search

cloudera / cloudera-scripts-for-log4j

Scripts for addressing log4j zero day security issue
Apache License 2.0
86 stars 68 forks source link

code to backup for tar.gz is invalid #32

Open starkjs opened 2 years ago

starkjs commented 2 years ago

The code here is not working (cm_cdp_cdh_log4j_jndi_removal.sh line 139)

  local backupdir=${2:-/opt/cloudera/log4shell-backup}
  mkdir -p "$backupdir/$(dirname $tarfile)"
  targetbackup="$backupdir/$tarfile.backup"
  if [ ! -f "$targetbackup" ]; then
    echo "Backing up to '$targetbackup'"
    cp -f "$tarfile" "$targetbackup"
  fi

You do a mkdir for a path and then don't use it.

I can't see any backups for the *.tar.gz in the location of the backupdir

There is something wrong with this block of code

Also the function is always creating a new tar.gz, even if there is nothing to "patch" thus touching files which don't need to be altered - this is bad.....

lhoss commented 2 years ago

Related https://github.com/cloudera/cloudera-scripts-for-log4j/issues/27

starkjs commented 2 years ago

This is fixed now, it was related to data leaking due to reused variable names from function to function. I have made all variables within functions local now

abiboakye commented 10 months ago

@starkjs Pertaining to this issue has the script been corrected by any chance or it is still the same in cm_cdp_cdh_log4j_jndi_removal.sh.

You do a mkdir for a path and then don't use it.

I can't see any backups for the *.tar.gz in the location of the backupdir

There is something wrong with this block of code

Also the function is always creating a new tar.gz, even if there is nothing to "patch" thus touching files which don't need to be altered - this is bad.....