
Asterisk (star character) expansion reveals folder structure #3526

Closed
Eccenux opened this issue Mar 10, 2025 · 3 comments

Comments


Eccenux commented Mar 10, 2025

Description

Seems like a star character ("*") is expanded into a directory listing. Might be a security I guess, but I don't think so. It's definitely an annoyance.

Configuration

Version: 2.24.3
[INFO] +- org.apache.logging.log4j:log4j-slf4j2-impl:jar:2.24.3:compile
[INFO] | +- (org.apache.logging.log4j:log4j-api:jar:2.24.3:compile - omitted for duplicate)
[INFO] | +- org.slf4j:slf4j-api:jar:2.0.16:compile
[INFO] | - (org.apache.logging.log4j:log4j-core:jar:2.24.3:runtime - omitted for duplicate)

Operating system: Ubuntu 22.04.4 LTS
(also happens on a different test server with later Ubuntu 22.04)
(on Windows11 it seems fine)

JDK: Adoptium JDK: OpenJDK Runtime Environment Temurin-17.0.6+10 (build 17.0.6+10)
(same on later Adoptium build: 17.0.11+9)

Logs

Expected log

2025-03-10 15:50:56.0374 INFO : com.e.cor.privateservice.HiddenEntryScheduler Initialized cron for index-sync: \
12 34 22 \
* * * (nux)

Actual log contains directory listing:

2025-03-10 12:46:09.0969 INFO : com.e.cor.privateservice.HiddenEntryScheduler Initialized cron for index-sync: \
12 34 22 \
bin BUILDING.txt conf CONTRIBUTING.md ... \
bin BUILDING.txt conf CONTRIBUTING.md ... \
bin BUILDING.txt conf CONTRIBUTING.md ... (nux)

This varies from server to server, but might be a /root/ listing (on some test VMs) or tomcat directory listing (as in the example above).

Reproduction

A minimized code (from actual service code):

package com.example.core.privateservice;

import javax.annotation.PostConstruct;
import org.springframework.stereotype.Component;
import org.springframework.beans.factory.annotation.Value;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component
public class HiddenEntryScheduler {
	private static final Logger LOG = LoggerFactory.getLogger(HiddenEntryScheduler.class);

	// daily (late evening)
	//@Value("${cron.hiddenentry.sync.cron:Rand60 Rand60 22 * * *}")
	@Value("${cron.hiddenentry.sync.cron:12 34 22 * * *}")
	private String cronExpression;

	@PostConstruct
	private void initialize() {
		String tenant = "nux";
		String dynamicCronExpression;
		dynamicCronExpression = cronExpression;
		LOG.info("Initialized cron for index-sync: {} ({})", dynamicCronExpression, tenant);
	}
}

Actual code is not much larger. Normally "Rand60" seen in the comment is dynamically replaced with a random number between 0-60.

But effectively that should simply be:

	private static final Logger LOG = LoggerFactory.getLogger(HiddenEntryScheduler.class);
	@PostConstruct
	private void initialize() {
		LOG.info("Initialized cron for index-sync: 12 34 22 * * * (nux)");
	}

Additional notes

I did try to add the old NoLookups thing, but that didn't help:

System.setProperty("log4j2.formatMsgNoLookups", "true");

I'm not quite sure if the option is still relevant. Looking at current code it doesn't seem like it is. Some docs still mention m{lookups}:
https://logging.apache.org/log4j/2.x/manual/pattern-layout.html#converter-message

I did also check and the @Value does not expand the asterisk/star. When I do this:

LOG.info("Initialized cron for index-sync: {} ({})", dynamicCronExpression.replace("*", "[any]"), tenant);

The message is:

2025-03-10 14:51:49.0943 INFO : com.e.cor.privateservice.HiddenEntryScheduler Initialized cron for index-sync: \
12 34 22 \
[any] [any] [any] (nux)
ppkarwasz (Contributor) commented

@Eccenux,

Can you add your Log4j Core configuration file? Are you using a custom layout? Is the standard output of your application directly connected to a terminal or is it interpreted by a shell?

Standard Log4j Core layouts and message factories do not expand * globs in either the message format or the parameters. However, this does not exclude the possibility of a third-party layout doing that.

> Seems like a star character ("*") is expanded into a directory listing. Might be a security I guess, but I don't think so. It's definitely an annoyance.

Whenever you suspect that a bug might be a security vulnerability, please follow our vulnerability reporting process instead of opening public PRs.

Your bug is not reproducible using PatternLayout (which is what you probably use), but if it was reproducible it would be a mild vulnerability.

@ppkarwasz ppkarwasz added waiting-for-user More information is needed from the user and removed waiting-for-maintainer labels Mar 10, 2025
Eccenux (Author) commented Mar 11, 2025

Sorry for the mix up. It was in fact a problem with 3rd party service / script used in some CI tools. So like you suggested the output was passed through a script and the star was expanded on the way. Thankfully only during startup.

@Eccenux Eccenux closed this as completed Mar 11, 2025
@github-actions github-actions bot added waiting-for-maintainer and removed waiting-for-user More information is needed from the user labels Mar 11, 2025
ppkarwasz (Contributor) commented

> Sorry for the mix up. It was in fact a problem with 3rd party service / script used in some CI tools. So like you suggested the output was passed through a script and the star was expanded on the way. Thankfully only during startup.

I am glad you found the culprit before it could do some damage! 💯
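As an added example (not part of this issue or of Log4j), the following POSIX shell script reproduces the failure mode the reporter identified: a wrapper script that re-emits log output through an unquoted variable, so each `*` in the cron expression undergoes pathname expansion against the script's working directory, next to the quoted form that forwards the line intact. The log line and the file names in the scratch directory are constructed.

```shell
#!/bin/sh
# Added example: how an unquoted variable in a log-forwarding script turns
# "12 34 22 * * *" into a directory listing, and how quoting prevents it.

# Constructed sample log line, mirroring the expected log in the issue.
LOG_LINE='2025-03-10 15:50:56.0374 INFO : HiddenEntryScheduler Initialized cron for index-sync: 12 34 22 * * * (nux)'

# Vulnerable pattern: the unquoted $line is subject to word splitting and then
# pathname (glob) expansion, so every "*" becomes the contents of the cwd.
forward_unquoted() {
    line=$1
    echo $line
}

# Fixed pattern: double quotes suppress both word splitting and glob expansion,
# so the line is forwarded byte-for-byte ("set -f" would be a second safety net).
forward_quoted() {
    line=$1
    printf '%s\n' "$line"
}

# Demonstration in a scratch directory with constructed file names, so the
# expansion is visible and deterministic regardless of where the script runs.
demo_dir=$(mktemp -d)
touch "$demo_dir/bin" "$demo_dir/conf" "$demo_dir/BUILDING.txt"
cd "$demo_dir" || exit 1
unquoted=$(forward_unquoted "$LOG_LINE")   # contains "BUILDING.txt bin conf" x3
quoted=$(forward_quoted "$LOG_LINE")       # identical to LOG_LINE
cd / && rm -rf "$demo_dir"

echo "unquoted: $unquoted"
echo "quoted:   $quoted"
```

The same check applies to any CI helper that does `echo $output` or passes captured log text as an unquoted argument: grep the script for unquoted expansions, or run it with `set -f` to disable globbing entirely.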
