Skip to content

Commit c0e077b

Browse files
wdblairwdblair
committed
[GR-35915] Search for vulnerable log4j libraries in native images
PullRequest: graal/10704
2 parents 845231e + 669862b commit c0e077b

File tree

1 file changed

+203
-0
lines changed

1 file changed

+203
-0
lines changed

substratevm/src/com.oracle.svm.hosted/src/com/oracle/svm/hosted/Log4ShellFeature.java

Lines changed: 203 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,203 @@
1+
/*
2+
* Copyright (c) 2021, 2022, Oracle and/or its affiliates. All rights reserved.
3+
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4+
*
5+
* This code is free software; you can redistribute it and/or modify it
6+
* under the terms of the GNU General Public License version 2 only, as
7+
* published by the Free Software Foundation. Oracle designates this
8+
* particular file as subject to the "Classpath" exception as provided
9+
* by Oracle in the LICENSE file that accompanied this code.
10+
*
11+
* This code is distributed in the hope that it will be useful, but WITHOUT
12+
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13+
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14+
* version 2 for more details (a copy is included in the LICENSE file that
15+
* accompanied this code).
16+
*
17+
* You should have received a copy of the GNU General Public License version
18+
* 2 along with this work; if not, write to the Free Software Foundation,
19+
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20+
*
21+
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22+
* or visit www.oracle.com if you need additional information or have any
23+
* questions.
24+
*/
25+
package com.oracle.svm.hosted;
26+
27+
import java.io.InputStream;
28+
import java.io.IOException;
29+
import java.lang.reflect.Method;
30+
import java.net.URISyntaxException;
31+
import java.net.URL;
32+
import java.nio.file.Files;
33+
import java.nio.file.FileSystem;
34+
import java.nio.file.FileSystems;
35+
import java.nio.file.Path;
36+
import java.nio.file.Paths;
37+
import java.util.HashSet;
38+
import java.util.Set;
39+
import java.util.Optional;
40+
import java.util.Properties;
41+
import java.util.stream.Stream;
42+
import java.security.CodeSource;
43+
import java.security.ProtectionDomain;
44+
45+
import org.graalvm.nativeimage.hosted.Feature;
46+
47+
import com.oracle.svm.core.annotate.AutomaticFeature;
48+
49+
/**
50+
* A feature that detects whether a native image may be vulnerable to Log4Shell.
51+
*
52+
* This feature first checks whether a vulnerable version of log4j is present in the native image.
53+
* If a vulnerable version is detected, the feature will then check whether any vulnerable methods
54+
* are reachable.
55+
*/
56+
@AutomaticFeature
57+
public class Log4ShellFeature implements Feature {
58+
private static final String log4jClassName = "org.apache.logging.log4j.Logger";
59+
private static final String log4jVulnerableErrorMessage = "Warning: A vulnerable version of log4j has been detected. Please update to log4j version 2.17.1 or later.%nVulnerable Method(s):";
60+
private static final String log4jUnknownVersion = "Warning: The log4j library has been detected, but the version is unavailable. Due to Log4Shell, please ensure log4j is at version 2.17.1 or later.";
61+
62+
/* Different versions of log4j overload all these methods. */
63+
private static final Set<String> targetMethods = Set.of("debug", "error", "fatal", "info", "log", "trace", "warn");
64+
65+
private static void warn(String warning) {
66+
System.err.println(warning);
67+
}
68+
69+
private static Optional<String> getPomVersion(Class<?> log4jClass) {
70+
ProtectionDomain pd = log4jClass.getProtectionDomain();
71+
CodeSource cs = pd.getCodeSource();
72+
73+
if (cs == null) {
74+
return Optional.empty();
75+
}
76+
URL location = cs.getLocation();
77+
if (location == null) {
78+
return Optional.empty();
79+
}
80+
81+
