This is an automated email from the ASF dual-hosted git repository. pkarwasz pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
commit 4c9c576b14858f6cdac0c2a0fe565fefa51b8125 Author: Piotr P. Karwasz <[email protected]> AuthorDate: Mon Nov 6 15:20:05 2023 +0100 Check reported security bugs in `log4j-1.2-api` --- .../src/main/java/org/apache/log4j/DefaultThrowableRenderer.java | 5 +++++ log4j-1.2-api/src/main/java/org/apache/log4j/FileAppender.java | 5 +++++ .../src/main/java/org/apache/log4j/PropertyConfigurator.java | 5 +++++ .../src/main/java/org/apache/log4j/RollingFileAppender.java | 9 +++++++++ .../src/main/java/org/apache/log4j/helpers/FileWatchdog.java | 6 ++++++ .../src/main/java/org/apache/log4j/helpers/package-info.java | 2 +- .../src/main/java/org/apache/log4j/layout/Log4j1XmlLayout.java | 5 +++++ log4j-1.2-api/src/main/java/org/apache/log4j/package-info.java | 2 +- .../src/main/java/org/apache/log4j/xml/DOMConfigurator.java | 5 +++++ .../src/main/java/org/apache/log4j/xml/XmlConfiguration.java | 5 +++++ .../src/main/java/org/apache/log4j/xml/package-info.java | 2 +- log4j-api-test/pom.xml | 5 ++--- log4j-core-test/pom.xml | 8 +++++--- 13 files changed, 55 insertions(+), 9 deletions(-)
diff --git a/log4j-1.2-api/src/main/java/org/apache/log4j/DefaultThrowableRenderer.java b/log4j-1.2-api/src/main/java/org/apache/log4j/DefaultThrowableRenderer.java
index 53ab6cb385..8bcdbf61ac 100644
--- a/log4j-1.2-api/src/main/java/org/apache/log4j/DefaultThrowableRenderer.java
+++ b/log4j-1.2-api/src/main/java/org/apache/log4j/DefaultThrowableRenderer.java
@@ -24,6 +24,7 @@ import java.io.StringReader;
 import java.io.StringWriter;
 import java.util.ArrayList;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.log4j.spi.ThrowableRenderer;
 /**
@@ -39,6 +40,10 @@ public final class DefaultThrowableRenderer implements ThrowableRenderer {
 * @param throwable throwable, may not be null.
 * @return string representation.
 */
+ @SuppressFBWarnings(
+ value = "INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE",
+ justification = "The throwable is formatted into a log file, which should be private."
+ )
 public static String[] render(final Throwable throwable) {
 final StringWriter sw = new StringWriter();
 final PrintWriter pw = new PrintWriter(sw);
diff --git a/log4j-1.2-api/src/main/java/org/apache/log4j/FileAppender.java b/log4j-1.2-api/src/main/java/org/apache/log4j/FileAppender.java
index b3d7742cf8..f7d91a8c8a 100644
--- a/log4j-1.2-api/src/main/java/org/apache/log4j/FileAppender.java
+++ b/log4j-1.2-api/src/main/java/org/apache/log4j/FileAppender.java
@@ -24,6 +24,7 @@ import java.io.IOException;
 import java.io.InterruptedIOException;
 import java.io.Writer;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.log4j.helpers.LogLog;
 import org.apache.log4j.helpers.QuietWriter;
 import org.apache.log4j.spi.ErrorCode;
@@ -248,6 +249,10 @@ public class FileAppender extends WriterAppender {
 * @param fileName The path to the log file.
 * @param append If true will append to fileName. Otherwise will truncate fileName.
 */
+ @SuppressFBWarnings(
+ value = {"PATH_TRAVERSAL_IN", "PATH_TRAVERSAL_OUT"},
+ justification = "The file name comes from a configuration file."
+ )
 public synchronized void setFile(String fileName, boolean append, boolean bufferedIO, int bufferSize)
 throws IOException {
 LogLog.debug("setFile called: " + fileName + ", " + append);
diff --git a/log4j-1.2-api/src/main/java/org/apache/log4j/PropertyConfigurator.java b/log4j-1.2-api/src/main/java/org/apache/log4j/PropertyConfigurator.java
index 555877ac34..9119b54227 100644
--- a/log4j-1.2-api/src/main/java/org/apache/log4j/PropertyConfigurator.java
+++ b/log4j-1.2-api/src/main/java/org/apache/log4j/PropertyConfigurator.java
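Review bot: The justification on `render` asserts a destination the method cannot know: it returns a `String[]`, and whether that text lands in a private file, on a console or on a network appender is decided by the appender configuration, so "formatted into a log file" does not hold in general. The suppression itself is sound because emitting stack traces is the purpose of a throwable renderer, and the recorded reason should say that instead, e.g. `justification = "Rendering stack traces into log output is the purpose of this renderer; the output destination is chosen by the logging configuration."`. The same wording is attached to `Log4j1XmlLayout.formatTo` in a later hunk and should change with it. The body of `render` continues past the hunk.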
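Review bot: The justification on `setFile` names a source that this public method cannot enforce — `fileName` is whatever the caller passes, and a configuration file is only the usual caller — so the recorded reason should state the trust assumption rather than one call path, e.g. `justification = "The path is chosen by the party configuring logging, which is trusted input for this module."`. The same single-source phrasing appears on `PropertyConfigurator.doConfigure`, on the `FileWatchdog` constructor and on the public `DOMConfigurator.configure(String)` in later hunks, where "system property" is likewise only one of the possible callers. A sentence in the class Javadoc stating that appender and configuration file paths are trusted configuration, referenced from these annotations, would keep the suppressions auditable from one place. The body of `setFile` continues outside the hunk.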
@@ -30,6 +30,7 @@ import java.util.Properties;
 import java.util.StringTokenizer;
 import java.util.Vector;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.log4j.bridge.FilterAdapter;
 import org.apache.log4j.config.Log4j1Configuration;
 import org.apache.log4j.config.PropertiesConfiguration;
@@ -356,6 +357,10 @@ public class PropertyConfigurator implements Configurator {
 * @param fileName The configuration file
 * @param loggerRepository The hierarchy
 */
+ @SuppressFBWarnings(
+ value = "PATH_TRAVERSAL_IN",
+ justification = "The filename comes from a system property."
+ )
 Configuration doConfigure(final String fileName, final LoggerRepository loggerRepository, final ClassLoader classLoader) {
 try (final InputStream inputStream = Files.newInputStream(Paths.get(fileName))) {
 return doConfigure(inputStream, loggerRepository, classLoader);
diff --git a/log4j-1.2-api/src/main/java/org/apache/log4j/RollingFileAppender.java b/log4j-1.2-api/src/main/java/org/apache/log4j/RollingFileAppender.java
index a4c3cb3ddb..a03bfdcfb0 100644
--- a/log4j-1.2-api/src/main/java/org/apache/log4j/RollingFileAppender.java
+++ b/log4j-1.2-api/src/main/java/org/apache/log4j/RollingFileAppender.java
@@ -21,6 +21,7 @@ import java.io.IOException;
 import java.io.InterruptedIOException;
 import java.io.Writer;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.log4j.helpers.CountingQuietWriter;
 import org.apache.log4j.helpers.LogLog;
 import org.apache.log4j.helpers.OptionConverter;
@@ -107,6 +108,10 @@ public class RollingFileAppender extends FileAppender {
 * created.
 * </p>
 */
+ @SuppressFBWarnings(
+ value = "PATH_TRAVERSAL_IN",
+ justification = "The filename comes from a system property."
+ )
 public // synchronization not necessary since doAppend is alreasy synched
 void rollOver() {
 File target;
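Review bot: The justification on `rollOver` contradicts the one given for `setFile` in the next hunk of this same file: both suppress PATH_TRAVERSAL_IN for the appender's file, yet one says the name comes from a system property and the other from a configuration file. `rollOver` takes no parameter, so the path it rolls is presumably the appender's own configured file (its body lies outside the hunk), which makes the `setFile` wording the accurate one; I would change this annotation to `justification = "The file name comes from a configuration file."`. While on this method, the context comment below the annotation carries the typo `alreasy`, which could become `already`.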
@@ -182,6 +187,10 @@ public class RollingFileAppender extends FileAppender {
 }
 }
+ @SuppressFBWarnings(
+ value = "PATH_TRAVERSAL_IN",
+ justification = "The file name comes from a configuration file."
+ )
 public synchronized void setFile(final String fileName, final boolean append, final boolean bufferedIO, final int bufferSize) throws IOException {
 super.setFile(fileName, append, this.bufferedIO, this.bufferSize);
 if (append) {
diff --git a/log4j-1.2-api/src/main/java/org/apache/log4j/helpers/FileWatchdog.java b/log4j-1.2-api/src/main/java/org/apache/log4j/helpers/FileWatchdog.java
index 3db3dd0ddc..83d1ff4a94 100644
--- a/log4j-1.2-api/src/main/java/org/apache/log4j/helpers/FileWatchdog.java
+++ b/log4j-1.2-api/src/main/java/org/apache/log4j/helpers/FileWatchdog.java
@@ -18,6 +18,8 @@ package org.apache.log4j.helpers;
 import java.io.File;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
 /**
 * Checks every now and then that a certain file has not changed. If it has, then call the {@link #doOnChange} method.
 *
@@ -45,6 +47,10 @@ public abstract class FileWatchdog extends Thread {
 boolean warnedAlready;
 boolean interrupted;
+ @SuppressFBWarnings(
+ value = "PATH_TRAVERSAL_IN",
+ justification = "The filename comes from a system property."
+ )
 protected FileWatchdog(final String fileName) {
 super("FileWatchdog");
 this.filename = fileName;
diff --git a/log4j-1.2-api/src/main/java/org/apache/log4j/helpers/package-info.java b/log4j-1.2-api/src/main/java/org/apache/log4j/helpers/package-info.java
index ec9e29e470..c8459cb536 100644
--- a/log4j-1.2-api/src/main/java/org/apache/log4j/helpers/package-info.java
+++ b/log4j-1.2-api/src/main/java/org/apache/log4j/helpers/package-info.java
@@ -18,7 +18,7 @@
 * Log4j 1.x compatibility layer.
 */
 @Export
-@Version("2.20.1")
+@Version("2.20.2")
 package org.apache.log4j.helpers;
 import org.osgi.annotation.bundle.Export;
diff --git a/log4j-1.2-api/src/main/java/org/apache/log4j/layout/Log4j1XmlLayout.java b/log4j-1.2-api/src/main/java/org/apache/log4j/layout/Log4j1XmlLayout.java
index e7f5452352..66143715ae 100644
--- a/log4j-1.2-api/src/main/java/org/apache/log4j/layout/Log4j1XmlLayout.java
+++ b/log4j-1.2-api/src/main/java/org/apache/log4j/layout/Log4j1XmlLayout.java
@@ -22,6 +22,7 @@ import java.nio.charset.StandardCharsets;
 import java.util.List;
 import java.util.Objects;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.Layout;
 import org.apache.logging.log4j.core.LogEvent;
 import org.apache.logging.log4j.core.layout.AbstractStringLayout;
@@ -87,6 +88,10 @@ public final class Log4j1XmlLayout extends AbstractStringLayout {
 return text.toString();
 }
+ @SuppressFBWarnings(
+ value = "INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE",
+ justification = "The throwable is formatted into a log file, which should be private."
+ )
 private void formatTo(final LogEvent event, final StringBuilder buf) {
 buf.append("<log4j:event logger=\"");
 buf.append(Transform.escapeHtmlTags(event.getLoggerName()));
diff --git a/log4j-1.2-api/src/main/java/org/apache/log4j/package-info.java b/log4j-1.2-api/src/main/java/org/apache/log4j/package-info.java
index f54ae70fdb..7462396fa7 100644
--- a/log4j-1.2-api/src/main/java/org/apache/log4j/package-info.java
+++ b/log4j-1.2-api/src/main/java/org/apache/log4j/package-info.java
@@ -18,7 +18,7 @@
 * Log4j 1.x compatibility layer.
 */
 @Export
-@Version("2.20.1")
+@Version("2.20.2")
 package org.apache.log4j;
 import org.osgi.annotation.bundle.Export;
diff --git a/log4j-1.2-api/src/main/java/org/apache/log4j/xml/DOMConfigurator.java b/log4j-1.2-api/src/main/java/org/apache/log4j/xml/DOMConfigurator.java
index fb914fcedb..4d3006d88c 100644
--- a/log4j-1.2-api/src/main/java/org/apache/log4j/xml/DOMConfigurator.java
+++ b/log4j-1.2-api/src/main/java/org/apache/log4j/xml/DOMConfigurator.java
@@ -32,6 +32,7 @@ import java.util.Properties;
 import javax.xml.parsers.FactoryConfigurationError;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.log4j.LogManager;
 import org.apache.log4j.config.PropertySetter;
 import org.apache.log4j.helpers.OptionConverter;
@@ -70,6 +71,10 @@ public class DOMConfigurator {
 public static void configure(final Element element) {
 }
+ @SuppressFBWarnings(
+ value = "PATH_TRAVERSAL_IN",
+ justification = "The filename comes from a system property."
+ )
 public static void configure(final String fileName) throws FactoryConfigurationError {
 final Path path = Paths.get(fileName);
 try (final InputStream inputStream = Files.newInputStream(path)) {
diff --git a/log4j-1.2-api/src/main/java/org/apache/log4j/xml/XmlConfiguration.java b/log4j-1.2-api/src/main/java/org/apache/log4j/xml/XmlConfiguration.java
index d6c889d9c7..83a0c57585 100644
--- a/log4j-1.2-api/src/main/java/org/apache/log4j/xml/XmlConfiguration.java
+++ b/log4j-1.2-api/src/main/java/org/apache/log4j/xml/XmlConfiguration.java
@@ -29,6 +29,7 @@ import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.FactoryConfigurationError;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.log4j.Appender;
 import org.apache.log4j.Layout;
 import org.apache.log4j.Level;
@@ -130,6 +131,10 @@ public class XmlConfiguration extends Log4j1Configuration {
 final ConfigurationSource source = getConfigurationSource();
 final ParseAction action = new ParseAction() {
 @Override
+ @SuppressFBWarnings(
+ value = "XXE_DOCUMENT",
+ justification = "The `DocumentBuilder` is configured to not resolve external entities."
+ )
 public Document parse(final DocumentBuilder parser) throws SAXException, IOException {
 @SuppressWarnings("resource") final // The ConfigurationSource and its caller manages the InputStream.
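Review bot: The XXE_DOCUMENT justification on the anonymous `parse` claims a property of the `DocumentBuilder` it receives as a parameter, but nothing in the hunk configures that builder — the hardening, if present, lives in the code that constructs the parser, outside this hunk. A suppression should point at its evidence so the next reader can re-verify it, so the justification should name where DOCTYPE and external-entity resolution are disabled, e.g. `justification = "The DocumentBuilder is built by <factory-method-placeholder>, which disables DOCTYPE declarations and external entities."`, and a regression test that feeds a document containing an external entity through `XmlConfiguration` would make the claim checkable rather than asserted. As a style point, this is the only justification in the commit that puts Markdown backticks around a type name inside a plain Java string; the others use plain prose. The enclosing method continues beyond the hunk.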
diff --git a/log4j-1.2-api/src/main/java/org/apache/log4j/xml/package-info.java b/log4j-1.2-api/src/main/java/org/apache/log4j/xml/package-info.java
index b5d39eff77..b7c3d31598 100644
--- a/log4j-1.2-api/src/main/java/org/apache/log4j/xml/package-info.java
+++ b/log4j-1.2-api/src/main/java/org/apache/log4j/xml/package-info.java
@@ -18,7 +18,7 @@
 * Log4j 1.x compatibility layer.
 */
 @Export
-@Version("2.20.1")
+@Version("2.20.2")
 package org.apache.log4j.xml;
 import org.osgi.annotation.bundle.Export;
diff --git a/log4j-api-test/pom.xml b/log4j-api-test/pom.xml
index 7d5df0b099..f615fd4121 100644
--- a/log4j-api-test/pom.xml
+++ b/log4j-api-test/pom.xml
@@ -29,9 +29,8 @@
 <name>Apache Log4j API Tests</name>
 <description>The Apache Log4j API Test</description>
 <properties>
- <log4jParentDir>${basedir}/..</log4jParentDir>
- <docLabel>API Documentation</docLabel>
- <projectDir>/api</projectDir>
+ <!-- Ignore less important (high rank) bugs for test artifacts -->
+ <spotbugs.maxRank>9</spotbugs.maxRank>
 <!--
 ~ OSGi and JPMS options
diff --git a/log4j-core-test/pom.xml b/log4j-core-test/pom.xml
index 5acfa567d9..3389f8ef28 100644
--- a/log4j-core-test/pom.xml
+++ b/log4j-core-test/pom.xml
@@ -29,9 +29,11 @@
 <name>Apache Log4j Core Tests</name>
 <description>The Apache Log4j Implementation Tests</description>
 <properties>
- <log4jParentDir>${basedir}/..</log4jParentDir>
- <docLabel>Core Documentation</docLabel>
- <projectDir>/log4j-core-test</projectDir>
+ <!-- Ignore less important (high rank) bugs for test artifacts -->
+ <spotbugs.maxRank>9</spotbugs.maxRank>
+
+ <!-- Dependency versions -->
+ <slf4j-ext.version>${slf4j.version}</slf4j-ext.version>
 <!--
 ~ OSGi and JPMS options
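Review bot: The comment added above `spotbugs.maxRank` explains the intent only to someone who already knows that SpotBugs ranks run from 1 (scariest) to 20 (least concerning); from `<!-- Ignore less important (high rank) bugs for test artifacts -->` a reader cannot tell that ranks 10 and above are dropped for this module. I would write `<!-- SpotBugs ranks run from 1 (scariest) to 20; report only ranks 1-9 for test artifacts -->`. Separately, this hunk and the matching one in log4j-core-test/pom.xml remove `log4jParentDir`, `docLabel` and `projectDir`, and core-test adds `slf4j-ext.version`, none of which the commit message covers; if any site or reporting configuration still references the removed properties it would now see an unexpanded `${...}` literal, which is worth confirming before merge.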
