wix / Detox

Gray box end-to-end testing and automation framework for mobile apps
https://wix.github.io/Detox/
MIT License

Is Detox affected by the log4j vulnerability? #3159

Closed TesterAuto closed 2 years ago

TesterAuto commented 2 years ago

Description

Hi, just want to confirm: it seems there's a dependency on log4j in the dependency bunyan, which is in the dependency list of Detox. Will Detox be affected by the log4j vulnerability? If yes, what should we do to stay away from the risk? Thanks!


asafkorem commented 2 years ago

@TesterAuto where have you seen log4j in the dependencies of bunyan?

d4vidi commented 2 years ago

@TesterAuto the question doesn't make a lot of sense IMO. Detox never goes out to production, it's just a tool that runs your apps automatically. In addition, I don't think there are too many ways where Detox could be attacked in build environments.

TesterAuto commented 2 years ago

> will Detox be affected by the log4j vulnerability?

> @TesterAuto where have you seen log4j in the dependencies of bunyan?

I am not quite familiar with Node and JS. I just found it in the keywords list of the package.json; not sure if this means it depends on it or if it's just a description keyword that has nothing to do with log4j. I have also submitted an issue to bunyan to confirm.

TesterAuto commented 2 years ago

> @TesterAuto the question doesn't make a lot of sense IMO. Detox never goes out to production, it's just a tool that runs your apps automatically. In addition, I don't think there are too many ways where Detox could be attacked in build environments.

Thanks for your clarification! I have a separate automation test project that includes a Detox package. If there's a chance my project is accessible from the internet, is there a risk of it being attacked via the log4j vulnerability (if Detox or its dependency really depends on log4j)?

mikehardy commented 2 years ago

Let's get concrete by searching - pulled the detox repo at current commit and doing a recursive grep of all text, minus references to log4javascript because that has nothing really to do with log4j does it?:

mike@bistromath:~/work/react-random/detox (master) % reset && grep -r log4j *|grep -v log4js|grep -v log4javascript

detox/node_modules/bunyan/package.json:    "log4j",
detox/node_modules/bunyan/README.md:All loggers must provide a "name". This is somewhat akin to the log4j logger
detox/node_modules/bunyan/README.md:                // `log.isEnabledFor(INFO)` in log4j.
detox/node_modules/bunyan/README.md:to a log4j Appender). Ultimately Bunyan uses a
detox/node_modules/bunyan/bin/bunyan:        // <http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/SimpleLayout.html>
detox/node_modules/bunyan/CHANGES.md:  to usage for a service. No need to differ from log4j Logger "name".
examples/demo-plugin/node_modules/bunyan/package.json:    "log4j",
examples/demo-plugin/node_modules/bunyan/README.md:All loggers must provide a "name". This is somewhat akin to the log4j logger
examples/demo-plugin/node_modules/bunyan/README.md:                // `log.isEnabledFor(INFO)` in log4j.
examples/demo-plugin/node_modules/bunyan/README.md:to a log4j Appender). Ultimately Bunyan uses a
examples/demo-plugin/node_modules/bunyan/bin/bunyan:        // <http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/SimpleLayout.html>
examples/demo-plugin/node_modules/bunyan/CHANGES.md:  to usage for a service. No need to differ from log4j Logger "name".
examples/demo-react-native/node_modules/react-native/ReactAndroid/src/test/java/com/facebook/react/modules/share/ShareModuleTest.java:  "org.apache.log4j.*"
mike@bistromath:~/work/react-random/detox (master) % 

So, you should definitely take this up with bunyan. They look like they might include it. You've done so, so that is good, but having read that issue, it does not appear you have done any actual investigation?

For a java project managed by gradle for dependencies, you can examine the dependencies directly by asking gradle to print them out: ./gradlew :app:dependencies > dependencies.txt in the android directory of your project.

I've done so for the react-native-firebase tests project (which uses Detox) and I'm attaching it here. log4j does not appear in the dependencies tree, which implies that projects that depend on Detox as their testing framework are not transitively vulnerable to any log4j issue.

So TL;DR: I don't think Detox creates any log4j problem in consumers

dependencies.txt.gz

On your bunyan issue you should investigate more deeply if possible. Check out the repository and actually search the full repo for log4j to see where + how it is maybe used. Ask gradle to show you the dependencies for it, to see if it is actually in there, and if so what version.
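A worked version of the two checks mikehardy describes above, added here as an example; it is not code from the Detox project or from anyone in this thread. The first check reads an npm package.json and reports whether a name such as "log4j" occurs only in the free-text "keywords" list (which is all the grep above found in bunyan) or in an actual dependency section. The second parses the text that `./gradlew :app:dependencies` prints and pulls out every org.apache.logging.log4j artifact with its resolved version. Both inputs below are constructed for the example: the package.json excerpt is modelled on bunyan's, and the gradle tree deliberately contains a log4j-core line that the attached react-native-firebase tree did not have, so that the version check has something to flag. The threshold 2.17.1 is the log4j 2.x release generally cited as the remediation target for CVE-2021-44228 and its follow-up CVEs.

```python
"""Tell a mention of "log4j" apart from a real dependency on it.

check 1: npm package.json  -> keyword hit vs. dependency hit
check 2: gradle dependency tree text -> log4j artifacts and versions
All sample inputs in this file are constructed for the example.
"""
import json
import re

NPM_DEP_SECTIONS = ("dependencies", "devDependencies",
                    "peerDependencies", "optionalDependencies")


def classify_npm_mentions(package_json_text, needle="log4j"):
    """Return where `needle` appears: in keywords (descriptive only) or in a
    dependency section (an actual package the project pulls in)."""
    pkg = json.loads(package_json_text)
    hits = {"keywords": [], "dependencies": []}
    for kw in pkg.get("keywords", []):
        if needle in kw.lower():
            hits["keywords"].append(kw)
    for section in NPM_DEP_SECTIONS:
        for name in pkg.get(section, {}):
            if needle in name.lower():
                hits["dependencies"].append(f"{section}:{name}")
    return hits


# Constructed excerpt modelled on the package.json the grep above hit:
# "log4j" is a keyword, not a dependency.
BUNYAN_LIKE_PACKAGE_JSON = """{
  "name": "bunyan",
  "keywords": ["log", "logging", "log4j", "json"],
  "dependencies": {},
  "optionalDependencies": {"dtrace-provider": "~0.8", "moment": "^2.19.3"}
}"""

# A gradle tree line looks like one of:
#   +--- group:name:2.14.1
#   |    \--- group:name:2.14.1 -> 2.17.1      (declared, resolved to newer)
#   \--- group:name -> 2.17.1 (*)               (version chosen by resolution)
GRADLE_LINE = re.compile(
    r"[+\\]---\s+(?P<group>[\w.\-]+):(?P<name>[\w.\-]+)"
    r"(?::(?P<declared>\S+))?(?:\s+->\s+(?P<resolved>\S+))?"
)
LOG4J_GROUP = "org.apache.logging.log4j"
LOG4SHELL_FIXED = (2, 17, 1)  # assumption: treat anything 2.x below this as needing an upgrade


def _version_tuple(v):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Non-numeric tails are dropped."""
    parts = []
    for piece in v.split("-")[0].split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def find_log4j(gradle_tree_text):
    """Return the distinct log4j artifacts in a gradle dependency tree, using the
    resolved version when gradle upgraded the declared one."""
    found, seen = [], set()
    for line in gradle_tree_text.splitlines():
        m = GRADLE_LINE.search(line)
        if not m or m.group("group") != LOG4J_GROUP:
            continue
        version = m.group("resolved") or m.group("declared")
        if version is None:
            continue
        key = (m.group("name"), version)
        if key in seen:
            continue
        seen.add(key)
        vt = _version_tuple(version)
        needs_upgrade = vt[:1] == (2,) and vt < LOG4SHELL_FIXED
        found.append({"artifact": m.group("name"), "version": version,
                      "needs_upgrade": needs_upgrade})
    return found


# Constructed gradle output; the log4j lines are NOT from the attached
# react-native-firebase tree, they are here so the checker has work to do.
GRADLE_SAMPLE = """releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
+--- com.facebook.react:react-native:0.66.4
|    \\--- com.squareup.okhttp3:okhttp:4.9.2
+--- org.apache.logging.log4j:log4j-core:2.14.1
|    \\--- org.apache.logging.log4j:log4j-api:2.14.1 -> 2.17.1
\\--- org.apache.logging.log4j:log4j-api -> 2.17.1 (*)
"""

if __name__ == "__main__":
    print(classify_npm_mentions(BUNYAN_LIKE_PACKAGE_JSON))
    for hit in find_log4j(GRADLE_SAMPLE):
        print(hit)
```

Point `classify_npm_mentions` at the real `node_modules/bunyan/package.json` and it reports a keyword hit and no dependency hit, which is the whole answer to the original question; feed `find_log4j` a saved `dependencies.txt` and an empty list means no log4j artifact is on the classpath at all, which is what the attached tree shows.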

d4vidi commented 2 years ago

Thanks again @mikehardy.

I take some of what I said back - I think vulnerability of Detox or other utils running on build agents might be mildly exploitable after all. That said, Detox doesn't seem to be on the log4j list, not even through bunyan.