try {
82+
ClassLoader nullClassLoader = null;
83+
FileSystem jarFileSystem = FileSystems.newFileSystem(Paths.get(location.toURI()), nullClassLoader);
84+
Stream<Path> files = Files.walk(jarFileSystem.getPath("/META-INF"));
85+
return files.filter(file -> file.endsWith("pom.properties"))
86+
.map(file -> {
87+
Properties properties = new Properties();
88+
try {
89+
InputStream inputStream = Files.newInputStream(file);
90+
if (inputStream != null) {
91+
properties.load(inputStream);
92+
}
93+
} catch (IOException ex) {
94+
/* Skip over properties we cannot read. */
95+
}
96+
return properties;
97+
})
98+
.filter(properties -> {
99+
String groupId = properties.getProperty("groupId");
100+
String artifactId = properties.getProperty("artifactId");
101+
return "org.apache.logging.log4j".equals(groupId) && "log4j-core".equals(artifactId);
102+
})
103+
.map(properties -> properties.getProperty("version"))
104+
.findFirst();
105+
} catch (IOException ex) {
106+
/* We encountered an IO error while looking up the log4j jar file's version. */
107+
} catch (URISyntaxException ex) {
108+
/* Obtaining a Path from the log4j jar file URL failed. */
109+
}
110+
111+
return Optional.empty();
112+
}
113+
114+
private static boolean vulnerableLog4jOne(String[] components) {
115+
String minor = components[1];
116+
if ("2".equals(minor)) {
117+
return true;
118+
}
119+
return false;
120+
}
121+
122+
private static boolean vulnerableLog4jTwo(String[] components) {
123+
/* Every minor version since 0 is vulnerable to an exploit. */
124+
String minor = components[1];
125+
126+
/* Recognize alpha and beta builds. */
127+
if (minor.charAt(0) == '0') {
128+
return true;
129+
}
130+
131+
try {
132+
int minorVersion = Integer.valueOf(minor);
133+
if (minorVersion <= 16) {
134+
return true;
135+
}
136+
137+
if (components.length == 3) {
138+
int patchVersion = Integer.valueOf(components[2]);
139+
if (minorVersion == 17 && patchVersion == 0) {
140+
return true;
141+
}
142+
}
143+
} catch (NumberFormatException ex) {
144+
warn(log4jUnknownVersion);
145+
}
146+
147+
return false;
148+
}
149+
150+
@Override
151+
public void afterAnalysis(AfterAnalysisAccess access) {
152+
Class<?> log4jClass = access.findClassByName(log4jClassName);
153+
154+
if (log4jClass == null) {
155+
return;
156+
}
157+
158+
Package log4jPackage = log4jClass.getPackage();
159+
String version = log4jPackage.getImplementationVersion();
160+
161+
if (version == null) {
162+
Optional<String> pomVersion = getPomVersion(log4jClass);
163+
if (pomVersion.isPresent()) {
164+
version = pomVersion.get();
165+
}
166+
}
167+
168+
/* We were unable to get the version, do not risk raising a false positive. */
169+
if (version == null) {
170+
warn(log4jUnknownVersion);
171+
return;
172+
}
173+
174+
String[] components = version.split("\\.");
175+
176+
/* Something is wrong with the version string, stop here. */
177+
if (components.length < 2) {
178+
warn(log4jUnknownVersion);
179+
return;
180+
}
181+
182+
Set<String> vulnerableMethods = new HashSet<>();
183+
184+
if (("1".equals(components[0]) && vulnerableLog4jOne(components)) || ("2".equals(components[0]) && vulnerableLog4jTwo(components))) {
185+
for (Method method : log4jClass.getMethods()) {
186+
String methodName = method.getName();
187+
if (targetMethods.contains(methodName) && (access.isReachable(method) || (access.reachableMethodOverrides(method).size() > 0))) {
188+
vulnerableMethods.add(method.getDeclaringClass().getName() + "." + method.getName());
189+
}
190+
}
191+
}
192+
193+
if (vulnerableMethods.size() == 0) {
194+
return;
195+
}
196+
197+
StringBuilder renderedErrorMessage = new StringBuilder(String.format(log4jVulnerableErrorMessage));
198+
for (String method : vulnerableMethods) {
199+
renderedErrorMessage.append(System.lineSeparator() + method);
200+
}
201+
warn(renderedErrorMessage.toString());
202+
}
203+
}

0 commit comments

Comments
 (0)