration,
                                                                final 
AuthorizationProvider authorizationProvider,
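Review bot: "The URL parameter originates only from secure sources" is a claim about callers that a public static method cannot make; any code on the classpath can call createConnection with an arbitrary URL, so the justification should describe the control this method applies rather than who is expected to call it. The ALLOWED_PROTOCOLS constant declared just above suggests a protocol allow-list; if the body enforces it, say so: `justification = "The URL is a configuration location; its protocol is checked against log4j2.Configuration.allowedProtocols."`. The method body lies outside the hunk, so whether that check lives here or in the callers needs confirming.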
@@ -113,6 +118,10 @@ public class UrlConnectionFactory {
         return Cast.cast(urlConnection);
     }
 
+    @SuppressFBWarnings(
+            value = "URLCONNECTION_SSRF_FD",
+            justification = "This method sanitizes the usage of the provided 
URL."
+    )
     public static URLConnection createConnection(final URL url) throws 
IOException {
         final URLConnection urlConnection;
         if (url.getProtocol().equals(HTTPS) || url.getProtocol().equals(HTTP)) 
{
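Review bot: "This method sanitizes the usage of the provided URL" is too vague to evaluate the suppression; the only control visible in the hunk is the protocol comparison against HTTPS/HTTP on the last line. Name what actually happens, e.g. `justification = "Only the protocol is inspected to choose the connection type; the URL is a configuration location."`, so a future reader does not assume host or path validation is performed here. The rest of the method, including the non-HTTP branch, is outside the hunk.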
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/package-info.java 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/package-info.java
index 28e4e9575c..5bc2e4b5cd 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/package-info.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/package-info.java
@@ -25,7 +25,7 @@
  * </ul>
  */
 @Export
-@Version("2.20.1")
+@Version("2.20.2")
 package org.apache.logging.log4j.core.net;
 
 import org.osgi.annotation.bundle.Export;
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/FilePasswordProvider.java
 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/FilePasswordProvider.java
index 1351a7feab..28f024a1d8 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/FilePasswordProvider.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/FilePasswordProvider.java
@@ -26,6 +26,8 @@ import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.Arrays;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
 /**
  * PasswordProvider that reads password from a file.
  * <p>
@@ -53,6 +55,10 @@ class FilePasswordProvider implements PasswordProvider {
      * @param passwordFile the path to the password file
      * @throws NoSuchFileException if the password file does not exist when 
this FilePasswordProvider is constructed
      */
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The file name comes from a configuration option."
+    )
     public FilePasswordProvider(final String passwordFile) throws 
NoSuchFileException {
         this.passwordPath = Paths.get(passwordFile);
         if (!Files.exists(passwordPath)) {
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/package-info.java
 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/package-info.java
index 6f29c65481..db4860c1ff 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/package-info.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/package-info.java
@@ -18,7 +18,7 @@
  * Log4j 2 SSL support
  */
 @Export
-@Version("2.20.1")
+@Version("2.20.2")
 package org.apache.logging.log4j.core.net.ssl;
 
 import org.osgi.annotation.bundle.Export;
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/package-info.java 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/package-info.java
index 60748c1e65..a11875eea4 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/package-info.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/package-info.java
@@ -18,7 +18,7 @@
  * Implementation of Log4j 2.
  */
 @Export
-@Version("2.20.1")
+@Version("2.20.2")
 package org.apache.logging.log4j.core;
 
 import org.osgi.annotation.bundle.Export;
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/script/package-info.java
 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/script/package-info.java
index d905a95c59..d973435b64 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/script/package-info.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/script/package-info.java
@@ -18,7 +18,7 @@
  * Log4j 2 Script support.
  */
 @Export
-@Version("2.20.1")
+@Version("2.20.2")
 package org.apache.logging.log4j.core.script;
 
 import org.osgi.annotation.bundle.Export;
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/tools/picocli/CommandLine.java
 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/tools/picocli/CommandLine.java
index be3d141a57..1706fa406f 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/tools/picocli/CommandLine.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/tools/picocli/CommandLine.java
@@ -64,6 +64,7 @@ import java.util.UUID;
 import java.util.concurrent.Callable;
 import java.util.regex.Pattern;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import 
org.apache.logging.log4j.core.tools.picocli.CommandLine.Help.Ansi.IStyle;
 import org.apache.logging.log4j.core.tools.picocli.CommandLine.Help.Ansi.Style;
 import org.apache.logging.log4j.core.tools.picocli.CommandLine.Help.Ansi.Text;
@@ -2637,6 +2638,7 @@ public class CommandLine {
      * Inner class to group the built-in {@link ITypeConverter} 
implementations.
      */
     private static final class BuiltIn {
+        @SuppressFBWarnings("PATH_TRAVERSAL_IN")
         static class PathConverter implements ITypeConverter<Path> {
             @Override public Path convert(final String value) { return 
Paths.get(value); }
         }
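Review bot: The `@SuppressFBWarnings("PATH_TRAVERSAL_IN")` added on PathConverter is one of only two suppressions in this commit without a justification, which the annotation accepts as a second attribute and every other file touched here supplies. Use the long form: `@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "The path is a command-line argument supplied by the user running the tool.")`. The same applies to the FileConverter suppression added later in this file.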
@@ -2712,6 +2714,7 @@ public class CommandLine {
             public Double convert(final String value) { return 
Double.valueOf(value); }
         }
 
+        @SuppressFBWarnings("PATH_TRAVERSAL_IN")
         static class FileConverter implements ITypeConverter<File> {
             @Override
             public File convert(final String value) { return new File(value); }
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/util/package-info.java 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/util/package-info.java
index 7fae142a82..753b7c456b 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/util/package-info.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/util/package-info.java
@@ -18,7 +18,7 @@
  * Log4j 2 helper classes.
  */
 @Export
-@Version("2.20.1")
+@Version("2.20.2")
 package org.apache.logging.log4j.core.util;
 
 import org.osgi.annotation.bundle.Export;
diff --git 
a/log4j-plugins/src/main/java/org/apache/logging/log4j/plugins/util/ResolverUtil.java
 
b/log4j-plugins/src/main/java/org/apache/logging/log4j/plugins/util/ResolverUtil.java
index f2004a32bc..0710dd5a4a 100644
--- 
a/log4j-plugins/src/main/java/org/apache/logging/log4j/plugins/util/ResolverUtil.java
+++ 
b/log4j-plugins/src/main/java/org/apache/logging/log4j/plugins/util/ResolverUtil.java
@@ -28,6 +28,7 @@ import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
 import java.util.jar.JarInputStream;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.status.StatusLogger;
 import org.apache.logging.log4j.util.LoaderUtil;
@@ -164,6 +165,10 @@ public class ResolverUtil {
      * @param packageName
      *        the name of the package from which to start scanning for 
classes, e.g. {@code net.sourceforge.stripes}
      */
+    @SuppressFBWarnings(
+            value = {"URLCONNECTION_SSRF_FD", "PATH_TRAVERSAL_IN"},
+            justification = "The URLs used come from the classloader."
+    )
     public void findInPackage(final Test test, String packageName) {
         packageName = packageName.replace('.', '/');
         final ClassLoader loader = getClassLoader();
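Review bot: The justification on `findInPackage` explains only where the URLs come from, yet the suppression also covers `PATH_TRAVERSAL_IN`, and the only path-like value visible in the hunk is the `packageName` parameter, which is rewritten with `replace('.', '/')` before use. If the detector fires on that parameter rather than on the classloader URLs, the justification should also say why `packageName` is trusted, e.g. `justification = "URLs come from the classloader; packageName is a Java package name supplied by the caller, not external input."` — this is hedged, since the rest of the method body lies outside the hunk. The matching suppression on `extractPath` in the next hunk reads fine as written, because its only input is a URL.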
@@ -236,6 +241,10 @@ public class ResolverUtil {
         }
     }
 
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The URLs used come from the classloader."
+    )
     String extractPath(final URL url) throws UnsupportedEncodingException, 
URISyntaxException {
         String urlPath = url.getPath(); // same as getFile but without the 
Query portion
         // System.out.println(url.getProtocol() + "->" + urlPath);
diff --git 
a/log4j-script/src/main/java/org/apache/logging/log4j/script/ScriptFile.java 
b/log4j-script/src/main/java/org/apache/logging/log4j/script/ScriptFile.java
index edc42a6f52..0ad60fec56 100644
--- a/log4j-script/src/main/java/org/apache/logging/log4j/script/ScriptFile.java
+++ b/log4j-script/src/main/java/org/apache/logging/log4j/script/ScriptFile.java
@@ -27,6 +27,7 @@ import java.nio.charset.Charset;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.util.ExtensionLanguageMapping;
 import org.apache.logging.log4j.core.util.FileUtils;
 import org.apache.logging.log4j.core.util.NetUtils;
@@ -61,6 +62,10 @@ public class ScriptFile extends AbstractScript {
     }
 
     @PluginFactory
+    @SuppressFBWarnings(
+            value = {"URLCONNECTION_SSRF_FD", "PATH_TRAVERSAL_IN"},
+            justification = "The `filePathOrUri` parameter comes from 
configuration."
+    )
     public static ScriptFile createScript(
             // @formatter:off
             @PluginAttribute String name,
diff --git a/pom.xml b/pom.xml
index 05eca168ee..107eccc629 100644
--- a/pom.xml
+++ b/pom.xml
@@ -324,7 +324,6 @@
     <docLabel>Site Documentation</docLabel>
     <projectDir />
     <module.name />
-    <spotbugs.maxRank>14</spotbugs.maxRank>
     
<project.build.outputTimestamp>2023-10-23T19:03:40Z</project.build.outputTimestamp>
 
     <!-- ========================
@@ -680,6 +679,15 @@
         </configuration>
       </plugin>
 
+      <!-- TODO: Remove after upgrading to `logging-parent` 10.3.0 -->
+      <plugin>
+        <groupId>com.github.spotbugs</groupId>
+        <artifactId>spotbugs-maven-plugin</artifactId>
+        <configuration>
+          
<excludeFilterFile>${maven.multiModuleProjectDirectory}/spotbugs-exclude.xml</excludeFilterFile>
+        </configuration>
+      </plugin>
+
       <!-- ███████ ████████  █████  ██████  ████████        ███████ ██ 
████████ ███████
            ██         ██    ██   ██ ██   ██    ██    ██     ██      ██    ██   
 ██
            ███████    ██    ███████ ██████     ██           ███████ ██    ██   
 █████
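Review bot: The TODO on the added `spotbugs-maven-plugin` block says when to remove it but not what it is for, and the removal of `spotbugs.maxRank` in the first hunk of this file is left unexplained, so a later reader cannot tell the two changes belong together. If the exclude filter is indeed meant to take over from the rank threshold, as the same-commit change suggests, say so in the comment: `<!-- TODO: Remove after upgrading to logging-parent 10.3.0; until then spotbugs-exclude.xml stands in for the dropped spotbugs.maxRank threshold -->`.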
diff --git a/spotbugs-exclude.xml b/spotbugs-exclude.xml
new file mode 100644
index 0000000000..be6759cc45
--- /dev/null
+++ b/spotbugs-exclude.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to you under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<FindBugsFilter
+        xmlns="https://github.com/spotbugs/filter/3.0.0";
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 
https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd";>
+    <Match>
+        <Not>
+          <Bug category="SECURITY"/>
+        </Not>
+        <Rank value="9"/>
+    </Match>
+</FindBugsFilter>
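Review bot: The single `<Match>` in the new filter has no comment stating its intent, and its effect hinges on how `<Rank value="9"/>` thresholds (whether it selects findings ranked 9 and scarier or 9 and milder), which is not obvious from the element alone. Since this file now decides project-wide which non-SECURITY findings are dropped, add a one-line comment above the `<Match>` spelling out the intended outcome, e.g. `<!-- Always report SECURITY findings; for other categories, drop those on the far side of the rank-9 threshold (direction per the SpotBugs filter documentation) -->`, with the direction confirmed before it is committed.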

