google / log4jscanner

A log4j vulnerability filesystem scanner and Go package for analyzing JAR files.
Apache License 2.0

release assets archives contain potentially dangerous "." folder #46

Closed alexsaveliev closed 2 years ago

alexsaveliev commented 2 years ago

How-to-repeat

Make a folder FOLDER owned by USER:GROUP, assign 777 permissions to FOLDER, then:

```sh
sudo -s
cd FOLDER
wget https://github.com/google/log4jscanner/releases/download/v0.2.0/log4jscanner-v0.2.0-linux-amd64.tar.gz
tar xfz log4jscanner-v0.2.0-linux-amd64.tar.gz
```

Check the new ownership and permissions of FOLDER: it is now drwx------ 3 root root, because

```
tar -ztvf log4jscanner-v0.2.0-linux-amd64.tar.gz
drwx------ root/root         0 2022-01-05 23:14 ./
drwxr-xr-x root/root         0 2022-01-05 23:14 ./log4jscanner/
-rwxr-xr-x root/root   2637215 2022-01-05 23:14 ./log4jscanner/log4jscanner
```

I think that ./ shouldn't be a part of the release assets archive, because as a result you might set incorrect permissions on your folder (think of /tmp without full access).

Thanks
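A release-pipeline check for exactly the problem reported above, written as an added example for this page (it is not part of log4jscanner and not code from the project). It reads a tar.gz and flags any entry whose cleaned name is "." (so its mode and owner would be applied to the directory tar is extracting into) as well as entries that resolve outside the extraction directory via an absolute path or a leading "..". The function names `auditTarGz` and `buildArchive`, the `Finding` and `entry` types, and the in-memory sample archive that mirrors the `tar -ztvf` listing from the issue are all assumptions of this example; the sample's file body is a placeholder, not the real binary.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"os"
	"path"
	"strings"
	"time"
)

// Finding is one archive entry that would act on something other than a
// fresh path below the extraction directory.
type Finding struct {
	Name   string // entry name exactly as stored in the archive
	Mode   int64  // permission bits exactly as stored in the archive
	Reason string
}

// auditTarGz walks a gzip-compressed tar stream and reports entries that
// (a) name the extraction directory itself ("." or "./"), whose mode and
// owner tar would apply to the caller's current directory, or
// (b) resolve outside it through an absolute path or a leading "..".
func auditTarGz(r io.Reader) ([]Finding, error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	var findings []Finding
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return findings, nil
		}
		if err != nil {
			return nil, err
		}
		// "./" -> ".", "./a/" -> "a", "a/../../b" -> "../b"
		clean := path.Clean(hdr.Name)
		switch {
		case clean == ".":
			findings = append(findings, Finding{hdr.Name, hdr.Mode,
				"entry is the extraction directory itself; its mode/owner would be applied to the current directory"})
		case path.IsAbs(clean), clean == "..", strings.HasPrefix(clean, "../"):
			findings = append(findings, Finding{hdr.Name, hdr.Mode,
				"entry resolves outside the extraction directory"})
		}
	}
}

// entry describes one header written into a constructed archive (hypothetical
// helper type for this example).
type entry struct {
	name string
	mode int64
	typ  byte
	body string
}

// buildArchive writes the given entries into an in-memory tar.gz so the audit
// can be exercised offline, without downloading any real release asset.
func buildArchive(entries []entry) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	stamp := time.Date(2022, 1, 5, 23, 14, 0, 0, time.UTC) // matches the listing's timestamp
	for _, e := range entries {
		hdr := &tar.Header{
			Name: e.name, Mode: e.mode, Typeflag: e.typ,
			Size: int64(len(e.body)), Uname: "root", Gname: "root", ModTime: stamp,
		}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := io.WriteString(tw, e.body); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	if err := gz.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// sampleEntries is a constructed stand-in for the v0.2.0 archive layout shown
// by `tar -ztvf` in the issue: a 0700 "./" entry, then the tool's directory.
var sampleEntries = []entry{
	{"./", 0700, tar.TypeDir, ""},
	{"./log4jscanner/", 0755, tar.TypeDir, ""},
	{"./log4jscanner/log4jscanner", 0755, tar.TypeReg, "placeholder, not a binary"},
}

func main() {
	var src io.Reader
	if len(os.Args) > 1 { // audit a real archive named on the command line
		f, err := os.Open(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		defer f.Close()
		src = f
	} else { // otherwise audit the constructed sample
		src = bytes.NewReader(buildArchive(sampleEntries))
	}
	findings, err := auditTarGz(src)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("%-32s mode %04o  %s\n", f.Name, f.Mode, f.Reason)
	}
	if len(findings) > 0 {
		os.Exit(1) // non-zero so a release job fails on a dangerous entry
	}
}
```

Run it with no arguments to see the constructed sample flagged, or pass a downloaded archive path to audit the real file. The exit status makes it usable as a gate in the job that produces the release assets. On the consumer side, the reason the report reproduces under `sudo` is that GNU tar running as root preserves archived ownership and permissions by default, so a "./" entry rewrites the working directory; extracting into a freshly created scratch directory confines whatever such an entry does to that directory.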