add --no-follow-symlinks
breadchris committed Dec 17, 2021
1 parent ccd10e6 commit b654be5
Showing 5 changed files with 29 additions and 5 deletions.
7 changes: 7 additions & 0 deletions tools/log4shell/README.md
Expand Up @@ -48,6 +48,13 @@ You can disable these by passing `--ignore-warnings`.
$ log4shell scan --ignore-warnings <dir1> <dir2> ...
```

It can be common to run into symlink'ed jar files, and by default they are resolved. To not have this happen
use the `--no-follow-symlinks` flag.

```shell
$ log4shell scan --no-follow-symlinks <dir1> <dir2> ...
```

You may exclude subdirectories while searching by using `--exclude`. This can be used multiple times in the command to
exclude multiple subdirectories.

2 changes: 1 addition & 1 deletion tools/log4shell/commands/analyze.go
Expand Up @@ -28,7 +28,7 @@ func AnalyzeCommand(c *cli.Context, globalBoolFlags map[string]bool) error {

processArchiveFile := analyze.ProcessArchiveFile

scanner := scan.NewLog4jDirectoryScanner([]string{}, false, processArchiveFile)
scanner := scan.NewLog4jDirectoryScanner([]string{}, false, false, processArchiveFile)

scannerFindings := scanner.Scan(searchDirs)

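Review bot: The new call passes two adjacent bare booleans, `false, false`, so a reader cannot tell which is onlyScanArchives and which is noFollowSymlinks without opening scan.go; naming them keeps the positional call self-describing, e.g. `onlyScanArchives, noFollowSymlinks := false, false` followed by `scanner := scan.NewLog4jDirectoryScanner([]string{}, onlyScanArchives, noFollowSymlinks, processArchiveFile)`. It also makes visible that the analyze command always follows symlinks, since unlike ScanCommand it exposes no flag for it, which may be intended but is worth a comment. AnalyzeCommand begins and ends outside the hunk.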
10 changes: 8 additions & 2 deletions tools/log4shell/commands/scan.go
Expand Up @@ -23,7 +23,11 @@ import (
"github.com/urfave/cli/v2"
)

func loadHashLookup(log4jLibraryHashes []byte, versionHashes string, onlyScanArchives bool) (hashLookup types.VulnerableHashLookup, err error) {
func loadHashLookup(
log4jLibraryHashes []byte,
versionHashes string,
onlyScanArchives bool,
) (hashLookup types.VulnerableHashLookup, err error) {
if versionHashes != "" {
hashLookup, err = scan.LoadVersionHashesFromFile(versionHashes)
if err != nil {
Expand Down Expand Up @@ -59,6 +63,7 @@ func ScanCommand(c *cli.Context, globalBoolFlags map[string]bool, log4jLibraryHa
onlyScanArchives := c.Bool("archives")
excludeDirs := c.StringSlice("exclude")
versionHashes := c.String("version-hashes")
noFollowSymlinks := c.Bool("no-follow-symlinks")

hashLookup, err := loadHashLookup(log4jLibraryHashes, versionHashes, onlyScanArchives)
if err != nil {
Expand All @@ -67,7 +72,8 @@ func ScanCommand(c *cli.Context, globalBoolFlags map[string]bool, log4jLibraryHa

processArchiveFile := scan.IdentifyPotentiallyVulnerableFiles(scanLog4j1, hashLookup)

scanner := scan.NewLog4jDirectoryScanner(excludeDirs, onlyScanArchives, processArchiveFile)
scanner := scan.NewLog4jDirectoryScanner(
excludeDirs, onlyScanArchives, noFollowSymlinks, processArchiveFile)

scannerFindings := scanner.Scan(searchDirs)

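Review bot: The flag name `"no-follow-symlinks"` at the new c.Bool line is a second copy of the literal that main.go registers on its BoolFlag; if the two ever drift, c.Bool on a name that was never registered yields false (as far as I recall urfave/cli's lookup behaviour) rather than an error, and symlinks would quietly be followed again. A package-level `const noFollowSymlinksFlag = "no-follow-symlinks"` shared by the BoolFlag definition and this lookup removes that failure mode; the neighbouring "archives", "exclude" and "version-hashes" lookups have the same shape and could share the treatment. ScanCommand starts and ends outside the hunk.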
4 changes: 4 additions & 0 deletions tools/log4shell/main.go
Expand Up @@ -120,6 +120,10 @@ func main() {
Name: "ignore-warnings",
Usage: "Do not display warnings, only show findings.",
},
&cli.BoolFlag{
Name: "no-follow-symlinks",
Usage: "Disable the resolution of symlinks while scanning. Note: symlinks might resolve to files outside of the included directories and so this option might be useful if you strictly want to search in said directories.",
},
&cli.BoolFlag{
Name: "json",
Usage: "Display findings in json format.",
11 changes: 9 additions & 2 deletions tools/log4shell/scan/scan.go
Expand Up @@ -35,13 +35,20 @@ type Log4jVulnerableDependencyScanner interface {
type Log4jDirectoryScanner struct {
excludeDirs []string
onlyScanArchives bool
noFollowSymlinks bool
processArchiveFile types.ProcessArchiveFile
}

func NewLog4jDirectoryScanner(excludeDirs []string, onlyScanArchives bool, processArchiveFile types.ProcessArchiveFile) Log4jVulnerableDependencyScanner {
func NewLog4jDirectoryScanner(
excludeDirs []string,
onlyScanArchives bool,
noFollowSymlinks bool,
processArchiveFile types.ProcessArchiveFile,
) Log4jVulnerableDependencyScanner {
return &Log4jDirectoryScanner{
excludeDirs: excludeDirs,
onlyScanArchives: onlyScanArchives,
noFollowSymlinks: noFollowSymlinks,
processArchiveFile: processArchiveFile,
}
}
Expand Down Expand Up @@ -79,7 +86,7 @@ func (s *Log4jDirectoryScanner) Scan(
return
}

if info.Mode() & os.ModeSymlink != 0 {
if !s.noFollowSymlinks && info.Mode() & os.ModeSymlink != 0 {
// overwrite path and info with the resolved symlink file values
path, info, err = util.ResolveSymlinkFilePathAndInfo(path)
if err != nil {
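Review bot: With --no-follow-symlinks set, the changed condition only skips resolving the link: `path` still names the symlink and `info` is the link's own Lstat result, and the callback carries on into whatever follows the hunk, so if that code opens `path` the OS follows the link anyway and a jar outside the scanned roots can still be read. That would contradict the Usage text added in main.go and the README paragraph, which both present the flag as a way to stay strictly inside the given directories. Skipping the entry outright when the flag is set closes the gap; the sketch below assumes the callback returns an error in the filepath.WalkFunc style (its signature is outside the hunk) and also applies gofmt spacing to the mask test, which the new line leaves as `info.Mode() & os.ModeSymlink`.
```go
if info.Mode()&os.ModeSymlink != 0 {
	if s.noFollowSymlinks {
		// do not process the link at all; its target may lie outside the scanned directories
		return nil
	}
	// overwrite path and info with the resolved symlink file values
	path, info, err = util.ResolveSymlinkFilePathAndInfo(path)
	// … unchanged: error check and the rest of the callback …
```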
