Remove PATH_TRAVERSAL_IN/OUT and URLCONNECTION_SSRF_FD warnings

Author: ppkarwasz

log4j-api/pom.xml

@@ -47,8 +47,6 @@
       java.management;static=true
     </bnd-extra-module-options>
 
-    <!-- FIXME: temporary -->
-    <spotbugs.skip>true</spotbugs.skip>
   </properties>
   <dependencies>
     <dependency>

log4j-core/src/main/java/org/apache/logging/log4j/core/appender/package-info.java

@@ -18,7 +18,7 @@
  * Log4j 2 Appenders.
  */
 @Export
-@Version("2.20.1")
+@Version("2.20.2")
 package org.apache.logging.log4j.core.appender;
 
 import org.osgi.annotation.bundle.Export;

log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/DefaultRolloverStrategy.java

@@ -28,6 +28,7 @@
 import java.util.concurrent.TimeUnit;
 import java.util.zip.Deflater;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.Core;
 import org.apache.logging.log4j.core.appender.rolling.action.Action;
 import org.apache.logging.log4j.core.appender.rolling.action.CompositeAction;
@@ -411,6 +412,10 @@ private int purge(final int lowIndex, final int highIndex, final RollingFileMana
      * @param manager The RollingFileManager
      * @return true if purge was successful and rollover should be attempted.
      */
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The name of the accessed files is based on a configuration value."
+    )
     private int purgeAscending(final int lowIndex, final int highIndex, final RollingFileManager manager) {
         final SortedMap<Integer, Path> eligibleFiles = getEligibleFiles(manager);
         final int maxFiles = highIndex - lowIndex + 1;
@@ -467,6 +472,10 @@ private int purgeAscending(final int lowIndex, final int highIndex, final Rollin
      * @param manager The RollingFileManager
      * @return true if purge was successful and rollover should be attempted.
      */
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The name of the accessed files is based on a configuration value."
+    )
     private int purgeDescending(final int lowIndex, final int highIndex, final RollingFileManager manager) {
         // Retrieve the files in descending order, so the highest key will be first.
         final SortedMap<Integer, Path> eligibleFiles = getEligibleFiles(manager, false);
@@ -517,6 +526,10 @@ private int purgeDescending(final int lowIndex, final int highIndex, final Rolli
      * @throws SecurityException if an error occurs.
      */
     @Override
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The name of the accessed files is based on a configuration value."
+    )
     public RolloverDescription rollover(final RollingFileManager manager) throws SecurityException {
         int fileIndex;
         final StringBuilder buf = new StringBuilder(255);

log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/DirectWriteRolloverStrategy.java

@@ -27,6 +27,7 @@
 import java.util.concurrent.TimeUnit;
 import java.util.zip.Deflater;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.Core;
 import org.apache.logging.log4j.core.appender.rolling.action.Action;
 import org.apache.logging.log4j.core.appender.rolling.action.CompositeAction;
@@ -340,6 +341,10 @@ public void clearCurrentFileName() {
      * @throws SecurityException if an error occurs.
      */
     @Override
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The name of the accessed files is based on a configuration value."
+    )
     public RolloverDescription rollover(final RollingFileManager manager) throws SecurityException {
         LOGGER.debug("Rolling " + currentFileName);
         if (maxFiles < 0) {

log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/FileExtension.java

@@ -19,6 +19,7 @@
 import java.io.File;
 import java.util.Objects;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.appender.rolling.action.Action;
 import org.apache.logging.log4j.core.appender.rolling.action.CommonsCompressAction;
 import org.apache.logging.log4j.core.appender.rolling.action.GzCompressAction;
@@ -123,10 +124,18 @@ int length() {
         return extension.length();
     }
 
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The name of the accessed files is based on a configuration value."
+    )
     File source(final String fileName) {
         return new File(fileName);
     }
 
