logpresso / CVE-2021-44228-Scanner

Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
Apache License 2.0

symlinks not scanning #193

Closed nddipiazza closed 2 years ago

nddipiazza commented 2 years ago

symlinks are no longer scanned.

steps to reproduce

mkdir test
wget 'https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.13.2/log4j-core-2.13.2.jar' -O test/test-vuln.jar
ln -s test test-symlink
./log4j2-scan test-symlink

finds 0 vulns

note: Scanner 1.7.0 (2021-12-17) did not have this problem. This is a new regression.

jgstew commented 2 years ago

I think the default might have changed to not scan symlinks automatically, but I don't remember for certain, or when.

jgstew commented 2 years ago

Hmm, I just checked the release notes. I think I'm wrong. My bad.

xeraph commented 2 years ago

@nddipiazza Ah.. At first I thought that you reported a symlink file. The scanner does not follow symlink directories any more by default. It may cause an infinite traversal loop. The --no-symlink option means 'Do not scan or detect symlink files'.

xeraph commented 2 years ago

@nddipiazza Just released v2.6.0. It will follow a symlink if the user explicitly specified the file path.

nddipiazza commented 2 years ago

@xeraph thanks so much for looking at this. Can you elaborate on what you mean by "if the user explicitly specified the file path"?

nddipiazza commented 2 years ago

never mind, I understand what you mean now.

log4j2-scan - will not follow symlinks
log4j2-scan /my/path - will follow symlinks
log4j2-scan --no-symlink /my/path - will not follow symlinks

xeraph commented 2 years ago

@nddipiazza Technically, it means depth-0 scan target paths. :D
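The traversal policy xeraph describes above (follow a symlink only when it is one of the explicitly given depth-0 targets, never while recursing, so a symlink cycle cannot cause an infinite loop), as an added example that is not log4j2-scan's own code. The function names `scan_targets`, `build_demo_tree` and `demo`, the `.jar`-only filter, the placeholder jar bytes and the `realpath`-based visited set are this example's own assumptions, not the project's implementation; the directory tree it scans is constructed in a temporary directory and mirrors the reproduction steps in the report plus a deliberate loop.

```python
"""Added example (not log4j2-scan's own code): a directory walker that
follows a symlinked directory only when it is an explicit depth-0 scan
target, skips symlinked directories while recursing, and refuses to enter
a real directory twice, so a symlink loop terminates.
"""
import os
import shutil
import tempfile
from pathlib import Path


def scan_targets(targets, follow_symlinks=True):
    """Return the sorted paths of .jar files reachable from `targets`.

    - A target that is itself a symlink to a directory is followed when
      follow_symlinks is True (the `log4j2-scan /my/path` case).
    - With follow_symlinks=False (the `--no-symlink` case, as assumed here)
      symlinked targets are ignored and symlinked files are not detected.
    - While recursing, a symlinked directory is never descended into.
    - Each real directory is entered at most once (assumed extra guard).
    """
    found = []
    seen_dirs = set()

    def walk(directory):
        real = os.path.realpath(directory)
        if real in seen_dirs:          # defence in depth against cycles
            return
        seen_dirs.add(real)
        with os.scandir(directory) as it:
            for entry in it:
                if entry.is_dir(follow_symlinks=False):
                    walk(entry.path)   # real subdirectory: recurse
                elif entry.is_symlink():
                    # symlinked directories are skipped during recursion;
                    # symlinked .jar files are detected unless disabled
                    if follow_symlinks and entry.is_file() and entry.name.endswith(".jar"):
                        found.append(entry.path)
                elif entry.is_file() and entry.name.endswith(".jar"):
                    found.append(entry.path)

    for target in targets:
        p = Path(target)
        if p.is_symlink() and not follow_symlinks:
            continue                   # --no-symlink: do not follow even at depth 0
        if p.is_dir():                 # depth-0 symlink to a directory is followed
            walk(str(p))
        elif p.is_file() and p.suffix == ".jar":
            found.append(str(p))
    return sorted(found)


def build_demo_tree():
    """Construct the report's layout (test/, test-symlink -> test) plus a
    loop (test/loop -> root). Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="symlink-demo-")
    test = os.path.join(root, "test")
    os.mkdir(test)
    # constructed placeholder standing in for log4j-core-2.13.2.jar
    with open(os.path.join(test, "test-vuln.jar"), "wb") as f:
        f.write(b"PK\x03\x04 constructed placeholder, not a real jar")
    os.symlink(test, os.path.join(root, "test-symlink"))
    os.symlink(root, os.path.join(test, "loop"))
    return root


def demo():
    """Run the four cases from the thread and return the hit counts."""
    root = build_demo_tree()
    try:
        return {
            # log4j2-scan test-symlink: explicit depth-0 symlink is followed
            "explicit_symlink": len(scan_targets([os.path.join(root, "test-symlink")])),
            # scanning the parent: test/ is found, test-symlink is not recursed into
            "recursion_from_parent": len(scan_targets([root])),
            # --no-symlink test-symlink: nothing scanned
            "no_symlink_flag": len(scan_targets([os.path.join(root, "test-symlink")], follow_symlinks=False)),
            # a target that is a symlink loop still terminates
            "loop_target": len(scan_targets([os.path.join(root, "test", "loop")])),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for case, hits in demo().items():
        print(f"{case}: {hits} jar(s) found")
```

Without the `seen_dirs` guard the `loop_target` case would still terminate here only because symlinked directories are skipped during recursion; the guard covers the separate case of bind mounts or hard-linked directory aliases that `is_symlink()` cannot see.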

nddipiazza commented 2 years ago

Verified fixed with v2.6.0. Closing.