Also inspecting packaged jar and war in folders

Author: Johannes Spaeth

pom.xml

@@ -7,7 +7,7 @@
 
   <groupId>de.codeshield.log4shell</groupId>
   <artifactId>Log4JDetector</artifactId>
-  <version>0.2</version>
+  <version>0.3</version>
 
   <name>cve-2021-44228-detector</name>
   <url>http://www.codeshield.io</url>
@@ -30,7 +30,11 @@
       <artifactId>maven-model</artifactId>
       <version>3.8.4</version>
     </dependency>
-
+    <dependency>
+      <groupId>commons-io</groupId>
+      <artifactId>commons-io</artifactId>
+      <version>2.11.0</version>
+    </dependency>
     <!-- https://mvnrepository.com/artifact/org.apache.maven/maven-project -->
     <dependency>
       <groupId>org.apache.maven</groupId>

src/main/java/de/codeshield/log4jshell/Log4JDetector.java

@@ -1,10 +1,18 @@
 package de.codeshield.log4jshell;
 
+import java.io.BufferedInputStream;
+import java.io.BufferedOutputStream;
 import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
 import java.io.IOException;
+import java.util.Collection;
 import java.util.Enumeration;
 import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
+import org.apache.commons.io.FileUtils;
+import org.apache.commons.io.filefilter.DirectoryFileFilter;
+import org.apache.commons.io.filefilter.RegexFileFilter;
 
 /**
  * A simple command line tool that scans a jar file for the CVE-2021-44228 vulnerability that
@@ -14,49 +22,108 @@ public class Log4JDetector {
 
   private static final String POM_FILE = "pom.xml";
   private static final String CLASS_FILE_NAME = ".class";
+  private static final String JAR_FILE = ".jar";
+  private static final String WAR_FILE = ".war";
 
-  public static void main(String[] args) {
-    System.out.println("Analysing "+ args[0]);
+  public static void main(String[] args) throws IOException {
+    System.out.println("Analysing " + args[0]);
     File inputJarFile = new File(args[0]);
     if (!inputJarFile.exists()) {
-      System.err.println("The file path " + args[0] + " does not exist. Ensure it is an absolute file paths");
+      System.err.println(
+          "The file path " + args[0] + " does not exist. Ensure it is an absolute file paths");
       return;
     }
     Log4JDetector detector = new Log4JDetector();
-    detector.run(inputJarFile);
+    detector.run(args[0]);
   }
 