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The name of the accessed files is based on a configuration value."
+    )
     File target(final String fileName) {
         return new File(fileName);
     }

log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/RollingFileManager.java

@@ -153,6 +153,10 @@ protected RollingFileManager(final LoggerContext loggerContext, final String fil
         this.directWrite = rolloverStrategy instanceof DirectFileRolloverStrategy;
     }
 
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The name of the accessed files is based on a configuration value."
+    )
     public void initialize() {
 
         if (!initialized) {
@@ -726,7 +730,7 @@ private static class RollingFileManagerFactory implements ManagerFactory<Rolling
          */
         @Override
         @SuppressFBWarnings(
-                value = "PATH_TRAVERSAL_IN",
+                value = {"PATH_TRAVERSAL_IN", "PATH_TRAVERSAL_OUT"},
                 justification = "The destination file should be specified in the configuration file."
         )
         public RollingFileManager createManager(final String name, final FactoryData data) {

log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/RollingRandomAccessFileManager.java

@@ -24,6 +24,7 @@
 import java.nio.ByteBuffer;
 import java.nio.file.Paths;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.Layout;
 import org.apache.logging.log4j.core.LoggerContext;
 import org.apache.logging.log4j.core.appender.AppenderLoggingException;
@@ -150,13 +151,21 @@ protected synchronized void writeToDestination(final byte[] bytes, final int off
     }
 
     @Override
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The name of the accessed files is based on a configuration value."
+    )
     protected void createFileAfterRollover() throws IOException {
         final String fileName = getFileName();
         final File file = new File(fileName);
         FileUtils.makeParentDirs(file);
         createFileAfterRollover(fileName);
     }
 
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The name of the accessed files is based on a configuration value."
+    )
     private void createFileAfterRollover(final String fileName) throws IOException {
         this.randomAccessFile = new RandomAccessFile(fileName, "rw");
         if (isAttributeViewEnabled()) {
@@ -212,6 +221,10 @@ private static class RollingRandomAccessFileManagerFactory implements
          * @return a RollingFileManager.
          */
         @Override
+        @SuppressFBWarnings(
+                value = "PATH_TRAVERSAL_IN",
+                justification = "The name of the accessed files is based on a configuration value."
+        )
         public RollingRandomAccessFileManager createManager(final String name, final FactoryData data) {
             File file = null;
             long size = 0;

log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/action/AbstractPathAction.java

@@ -29,6 +29,7 @@
 import java.util.Set;
 import java.util.concurrent.TimeUnit;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.lookup.StrSubstitutor;
 
 /**
@@ -101,6 +102,10 @@ protected abstract FileVisitor<Path> createFileVisitor(final Path visitorBaseDir
      *
      * @return the base path (all lookups resolved)
      */
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The name of the accessed files is based on a configuration value."
+    )
     public Path getBasePath() {
         return Paths.get(subst.replace(getBasePathString()));
     }

log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/action/FileRenameAction.java

@@ -25,6 +25,8 @@
 import java.nio.file.Paths;
 import java.nio.file.StandardCopyOption;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
 /**
  * File rename action.
  */
@@ -103,6 +105,10 @@ public boolean isRenameEmptyFiles() {
      * @param renameEmptyFiles if true, rename file even if empty, otherwise delete empty files.
      * @return true if successfully renamed.
      */
+    @SuppressFBWarnings(
+            value = "PATH_TRAVERSAL_IN",
+            justification = "The name of the accessed files is based on a configuration value."
+    )
     public static boolean execute(final File source, final File destination, final boolean renameEmptyFiles) {
         if (renameEmptyFiles || (source.length() > 0)) {
             final File parent = destination.getParentFile();

log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/action/package-info.java

@@ -18,7 +18,7 @@
  * Support classes for the Rolling File Appender.
  */
 @Export
-@Version("2.20.1")
+@Version("2.20.2")
 package org.apache.logging.log4j.core.appender.rolling.action;
 
 import org.osgi.annotation.bundle.Export;