Description
Seems like a star character ("*") is expanded into a directory listing. Might be a security measure, I guess, but I don't think so. It's definitely an annoyance.
Configuration
Version: 2.24.3
[INFO] +- org.apache.logging.log4j:log4j-slf4j2-impl:jar:2.24.3:compile
[INFO] | +- (org.apache.logging.log4j:log4j-api:jar:2.24.3:compile - omitted for duplicate)
[INFO] | +- org.slf4j:slf4j-api:jar:2.0.16:compile
[INFO] | - (org.apache.logging.log4j:log4j-core:jar:2.24.3:runtime - omitted for duplicate)
Operating system: Ubuntu 22.04.4 LTS
(also happens on a different test server with later Ubuntu 22.04)
(on Windows 11 it seems fine)
JDK: Adoptium JDK: OpenJDK Runtime Environment Temurin-17.0.6+10 (build 17.0.6+10)
(same on later Adoptium build: 17.0.11+9)
Logs
Expected log
2025-03-10 15:50:56.0374 INFO : com.e.cor.privateservice.HiddenEntryScheduler Initialized cron for index-sync: \
12 34 22 \
* * * (nux)
Actual log contains directory listing:
2025-03-10 12:46:09.0969 INFO : com.e.cor.privateservice.HiddenEntryScheduler Initialized cron for index-sync: \
12 34 22 \
bin BUILDING.txt conf CONTRIBUTING.md ... \
bin BUILDING.txt conf CONTRIBUTING.md ... \
bin BUILDING.txt conf CONTRIBUTING.md ... (nux)
This varies from server to server, but might be a /root/ listing (on some test VMs) or a tomcat directory listing (as in the example above).
Reproduction
Minimized code (from the actual service code):

package com.example.core.privateservice;

import javax.annotation.PostConstruct;
import org.springframework.stereotype.Component;
import org.springframework.beans.factory.annotation.Value;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component
public class HiddenEntryScheduler {
    private static final Logger LOG = LoggerFactory.getLogger(HiddenEntryScheduler.class);

    // daily (late evening)
    //@Value("${cron.hiddenentry.sync.cron:Rand60 Rand60 22 * * *}")
    @Value("${cron.hiddenentry.sync.cron:12 34 22 * * *}")
    private String cronExpression;

    @PostConstruct
    private void initialize() {
        String tenant = "nux";
        String dynamicCronExpression;
        dynamicCronExpression = cronExpression;
        // the "*" characters of the cron expression show up expanded in the log output
        LOG.info("Initialized cron for index-sync: {} ({})", dynamicCronExpression, tenant);
    }
}
The actual code is not much larger. Normally the "Rand60" seen in the comment is dynamically replaced with a random number between 0 and 60.
But effectively that should simply be:

    private static final Logger LOG = LoggerFactory.getLogger(HiddenEntryScheduler.class);

    @PostConstruct
    private void initialize() {
        LOG.info("Initialized cron for index-sync: 12 34 22 * * * (nux)");
    }
Additional notes
I did try to add the old NoLookups thing, but that didn't help:
System.setProperty("log4j2.formatMsgNoLookups", "true");
I'm not quite sure if the option is still relevant. Looking at the current code it doesn't seem like it is. Some docs still mention m{lookups}: https://logging.apache.org/log4j/2.x/manual/pattern-layout.html#converter-message
I did also check, and the @Value does not expand the asterisk/star. When I do this:
LOG.info("Initialized cron for index-sync: {} ({})", dynamicCronExpression.replace("*", "[any]"), tenant);
The message is:
2025-03-10 14:51:49.0943 INFO : com.e.cor.privateservice.HiddenEntryScheduler Initialized cron for index-sync: \
12 34 22 \
[any] [any] [any] (nux)
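The listing shows up on Linux but not on Windows and repeats once per "*", which is what a shell's pathname expansion does to an unquoted value before the JVM ever sees it. The following is an added example, not the reporter's code or anything from Log4j, that demonstrates this check with a stand-in for the JVM; it assumes (the report does not say) that the cron value reaches the process through a shell-built command line such as a -D system property.

```shell
#!/bin/sh
# Constructed demo: what happens to a cron spec containing "*" when a launcher
# script interpolates it into a command line unquoted versus quoted.
# print_argv stands in for the JVM and just echoes the argv it received.

print_argv() {
    printf '%s\n' "$*"
}

# Scratch directory with file names resembling the listing in the report
# (constructed sample, not the reporter's server).
make_demo_dir() {
    dir=$(mktemp -d)
    for f in bin BUILDING.txt conf CONTRIBUTING.md; do : > "$dir/$f"; done
    printf '%s\n' "$dir"
}

# Unquoted: the shell splits the value on spaces and then performs pathname
# expansion on each "*", so the process receives a directory listing three times.
launch_unquoted() {
    spec="12 34 22 * * *"
    ( cd "$1" && print_argv -Dcron.hiddenentry.sync.cron=$spec )
}

# Quoted: the value reaches the process as one argument, with the "*" intact.
launch_quoted() {
    spec="12 34 22 * * *"
    ( cd "$1" && print_argv "-Dcron.hiddenentry.sync.cron=$spec" )
}

demo=$(make_demo_dir)
echo "unquoted: $(launch_unquoted "$demo")"
echo "quoted:   $(launch_quoted "$demo")"
rm -rf "$demo"
```

Checking the real launcher (or the property source feeding Spring) for the same unquoted interpolation, rather than the logging layer, is the diagnostic this suggests.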