Java: Cover CVE-2021-45046 in the Log4jJndiInjection query #7423
Conversation
|
What's going on with the removed model lines? Most seem to end with a I'd strongly recommend using an inline-expectation test rather than committing a 5,000 line expectation. |
No lines were removed, it's just that I renamed the sinks from
Yes, that was my intention, but the problem is that we can't reuse anything from the query in the test because it's in experimental, and I didn't want to duplicate everything in the test 😞 |
Are you sure? The first block for example adds 5 less lines than it removes? |
Note that, e.g. line 57 contains two rows in one line because of the change in formatting: https://github.com/github/codeql/pull/7423/files#diff-c87c9c5a74ba94cb105e161c4d11190f6ea16f301da6e98c2779209abb3196ccR57 |
|
Doh right, so it does! I guess we can take care of fixing the test on promotion if that ever comes... |
| "org.apache.logging.log4j;LogBuilder;true;log;(String,Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0..10];log4j", | ||
| "org.apache.logging.log4j;LogBuilder;true;log;(String,Supplier[]);;Argument[0..1];log4j", | ||
| "org.apache.logging.log4j;LogBuilder;true;log;(Supplier);;Argument[0];log4j", | ||
| // org.apache.logging.log4j.ThreadContet |
There was a problem hiding this comment.
There are also CloseableThreadContext and CloseableThreadContext.Instance, in case you want to cover them as well.
There was a problem hiding this comment.
Good catch @Marcono1234, thanks. See #7435.
This PR adds sinks and taint steps for covering the new attack vectors discovered in CVE-2021-45046.
Tests were added too.