Check reported security bugs in log4j-1.2-api

Author: ppkarwasz

log4j-1.2-api/src/main/java/org/apache/log4j/DefaultThrowableRenderer.java

@@ -24,6 +24,7 @@
 import java.io.StringWriter;
 import java.util.ArrayList;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.log4j.spi.ThrowableRenderer;
 
 /**
@@ -39,6 +40,10 @@ public final class DefaultThrowableRenderer implements ThrowableRenderer {
      * @param throwable throwable, may not be null.
      * @return string representation.
      */
+    @SuppressFBWarnings(
+            value = "INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE",
+            justification = "The throwable is formatted into a log file, which should be private."
+    )
     public static String[] render(final Throwable throwable) {
         final StringWriter sw = new StringWriter();
         final PrintWriter pw = new PrintWriter(sw);

log4j-1.2-api/src/main/java/org/apache/log4j/FileAppender.java

@@ -24,6 +24,7 @@
 import java.io.InterruptedIOException;
 import java.io.Writer;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.log4j.helpers.LogLog;
 import org.apache.log4j.helpers.QuietWriter;
 import org.apache.log4j.spi.ErrorCode;
@@ -248,6 +249,10 @@ public void setFile(final String file) {
      * @param fileName The path to the log file.
      * @param append If true will append to fileName. Otherwise will truncate fileName.
      */
+    @SuppressFBWarnings(
+            value = {"PATH_TRAVERSAL_IN", "PATH_TRAVERSAL_OUT"},
+            justification = "The file name comes from a configuration file."
+    )
     public synchronized void setFile(String fileName, boolean append, boolean bufferedIO, int bufferSize) throws IOException {
         LogLog.debug("setFile called: " + fileName + ", " + append);
 

log4j-1.2-api/src/main/java/org/apache/log4j/PropertyConfigurator.java

@@ -30,6 +30,7 @@
 import java.util.StringTokenizer;
 import java.util.Vector;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.log4j.bridge.FilterAdapter;
 import org.apache.log4j.config.Log4j1Configuration;
 import org.apache.log4j.config.PropertiesConfiguration;
@@ -356,6 +357,10 @@ public void doConfigure(final String fileName, final LoggerRepository loggerRepo
      * @param fileName The configuration file
      * @param loggerRepository The hierarchy
      */
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The filename comes from a system property."
+    )
     Configuration doConfigure(final String fileName, final LoggerRepository loggerRepository, final ClassLoader classLoader) {
         try (final InputStream inputStream = Files.newInputStream(Paths.get(fileName))) {
             return doConfigure(inputStream, loggerRepository, classLoader);

log4j-1.2-api/src/main/java/org/apache/log4j/RollingFileAppender.java

@@ -21,6 +21,7 @@
 import java.io.InterruptedIOException;
 import java.io.Writer;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.log4j.helpers.CountingQuietWriter;
 import org.apache.log4j.helpers.LogLog;
 import org.apache.log4j.helpers.OptionConverter;
@@ -107,6 +108,10 @@ public long getMaximumFileSize() {
      * created.
      * </p>
      */
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The filename comes from a system property."
+    )
     public // synchronization not necessary since doAppend is alreasy synched
     void rollOver() {
         File target;
@@ -182,6 +187,10 @@ void rollOver() {
         }
     }
 
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The file name comes from a configuration file."
+    )
     public synchronized void setFile(final String fileName, final boolean append, final boolean bufferedIO, final int bufferSize) throws IOException {
         super.setFile(fileName, append, this.bufferedIO, this.bufferSize);
         if (append) {

log4j-1.2-api/src/main/java/org/apache/log4j/helpers/FileWatchdog.java

@@ -18,6 +18,8 @@
 
 import java.io.File;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
 /**
  * Checks every now and then that a certain file has not changed. If it has, then call the {@link #doOnChange} method.
  *
@@ -45,6 +47,10 @@ public abstract class FileWatchdog extends Thread {
     boolean warnedAlready;
     boolean interrupted;
 
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The filename comes from a system property."
+    )
     protected FileWatchdog(final String fileName) {
         super("FileWatchdog");
         this.filename = fileName;

log4j-1.2-api/src/main/java/org/apache/log4j/helpers/package-info.java

@@ -18,7 +18,7 @@
  * Log4j 1.x compatibility layer.
  */
 @Export
-@Version("2.20.1")
+@Version("2.20.2")
 package org.apache.log4j.helpers;
 
 import org.osgi.annotation.bundle.Export;

log4j-1.2-api/src/main/java/org/apache/log4j/layout/Log4j1XmlLayout.java

@@ -22,6 +22,7 @@
 import java.util.List;
 import java.util.Objects;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.Layout;
 import org.apache.logging.log4j.core.LogEvent;
 import org.apache.logging.log4j.core.config.Node;
@@ -86,6 +87,10 @@ public String toSerializable(final LogEvent event) {
         return text.toString();
     }
 
+    @SuppressFBWarnings(
+            value = "INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE",
+            justification = "The throwable is formatted into a log file, which should be private."
+    )
     private void formatTo(final LogEvent event, final StringBuilder buf) {
         buf.append("<log4j:event logger=\"");
         buf.append(Transform.escapeHtmlTags(event.getLoggerName()));

log4j-1.2-api/src/main/java/org/apache/log4j/package-info.java

@@ -18,7 +18,7 @@
  * Log4j 1.x compatibility layer.
  */
 @Export
-@Version("2.20.1")
+@Version("2.20.2")
 package org.apache.log4j;
 
 import org.osgi.annotation.bundle.Export;

log4j-1.2-api/src/main/java/org/apache/log4j/xml/DOMConfigurator.java

@@ -31,6 +31,7 @@
 
 import javax.xml.parsers.FactoryConfigurationError;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.log4j.LogManager;
 import org.apache.log4j.config.PropertySetter;
 import org.apache.log4j.helpers.OptionConverter;
@@ -70,6 +71,10 @@ public class DOMConfigurator {
     public static void configure(final Element element) {
     }
 
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The filename comes from a system property."
+    )
     public static void configure(final String fileName) throws FactoryConfigurationError {
         final Path path = Paths.get(fileName);
         try (final InputStream inputStream = Files.newInputStream(path)) {

log4j-1.2-api/src/main/java/org/apache/log4j/xml/XmlConfiguration.java

@@ -29,6 +29,7 @@
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.FactoryConfigurationError;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.log4j.Appender;
 import org.apache.log4j.Layout;
 import org.apache.log4j.Level;
@@ -131,6 +132,10 @@ public void doConfigure() throws FactoryConfigurationError {
         final ConfigurationSource source = getConfigurationSource();
         final ParseAction action = new ParseAction() {
             @Override
+            @SuppressFBWarnings(
+                    value = "XXE_DOCUMENT",
+                    justification = "The `DocumentBuilder` is configured to not resolve external entities."
+            )
             public Document parse(final DocumentBuilder parser) throws SAXException, IOException {
                 @SuppressWarnings("resource")
                 final // The ConfigurationSource and its caller manages the InputStream.