Asterisk (star character) expansion reveals folder structure #3526

@Eccenux

Description


Seems like a star character ("*") is expanded into a directory listing. Might be a security issue, I guess, but I don't think so. It's definitely an annoyance.

Configuration

Version: 2.24.3
[INFO] +- org.apache.logging.log4j:log4j-slf4j2-impl:jar:2.24.3:compile
[INFO] | +- (org.apache.logging.log4j:log4j-api:jar:2.24.3:compile - omitted for duplicate)
[INFO] | +- org.slf4j:slf4j-api:jar:2.0.16:compile
[INFO] | - (org.apache.logging.log4j:log4j-core:jar:2.24.3:runtime - omitted for duplicate)

Operating system: Ubuntu 22.04.4 LTS
(also happens on a different test server with later Ubuntu 22.04)
(on Windows11 it seems fine)

JDK: Adoptium JDK: OpenJDK Runtime Environment Temurin-17.0.6+10 (build 17.0.6+10)
(same on later Adoptium build: 17.0.11+9)

Logs

Expected log

2025-03-10 15:50:56.0374 INFO : com.e.cor.privateservice.HiddenEntryScheduler Initialized cron for index-sync: \
12 34 22 \
* * * (nux)

Actual log contains directory listing:

2025-03-10 12:46:09.0969 INFO : com.e.cor.privateservice.HiddenEntryScheduler Initialized cron for index-sync: \
12 34 22 \
bin BUILDING.txt conf CONTRIBUTING.md ... \
bin BUILDING.txt conf CONTRIBUTING.md ... \
bin BUILDING.txt conf CONTRIBUTING.md ... (nux)

This varies from server to server, but might be a /root/ listing (on some test VMs) or tomcat directory listing (as in the example above).

Reproduction

Minimized code (from the actual service code):

package com.example.core.privateservice;

import javax.annotation.PostConstruct;
import org.springframework.stereotype.Component;
import org.springframework.beans.factory.annotation.Value;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component
public class HiddenEntryScheduler {
	private static final Logger LOG = LoggerFactory.getLogger(HiddenEntryScheduler.class);

	// daily (late evening)
	//@Value("${cron.hiddenentry.sync.cron:Rand60 Rand60 22 * * *}")
	@Value("${cron.hiddenentry.sync.cron:12 34 22 * * *}")
	private String cronExpression;

	@PostConstruct
	private void initialize() {
		String tenant = "nux";
		String dynamicCronExpression;
		dynamicCronExpression = cronExpression;
		LOG.info("Initialized cron for index-sync: {} ({})", dynamicCronExpression, tenant);
	}
}

The actual code is not much larger. Normally, the "Rand60" seen in the comment is dynamically replaced with a random number between 0 and 60.

But effectively that should simply be:

	private static final Logger LOG = LoggerFactory.getLogger(HiddenEntryScheduler.class);
	@PostConstruct
	private void initialize() {
		LOG.info("Initialized cron for index-sync: 12 34 22 * * * (nux)");
	}

Additional notes

I did try to add the old NoLookups thing, but that didn't help:

System.setProperty("log4j2.formatMsgNoLookups", "true");

I'm not quite sure if the option is still relevant. Looking at the current code, it doesn't seem like it is. Some docs still mention m{lookups}:
https://logging.apache.org/log4j/2.x/manual/pattern-layout.html#converter-message

I also checked, and @Value does not expand the asterisk/star. When I do this:

LOG.info("Initialized cron for index-sync: {} ({})", dynamicCronExpression.replace("*", "[any]"), tenant);

The message is:

2025-03-10 14:51:49.0943 INFO : com.e.cor.privateservice.HiddenEntryScheduler Initialized cron for index-sync: \
12 34 22 \
[any] [any] [any] (nux)
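One mechanism that produces a pattern matching the log above (each "*" replaced by one copy of the working directory's listing) is a shell relaying the log line through an unquoted variable, for instance in a start-up or log-forwarding wrapper; the issue does not identify the cause, so treat that as an assumption. The script below is an added example, not code from the issue or from Log4j, and builds a constructed scratch directory to show the expansion, two fixes, and a check for whether the star survived.

```shell
# Added example, not from the issue or from Log4j: a shell relaying a log
# line through an unquoted variable turns each "*" into a listing of the
# current directory. Whether such a relay exists in the reporter's setup is
# an assumption; the scratch directory below is constructed for the demo.
SCRATCH=$(mktemp -d)
trap 'rm -rf "$SCRATCH"' EXIT
for f in bin BUILDING.txt conf CONTRIBUTING.md; do : > "$SCRATCH/$f"; done
cd "$SCRATCH" || exit 1

CRON='12 34 22 * * *'

# Buggy relay: $msg is unquoted, so the shell applies field splitting and
# pathname expansion to the text before echo ever sees it.
unsafe_relay() {
    msg=$1
    echo $msg
}

# Fixed relay: double quotes suppress both splitting and globbing.
safe_relay() {
    msg=$1
    echo "$msg"
}

# Alternative fix for scripts that cannot quote every expansion:
# set -f (noglob) disables pathname expansion inside the subshell.
noglob_relay() {
    msg=$1
    ( set -f; echo $msg )
}

# Check helper: does the relayed text still carry a literal asterisk?
# Returns 0 if yes, 1 if the star was consumed by expansion.
keeps_asterisk() {
    case "$1" in *'*'*) return 0 ;; *) return 1 ;; esac
}

unsafe_relay "$CRON"   # 12 34 22 followed by the listing repeated three times
safe_relay "$CRON"     # 12 34 22 * * *
noglob_relay "$CRON"   # 12 34 22 * * *
```

Running the same three relays against a real wrapper script is a quick way to tell whether the star is lost in the logging framework or in a shell downstream of it.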
