mergebase / log4j-detector

Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc.) on your file-system within any application. It is able to even find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too!

log4j-detector hangs on special files #8

Closed dorchain closed 2 years ago

dorchain commented 2 years ago

log4j-detector should avoid opening device files, named pipes, sockets, etc., i.e., only normal files.

E.g., by adding a small check in Log4JDetector.java:

        } else {
            // only scan regular (or hidden) files; skip devices, named pipes, sockets
            if (f.isFile() || f.isHidden()) {
              scan(f);
            }
        }

r-eis commented 2 years ago

I can confirm this. On one of our Debian systems, we are stuck at this line: Examining /boot/vmlinuz-4.9.0-16-amd64...

With dorchain's suggestion, we get over this.

juliusmusseau commented 2 years ago

I've applied the "(f.isFile() || f.isHidden())" logic to the latest version. Thanks so much for reporting this!
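As an added illustration of the classification the fix relies on (not code from log4j-detector): `java.io.File.isFile()` is false for device nodes, FIFOs and sockets, but `isHidden()` is true for any dot-file on Unix, so a hidden FIFO would still pass `f.isFile() || f.isHidden()` and be opened. The hypothetical walker below uses `BasicFileAttributes` with `NOFOLLOW_LINKS`, where such entries report `isOther()` or `isSymbolicLink()` and are never opened; only paths that report `isRegularFile()` are handed to a scanner.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.BasicFileAttributes;
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical helper (not part of log4j-detector): walks a directory tree
 * and returns only the regular files a scanner may safely open. Device
 * nodes, FIFOs, sockets and symlinks are classified from their attributes
 * and skipped without ever being opened, so the walk cannot block on them.
 */
public class RegularFileWalker {

    /** True only for a plain file. Hidden status is deliberately ignored. */
    static boolean isScannable(Path p) {
        try {
            // NOFOLLOW_LINKS: classify the entry itself, so a symlink that
            // points at /dev/zero is seen as a link, not as a device.
            BasicFileAttributes a = Files.readAttributes(
                    p, BasicFileAttributes.class, LinkOption.NOFOLLOW_LINKS);
            // isRegularFile() is false when isOther() (device, pipe, socket)
            // or isSymbolicLink() is true, so one check covers all of them.
            return a.isRegularFile();
        } catch (IOException e) {
            return false; // unreadable or vanished between listing and stat
        }
    }

    static List<Path> collect(Path root) throws IOException {
        List<Path> out = new ArrayList<>();
        // walkFileTree does not follow symlinks unless FOLLOW_LINKS is given.
        Files.walkFileTree(root, new SimpleFileVisitor<Path>() {
            @Override
            public FileVisitResult visitFile(Path p, BasicFileAttributes attrs) {
                if (isScannable(p)) {
                    out.add(p);
                }
                return FileVisitResult.CONTINUE;
            }

            @Override
            public FileVisitResult visitFileFailed(Path p, IOException e) {
                return FileVisitResult.CONTINUE; // e.g. permission denied
            }
        });
        return out;
    }

    public static void main(String[] args) throws IOException {
        Path root = Paths.get(args.length > 0 ? args[0] : ".");
        for (Path p : collect(root)) {
            System.out.println("Would scan: " + p);
        }
    }
}
```

Running it with `/dev` as the argument lists nothing, while a directory of jars lists each jar once; the same `isScannable` test can be dropped in front of any `scan(f)` call.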