logpresso / CVE-2021-44228-Scanner

Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
Apache License 2.0
852 stars 173 forks source link

Scan error: 'Index -1 out of bounds for length 0 #153

Closed AlexMilotin closed 2 years ago

AlexMilotin commented 2 years ago

Hi,

Seems like zip file scanning is running into a error Scan error: 'Index -1 out of bounds for length 0' on file: C:\Users\uie13286.VT1\Downloads\OneDrive_1_11-15-2021.zip

image

and Scan error: 'malformed input off : 98, length : 1' on file: C:\Users\uix08287\Desktop\IE-DFSS-15-0003 (2).zip Scan error: 'malformed input off : 82, length : 1' on file: C:\Users\uix08287\Desktop\IE-DFSS-15-0003.zip

image

xeraph commented 2 years ago

@AlexMilotin Would you run with --debug and comment stacktrace for Scan error: 'Index -1 out of bounds for length 0' on file: C:\Users\uie13286.VT1\Downloads\OneDrive_1_11-15-2021.zip ?

AlexMilotin commented 2 years ago

Scan error: 'Index -1 out of bounds for length 0

Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.2 (2021-12-19)
Scanning directory: C:\Users\uie13286.VT1\Downloads\OneDrive_1_11-15-2021.zip
Scan error: 'Index -1 out of bounds for length 0' on file: C:\Users\uie13286.VT1\Downloads\OneDrive_1_11-15-2021.zip
java.lang.IndexOutOfBoundsException: Index -1 out of bounds for length 0
        at jdk.internal.util.Preconditions.outOfBounds(Preconditions.java:64)
        at jdk.internal.util.Preconditions.outOfBoundsCheckIndex(Preconditions.java:70)
        at jdk.internal.util.Preconditions.checkIndex(Preconditions.java:248)
        at java.util.Objects.checkIndex(Objects.java:372)
        at java.util.ArrayList.get(ArrayList.java:459)
        at com.logpresso.scanner.Detector.scanStream(Detector.java:250)
        at com.logpresso.scanner.Detector.scanJarFile(Detector.java:112)
        at com.logpresso.scanner.Log4j2Scanner.traverse(Log4j2Scanner.java:306)
        at com.logpresso.scanner.Log4j2Scanner.run(Log4j2Scanner.java:146)
        at com.logpresso.scanner.Log4j2Scanner.run(Log4j2Scanner.java:69)
        at com.logpresso.scanner.Log4j2Scanner.main(Log4j2Scanner.java:30)
AlexMilotin commented 2 years ago

Also for one of the malformed perhaps would be helpful

PS C:\temp> .\log4j2-scan.exe --debug --scan-log4j1 --scan-logback --scan-zip --silent "C:\Program Files\Python36\Lib\test\zip_cp437_header.zip"
Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.2 (2021-12-19)
Scanning directory: C:\Program Files\Python36\Lib\test\zip_cp437_header.zip
Scan error: 'malformed input off : 14, length : 1' on file: C:\Program Files\Python36\Lib\test\zip_cp437_header.zip
java.lang.IllegalArgumentException: malformed input off : 14, length : 1
        at java.lang.StringCoding.throwMalformed(StringCoding.java:685)
        at java.lang.StringCoding.decodeUTF8_0(StringCoding.java:872)
        at java.lang.StringCoding.newStringUTF8NoRepl(StringCoding.java:965)
        at java.lang.System$2.newStringUTF8NoRepl(System.java:2203)
        at java.util.zip.ZipCoder$UTF8.toString(ZipCoder.java:60)
        at java.util.zip.ZipCoder.toString(ZipCoder.java:87)
        at java.util.zip.ZipInputStream.readLOC(ZipInputStream.java:303)
        at java.util.zip.ZipInputStream.getNextEntry(ZipInputStream.java:125)
        at com.logpresso.scanner.Detector.scanStream(Detector.java:171)
        at com.logpresso.scanner.Detector.scanJarFile(Detector.java:112)
        at com.logpresso.scanner.Log4j2Scanner.traverse(Log4j2Scanner.java:306)
        at com.logpresso.scanner.Log4j2Scanner.run(Log4j2Scanner.java:146)
        at com.logpresso.scanner.Log4j2Scanner.run(Log4j2Scanner.java:69)
        at com.logpresso.scanner.Log4j2Scanner.main(Log4j2Scanner.java:30)
Caused by: java.nio.charset.MalformedInputException: Input length = 1
        ... 14 more
xeraph commented 2 years ago

@AlexMilotin Both exception traces are caused by encoding issues. The default zip entry encoding is utf8, but the file appears to be encoded in a different character set. Maybe adding another encoding option can be useful, however, if each zip file uses different encoding, it is hard to resolve..

AlexMilotin commented 2 years ago

@xeraph Assuming the most used ones are utf8 , latin1 and CP437 i would hope that adding latin1 and CP437 is enough ?

xeraph commented 2 years ago

@AlexMilotin Would you upload some small CP437 zip file which causes error? I want to reproduce it.

AlexMilotin commented 2 years ago

Hopefully this is the one you need. Is what i got from one of our devs zip_cp437_header.zip It is the same one from the malformed error here : https://github.com/logpresso/CVE-2021-44228-Scanner/issues/153#issuecomment-997365739

xeraph commented 2 years ago

@AlexMilotin Would you test v2.3.3 release? If your system default encoding is cp437, no additional option is required. If you want to decompress ZIP which is encoded by other charset, use --zip-charset option. e.g. --zip-charset CP437

AlexMilotin commented 2 years ago

That works like a charm for the malformed issues For the Scan error: 'Index -1 out of bounds for length 0' i do not get the error anymore but instead it does Skipping it as broken .jar

image

xeraph commented 2 years ago

Oops.. 'Index -1 out of bounds for length 0' was different issue. I will fix it soon. Thank you for reporting! @AlexMilotin

xeraph commented 2 years ago

~@AlexMilotin Would you upload zip which cause only DEFLATED entries can have EXT descriptor ?~ Found some sample from https://github.com/Aefyr/SAI/files/4343980/Netflix_v7.48.0.build.10.34747.zip

xeraph commented 2 years ago

@AlexMilotin v2.3.4 reduces only DEFLATED entries can have EXT descriptor errors. (still error occurs for nested zip case due to jdk limitation)

xeraph commented 2 years ago

@AlexMilotin v2.6.0 release can resolves almost all ZIP errors.