-  public boolean run(File pathToJarFile) {
-    JarFile jarFile = null;
-    boolean isVulnerable = false;
-    try {
-      jarFile = new JarFile(pathToJarFile);
-      Enumeration<JarEntry> entries = jarFile.entries();
-      while (entries.hasMoreElements()) {
-        JarEntry entry = entries.nextElement();
-        //Check pom.xml files if a log4j dependency is declared
-        if (entry.getName().endsWith(Log4JDetector.POM_FILE)) {
-          if (POMDetector.isVulnerablePOM(jarFile.getInputStream(entry))) {
-            isVulnerable = true;
-            System.err.println("CVE-2021-44228 found declared as dependency in " + entry);
+  //Taken from https://stackoverflow.com/questions/981578/how-to-unzip-files-recursively-in-java/7108813#7108813
+  public static String extractFolder(String zipFile) throws IOException {
+    int buffer = 2048;
+    File file = new File(zipFile);
+    String newPath = zipFile.substring(0, zipFile.length() - 4);
+
+    try (JarFile zip = new JarFile(file)) {
+
+      new File(newPath).mkdir();
+      Enumeration<JarEntry> zipFileEntries = zip.entries();
+
+      // Process each entry
+      while (zipFileEntries.hasMoreElements()) {
+        // grab a zip file entry
+        JarEntry entry = zipFileEntries.nextElement();
+        String currentEntry = entry.getName();
+        File destFile = new File(newPath, currentEntry);
+        File destinationParent = destFile.getParentFile();
+
+        // create the parent directory structure if needed
+        destinationParent.mkdirs();
+
+        if (!entry.isDirectory()) {
+          BufferedInputStream is = new BufferedInputStream(zip.getInputStream(entry));
+          int currentByte;
+          // establish buffer for writing file
+          byte[] data = new byte[buffer];
+
+          // write the current file to disk
+          FileOutputStream fos = new FileOutputStream(destFile);
+          try (BufferedOutputStream dest = new BufferedOutputStream(fos, buffer)) {
+
+            // read and write until last byte is encountered
+            while ((currentByte = is.read(data, 0, buffer)) != -1) {
+              dest.write(data, 0, currentByte);
+            }
+            dest.flush();
+            is.close();
           }
         }
-        //Check if a a class file matches one of the pre-computed vulnerable SHAs.
-        if (entry.getName().endsWith(Log4JDetector.CLASS_FILE_NAME)) {
-          if (ClassDetector.isVulnerableClass(jarFile.getInputStream(entry))) {
-            isVulnerable = true;
-            System.err.println("CVE-2021-44228 found in class file " + entry);
-          }
+
+        if (currentEntry.endsWith(WAR_FILE) || currentEntry.endsWith(JAR_FILE)) {
+          // found a zip file, try to open
+          extractFolder(destFile.getAbsolutePath());
         }
       }
-    } catch (IOException e) {
-      System.err.println("Unable to open JarFile");
     }
-    if(!isVulnerable){
+    return newPath;
+  }
+
+  public boolean run(String pathToJarFile) throws IOException {
+    String folder = extractFolder(pathToJarFile);
+    Collection<File> pomFiles = FileUtils.listFiles(
+        new File(folder),
+        new RegexFileFilter("^(pom.xml)"),
+        DirectoryFileFilter.DIRECTORY
+    );
+    boolean isVulnerable = false;
+    for (File pomFile : pomFiles) {
+      try (FileInputStream is = new FileInputStream(pomFile)) {
+        //Check if a pom file matches one of the pre-computed groupId:artifactId:version
+        if (POMDetector.isVulnerablePOM(is)) {
+          isVulnerable = true;
+          System.err.println("CVE-2021-44228 found declared as dependency in " + pomFile);
+        }
+      }
+    }
+    Collection<File> classFiles = FileUtils.listFiles(
+        new File(folder),
+        new RegexFileFilter(".*.class$"),
+        DirectoryFileFilter.DIRECTORY
+    );
+
+    for (File pomFile : classFiles) {
+      try (FileInputStream is = new FileInputStream(pomFile)) {
+        //Check if a class file matches one of the pre-computed vulnerable SHAs.
+        if (ClassDetector.isVulnerableClass(is)) {
+          isVulnerable = true;
+          System.err.println("CVE-2021-44228 found declared as dependency in " + pomFile);
+        }
+      }
+    }
+    if (!isVulnerable) {
       System.out.println("Jar file not affected by CVE-2021-44228!");
     }
+    FileUtils.deleteDirectory(new File(folder));
     return isVulnerable;
   }
 
-
 }

src/test/java/de/codeshield/log4jshell/Log4JDetectorTests.java

@@ -9,25 +9,25 @@
 import java.net.URL;
 import org.junit.Test;
 
-public class Log4JDetectorTests
-{
-    @Test
-    public void checkVulnerables() throws IOException, URISyntaxException {
-      assertTrue(checkResourceFile("/en16931-xml-validator-2.0.0-b2-jar-with-dependencies.jar"));
-      assertTrue(checkResourceFile("/log4j-core-2.12.1.jar"));
-      assertTrue(checkResourceFile("/log4j-core-2.14.1.jar"));
-    }
+public class Log4JDetectorTests {
 
-    @Test
-    public void checkSecure() throws IOException, URISyntaxException {
-      assertFalse(checkResourceFile("/spring-boot-2.5.7.jar") );
-      assertFalse(checkResourceFile("/log4j-core-2.15.0.jar"));
-    }
+  @Test
+  public void checkVulnerables() throws IOException, URISyntaxException {
+    assertTrue(checkResourceFile("/en16931-xml-validator-2.0.0-b2-jar-with-dependencies.jar"));
+    assertTrue(checkResourceFile("/log4j-core-2.12.1.jar"));
+    assertTrue(checkResourceFile("/log4j-core-2.14.1.jar"));
+  }
 
-    private boolean checkResourceFile(String url) throws IOException, URISyntaxException {
-      URL resource = Log4JDetectorTests.class.getResource(url);
+  @Test
+  public void checkSecure() throws IOException, URISyntaxException {
+    assertFalse(checkResourceFile("/spring-boot-2.5.7.jar"));
+    assertFalse(checkResourceFile("/log4j-core-2.15.0.jar"));
+  }
 
-      Log4JDetector detector = new Log4JDetector();
-      return detector.run(new File(resource.toURI()));
-    }
+  private boolean checkResourceFile(String url) throws IOException, URISyntaxException {
+    URL resource = Log4JDetectorTests.class.getResource(url);
+
+    Log4JDetector detector = new Log4JDetector();
+    return detector.run(new File(resource.toURI()).getAbsolutePath());
+  }
 }