mergebase / log4j-detector

Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc) on your file-system within any application. It is able to even find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too!

Don't handle *.gwtar and other normal files ending with *ar as archives #82

Open phbreitbach opened 2 years ago

phbreitbach commented 2 years ago

The tool handles everything with file suffix *ar as a potential Java archive:

System.err output on an example with *.gwtar -- Problem: D:.m2\repository\com\google\gwt\gwt-user\2.7.0\gwt-user-2.7.0.jar!/com/google/gwt/user/User.gwtar - java.lang.RuntimeException: Inner-zip - could not find ZIP magic number: D:.m2\repository\com\google\gwt\gwt-user\2.7.0\gwt-user-2.7.0.jar!/com/google/gwt/user/User.gwtar

Another example with a service file called ComponentRegistrar -- Problem: C:\Users\XYZ\AppData\Roaming\JetBrains\IntelliJIdea2020.2\plugins\Kotlin\kotlinc\lib\allopen-compiler-plugin.jar!/META-INF/services/org.jetbrains.kotlin.compiler.plugin.ComponentRegistrar - java.lang.RuntimeException: Inner-zip - could not find ZIP magic number: C:\Users\XYZ\AppData\Roaming\JetBrains\IntelliJIdea2020.2\plugins\Kotlin\kotlinc\lib\allopen-compiler-plugin.jar!/META-INF/services/org.jetbrains.kotlin.compiler.plugin.ComponentRegistrar

Snippet from method fileType:

} else if ("zip".equalsIgnoreCase(suffix)
    || "jpi".equalsIgnoreCase(suffix)
    || "hpi".equalsIgnoreCase(suffix)
    || suffix.endsWith("ar")) {
  return 0;
}

.gwtar seems to be some proprietary file of GWT, maybe similar to a .class file (haven't had the time to research that up to now) ... ComponentRegistrar is obviously not a ZIP.

So the detection of file suffixes which are regarded as ZIP needs to be refined I think ...

phbreitbach commented 2 years ago

I tried the following as a first quick fix to see further occurrences:

} else if ("zip".equalsIgnoreCase(suffix)
    || "jpi".equalsIgnoreCase(suffix)
    || "hpi".equalsIgnoreCase(suffix)
    || (suffix.length() <= 4 && suffix.endsWith("ar"))) {
  return 0;
}

Here are some more examples which still can't be handled as ZIP (I don't currently know for each whether they should be):

Problem: C:\oracle\Middleware\forms_builder\oracle_common\jdk\utl\jdk.zip!/jdk/oracle_jdk_install/Components/XML/oracle.jdk.var - java.lang.RuntimeException: Inner-zip - could not find ZIP magic number: C:\oracle\Middleware\forms_builder\oracle_common\jdk\utl\jdk.zip!/jdk/oracle_jdk_install/Components/XML/oracle.jdk.var
Problem: C:\oracle\Middleware\forms_builder\RDBMS\ADMIN\spuexp.par - Not actually a zip!?! (no magic number)
Problem: C:\Program Files\GIMP 2\32\lib\python2.7\test\testtar.tar - Not actually a zip!?! (no magic number)
Problem: C:\Program Files (x86)\UiPath\Studio\AgentDesktop\resources\app.asar - Not actually a zip!?! (no magic number)
Problem: C:\Program Files (x86)\WinSCP\Translations\WinSCP.ar - Not actually a zip!?! (no magic number)
Some foo.bar file

I guess .var, .asar and .ar should definitely not be treated as ZIP. I'm not sure about .par and .tar ...
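An added example (not log4j-detector's code and not from the issue author) of the refinement discussed in the two comments above: a strict suffix allow-list combined with a check of the ZIP magic number, so names like User.gwtar or a services file called ComponentRegistrar are never opened as archives. The class name, the contents of the allow-list and Java 11+ (for Set.of and readNBytes) are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper (not log4j-detector's code): treat a name as a ZIP candidate only
// if its suffix is on a strict allow-list, then confirm with the ZIP magic number before
// recursing, instead of the broad suffix.endsWith("ar") test quoted in the issue.
public final class ArchiveSniffer {
    // Assumed allow-list of suffixes that are ZIP containers in practice; .gwtar, .var,
    // .asar, .ar, .tar, .par and suffix-less names like ComponentRegistrar fall through.
    private static final Set<String> ZIP_SUFFIXES =
            Set.of("zip", "jar", "war", "ear", "sar", "rar", "aar", "jpi", "hpi");
    // "PK\003\004" begins a ZIP with entries; "PK\005\006" begins an empty ZIP.
    private static final byte[] PK_LOCAL = {0x50, 0x4B, 0x03, 0x04};
    private static final byte[] PK_EMPTY = {0x50, 0x4B, 0x05, 0x06};

    /** Lower-cased text after the last '.', or "" when the name has no suffix. */
    static String suffixOf(String name) {
        int dot = name.lastIndexOf('.');
        return dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** Cheap name-based pre-filter: only allow-listed suffixes are candidates. */
    static boolean candidateByName(String name) {
        return ZIP_SUFFIXES.contains(suffixOf(name));
    }

    /** Content check: peek at the first four bytes; false on short or non-ZIP input. */
    static boolean hasZipMagic(InputStream in) throws IOException {
        byte[] head = in.readNBytes(4);
        return Arrays.equals(head, PK_LOCAL) || Arrays.equals(head, PK_EMPTY);
    }

    /** Open as a ZIP only when both the name and the leading bytes agree. */
    static boolean shouldOpenAsZip(String name, InputStream in) throws IOException {
        return candidateByName(name) && hasZipMagic(in);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs: a ZIP local-header prefix and a plain-text services file.
        byte[] zipHead = {0x50, 0x4B, 0x03, 0x04, 0x14, 0x00};
        byte[] text = "org.example.Plugin\n".getBytes(StandardCharsets.UTF_8);
        System.out.println(shouldOpenAsZip("lib/foo.jar", new ByteArrayInputStream(zipHead)));
        System.out.println(shouldOpenAsZip("com/google/gwt/user/User.gwtar", new ByteArrayInputStream(text)));
        System.out.println(shouldOpenAsZip("META-INF/services/ComponentRegistrar", new ByteArrayInputStream(text)));
    }
}
```

Because the magic-number check runs only for allow-listed names, the "could not find ZIP magic number" RuntimeException path is never reached for files like .gwtar or .var, while a renamed archive with an allow-listed suffix but non-ZIP content is skipped rather than reported as an error.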

phbreitbach commented 2 years ago

Also it seems to me wildcards cannot be used in --exclude - this would help with this issue as one could specify

--exclude=*.var;*.asar;*\testtar.tar ...

(not the supported syntax just to get the idea). Maybe an idea for an alternate solution ...