This is an automated email from the ASF dual-hosted git repository. pkarwasz pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
commit 1ddb9064c4f6e4e2db499778e205a6b5be94c332
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Tue Oct 31 09:27:17 2023 +0100

Remove most alerts

Removes all the security alerts, except PATH_TRAVERSAL_IN/OUT and URLCONNECTION_SSRF_FD.
---
 .../org/apache/logging/log4j/util/LowLevelLogUtil.java | 3 +--
 .../main/java/org/apache/logging/log4j/util/NameUtil.java | 14 +++++++++-----
 .../core/appender/rolling/RolloverFilePatternTest.java | 8 ++++----
 .../core/appender/rolling/AbstractRolloverStrategy.java | 4 ++--
 .../core/appender/rolling/TimeBasedTriggeringPolicy.java | 3 +++
 .../appender/rolling/action/PosixViewAttributeAction.java | 5 +++++
 .../config/builder/impl/DefaultConfigurationBuilder.java | 5 +++++
 .../logging/log4j/core/config/xml/XmlConfiguration.java | 5 +++++
 .../apache/logging/log4j/core/jmx/LoggerContextAdmin.java | 5 +++++
 .../org/apache/logging/log4j/core/layout/GelfLayout.java | 5 +++++
 .../org/apache/logging/log4j/core/layout/HtmlLayout.java | 5 +++++
 .../apache/logging/log4j/core/net/TcpSocketManager.java | 4 ++++
 .../logging/log4j/core/net/ssl/LaxHostnameVerifier.java | 3 +++
 .../log4j/core/pattern/ThrowablePatternConverter.java | 5 +++++
 .../java/org/apache/logging/log4j/core/tools/Generate.java | 6 ++++++
 .../logging/log4j/jdbc/appender/JdbcDatabaseManager.java | 9 +++++++++
 .../java/org/apache/logging/log4j/jndi/JndiManager.java | 5 +++++
 .../apache/logging/log4j/smtp/appender/SmtpManager.java | 8 ++++++--
 18 files changed, 87 insertions(+), 15 deletions(-)
diff --git a/log4j-api/src/main/java/org/apache/logging/log4j/util/LowLevelLogUtil.java b/log4j-api/src/main/java/org/apache/logging/log4j/util/LowLevelLogUtil.java
index 2753cfc4f1..dc7878706f 100644
--- a/log4j-api/src/main/java/org/apache/logging/log4j/util/LowLevelLogUtil.java
+++ b/log4j-api/src/main/java/org/apache/logging/log4j/util/LowLevelLogUtil.java
@@ -18,9 +18,8 @@ package org.apache.logging.log4j.util;
 
 import java.io.PrintWriter;
 
-import org.apache.logging.log4j.Logger;
-
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+import org.apache.logging.log4j.Logger;
 
 /**
 * PrintWriter-based logging utility for classes too low level to use {@link org.apache.logging.log4j.status.StatusLogger}.
diff --git a/log4j-api/src/main/java/org/apache/logging/log4j/util/NameUtil.java b/log4j-api/src/main/java/org/apache/logging/log4j/util/NameUtil.java
index 9d9b4acb94..5766ffe6bc 100644
--- a/log4j-api/src/main/java/org/apache/logging/log4j/util/NameUtil.java
+++ b/log4j-api/src/main/java/org/apache/logging/log4j/util/NameUtil.java
@@ -21,6 +21,8 @@ import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.Objects;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
 /**
 *
 */
@@ -49,6 +51,11 @@ public final class NameUtil {
 * @param input string to be hashed
 * @return string composed of 32 hexadecimal digits of the calculated hash
 */
+ @SuppressFBWarnings(
+ value = "WEAK_MESSAGE_DIGEST_MD5",
+ justification = "Used to create unique identifiers."
+ )
+ @Deprecated
 public static String md5(final String input) {
 Objects.requireNonNull(input, "input");
 try {
@@ -57,11 +64,8 @@ public final class NameUtil {
 final byte[] bytes = digest.digest(inputBytes);
 final StringBuilder md5 = new StringBuilder(bytes.length * 2);
 for (final byte b : bytes) {
- final String hex = Integer.toHexString(0xFF & b);
- if (hex.length() == 1) {
- md5.append('0');
- }
- md5.append(hex);
+ md5.append(Character.forDigit((0xFF & b) >> 4, 16));
+ md5.append(Character.forDigit(0x0F & b, 16));
 }
 return md5.toString();
 }
diff --git a/log4j-core-test/src/test/java/org/apache/logging/log4j/core/appender/rolling/RolloverFilePatternTest.java b/log4j-core-test/src/test/java/org/apache/logging/log4j/core/appender/rolling/RolloverFilePatternTest.java
index 12227cffcb..93c4116472 100644
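Review bot: `@Deprecated` is added to `md5` without a matching Javadoc `@deprecated` tag, so the generated docs neither flag the method nor tell callers what to migrate to; the Javadoc block it belongs to starts above the hunk. Suggest adding `* @deprecated MD5 is not collision-resistant; use a non-cryptographic identifier scheme or a SHA-2 digest instead.` above the existing `@param`, and, if the module's source level permits, `@Deprecated(since = "<release>")` with the real version so the deprecation point is recorded. The `WEAK_MESSAGE_DIGEST_MD5` justification ("Used to create unique identifiers.") only holds while no caller relies on those identifiers being unique for adversarial inputs, which is worth stating in the justification itself. The `Character.forDigit` rewrite is equivalent to the removed `Integer.toHexString` loop (lowercase, always two digits per byte), so the MD5 output is unchanged.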
--- a/log4j-core-test/src/test/java/org/apache/logging/log4j/core/appender/rolling/RolloverFilePatternTest.java
+++ b/log4j-core-test/src/test/java/org/apache/logging/log4j/core/appender/rolling/RolloverFilePatternTest.java
@@ -30,7 +30,7 @@ public class RolloverFilePatternTest {
 @Test
 public void testFilePatternWithoutPadding() throws Exception {
 final Matcher matcher = AbstractRolloverStrategy.PATTERN_COUNTER.matcher("target/logs/test-%i.log.gz");
- assertTrue(matcher.matches());
+ assertTrue(matcher.find());
 assertNull(matcher.group("ZEROPAD"));
 assertNull(matcher.group("PADDING"));
 }
@@ -38,7 +38,7 @@ public class RolloverFilePatternTest {
 @Test
 public void testFilePatternWithSpacePadding() throws Exception {
 final Matcher matcher = AbstractRolloverStrategy.PATTERN_COUNTER.matcher("target/logs/test-%3i.log.gz");
- assertTrue(matcher.matches());
+ assertTrue(matcher.find());
 assertNull(matcher.group("ZEROPAD"));
 assertEquals("3", matcher.group("PADDING"));
 }
@@ -46,7 +46,7 @@ public class RolloverFilePatternTest {
 @Test
 public void testFilePatternWithZeroPadding() throws Exception {
 final Matcher matcher = AbstractRolloverStrategy.PATTERN_COUNTER.matcher("target/logs/test-%03i.log.gz");
- assertTrue(matcher.matches());
+ assertTrue(matcher.find());
 assertEquals("0", matcher.group("ZEROPAD"));
 assertEquals("3", matcher.group("PADDING"));
 }
@@ -54,6 +54,6 @@ public class RolloverFilePatternTest {
 @Test
 public void testFilePatternUnmatched() throws Exception {
 final Matcher matcher = AbstractRolloverStrategy.PATTERN_COUNTER.matcher("target/logs/test-%n.log.gz");
- assertFalse(matcher.matches());
+ assertFalse(matcher.find());
 }
 }
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/AbstractRolloverStrategy.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/AbstractRolloverStrategy.java
index 650e743ace..f40b6e82dc 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/AbstractRolloverStrategy.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/AbstractRolloverStrategy.java
@@ -47,7 +47,7 @@ public abstract class AbstractRolloverStrategy implements RolloverStrategy {
 */
 protected static final Logger LOGGER = StatusLogger.getLogger();
 
- public static final Pattern PATTERN_COUNTER= Pattern.compile(".*%((?<ZEROPAD>0)?(?<PADDING>\\d+))?i.*");
+ public static final Pattern PATTERN_COUNTER = Pattern.compile(".*%(?<ZEROPAD>0)?(?<PADDING>\\d+)?i.*");
 
 protected final StrSubstitutor strSubstitutor;
 
@@ -114,7 +114,7 @@ public abstract class AbstractRolloverStrategy implements RolloverStrategy {
 } else {
 parent.mkdirs();
 }
- if (!PATTERN_COUNTER.matcher(logfilePattern).matches()) {
+ if (!PATTERN_COUNTER.matcher(logfilePattern).find()) {
 return eligibleFiles;
 }
 final Path dir = parent.toPath();
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/TimeBasedTriggeringPolicy.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/TimeBasedTriggeringPolicy.java
index c21da5ee56..349b5dc402 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/TimeBasedTriggeringPolicy.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/TimeBasedTriggeringPolicy.java
@@ -19,6 +19,7 @@ package org.apache.logging.log4j.core.appender.rolling;
 import java.util.concurrent.ThreadLocalRandom;
 import java.util.concurrent.TimeUnit;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.LogEvent;
 import org.apache.logging.log4j.core.time.Clock;
 import org.apache.logging.log4j.plugins.Configurable;
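Review bot: Once `PATTERN_COUNTER` is only used through `find()` (this hunk, the `eligibleFiles` hunk below it, and the updated tests), the leading and trailing `.*` in the pattern are dead weight: they add nothing to a `find()` match and make a non-matching file pattern pay a full `.*` backtrack from every start position. `Pattern.compile("%(?<ZEROPAD>0)?(?<PADDING>\\d+)?i")` is sufficient and keeps both named groups unchanged. Note also that dropping the outer group changes how `%0i` is captured — the old pattern backtracked to `PADDING="0"`, the new one yields `ZEROPAD="0"` with `PADDING` null — and none of the updated tests cover that input, so a case for it would pin the intended reading. Both hunks sit inside a class body that continues outside the hunk.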
@@ -121,6 +122,7 @@ public final class TimeBasedTriggeringPolicy extends AbstractTriggeringPolicy {
 * @param aManager The RollingFileManager.
 */
 @Override
+ @SuppressFBWarnings("PREDICTABLE_RANDOM")
 public void initialize(final RollingFileManager aManager) {
 this.manager = aManager;
 long current = aManager.getFileTime();
@@ -142,6 +144,7 @@ public final class TimeBasedTriggeringPolicy extends AbstractTriggeringPolicy {
 * @return true if a rollover should occur.
 */
 @Override
+ @SuppressFBWarnings("PREDICTABLE_RANDOM")
 public boolean isTriggeringEvent(final LogEvent event) {
 final long nowMillis = event.getTimeMillis();
 if (nowMillis >= nextRolloverMillis) {
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/action/PosixViewAttributeAction.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/action/PosixViewAttributeAction.java
index fd74a31d6d..e7e0b54a66 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/action/PosixViewAttributeAction.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/action/PosixViewAttributeAction.java
@@ -29,6 +29,7 @@ import java.nio.file.attribute.PosixFilePermissions;
 import java.util.List;
 import java.util.Set;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.config.Configuration;
 import org.apache.logging.log4j.core.config.plugins.PluginConfiguration;
 import org.apache.logging.log4j.core.lookup.StrSubstitutor;
@@ -115,6 +116,10 @@ public class PosixViewAttributeAction extends AbstractPathAction {
 private String fileGroup;
 
 @Override
+ @SuppressFBWarnings(
+ value = "OVERLY_PERMISSIVE_FILE_PERMISSION",
+ justification = "File permissions are specified in a configuration file."
+ )
 public PosixViewAttributeAction build() {
 if (Strings.isEmpty(basePath)) {
 LOGGER.error("Posix file attribute view action not valid because base path is empty.");
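Review bot: `@SuppressFBWarnings("PREDICTABLE_RANDOM")` on `initialize` and `isTriggeringEvent` carries no `justification`, unlike every other suppression in this commit; the same gap exists for `UNENCRYPTED_SOCKET` on `TcpSocketManager.createSocket` and `WEAK_HOSTNAME_VERIFIER` on `LaxHostnameVerifier.verify`. A suppression without a recorded reason is the first thing a later audit reopens, and the reason is cheap to state now. For this class something like `@SuppressFBWarnings(value = "PREDICTABLE_RANDOM", justification = "ThreadLocalRandom only jitters the rollover time; nothing security-relevant depends on it.")` — the jitter use is inferred from the `ThreadLocalRandom` import and should be confirmed against the method bodies, which continue outside the hunk. For the socket and the verifier, the justification should name the configuration option that opts into plain TCP or lax verification, so a reader sees it is a deliberate user choice rather than a default.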
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/config/builder/impl/DefaultConfigurationBuilder.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/config/builder/impl/DefaultConfigurationBuilder.java
index 903e966d8c..2e4c4f945b 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/config/builder/impl/DefaultConfigurationBuilder.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/config/builder/impl/DefaultConfigurationBuilder.java
@@ -39,6 +39,7 @@ import javax.xml.transform.TransformerFactoryConfigurationError;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.Level;
 import org.apache.logging.log4j.core.Filter;
 import org.apache.logging.log4j.core.LoggerContext;
@@ -90,6 +91,10 @@ public class DefaultConfigurationBuilder<T extends BuiltConfiguration> implement
 private LoggerContext loggerContext;
 private String name;
 
+ @SuppressFBWarnings(
+ value = {"XXE_DTD_TRANSFORM_FACTORY", "XXE_XSLT_TRANSFORM_FACTORY"},
+ justification = "This method only uses internally generated data."
+ )
 public static void formatXml(final Source source, final Result result)
 throws TransformerConfigurationException, TransformerFactoryConfigurationError, TransformerException {
 final Transformer transformer = TransformerFactory.newInstance().newTransformer();
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/config/xml/XmlConfiguration.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/config/xml/XmlConfiguration.java
index d0c0ac1469..cb675c226e 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/config/xml/XmlConfiguration.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/config/xml/XmlConfiguration.java
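Review bot: The justification on `formatXml` ("This method only uses internally generated data.") describes today's callers, not the method: it is `public static` and accepts any `Source`, so the guarantee does not travel with the signature and a future caller can hand it external XML without touching this file. Rather than suppressing the two XXE findings, the `TransformerFactory` can be locked down in place with the `javax.xml.XMLConstants` access attributes (JAXP 1.5, part of the JDK), which makes the findings disappear regardless of caller; `XMLConstants` would need an import, and an older third-party factory on the classpath could reject the attributes with `IllegalArgumentException`, which is worth a check in the build. The rest of the method body lies outside the hunk.

```java
public static void formatXml(final Source source, final Result result)
        throws TransformerConfigurationException, TransformerFactoryConfigurationError, TransformerException {
    final TransformerFactory factory = TransformerFactory.newInstance();
    // Refuse external DTDs and stylesheets regardless of where the Source comes from.
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
    final Transformer transformer = factory.newTransformer();
    // … unchanged: remainder of the method (outside the hunk) …
```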
@@ -32,6 +32,7 @@ import javax.xml.validation.Schema;
 import javax.xml.validation.SchemaFactory;
 import javax.xml.validation.Validator;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.LoggerContext;
 import org.apache.logging.log4j.core.config.AbstractConfiguration;
 import org.apache.logging.log4j.core.config.Configuration;
@@ -71,6 +72,10 @@ public class XmlConfiguration extends AbstractConfiguration implements Reconfigu
 private boolean strict;
 private String schemaResource;
 
+ @SuppressFBWarnings(
+ value = "XXE_DOCUMENT",
+ justification = "The `newDocumentBuilder` method disables DTD processing."
+ )
 public XmlConfiguration(final LoggerContext loggerContext, final ConfigurationSource configSource) {
 super(loggerContext, configSource);
 byte[] buffer = null;
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/jmx/LoggerContextAdmin.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/jmx/LoggerContextAdmin.java
index 7c5c0a8601..657c748073 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/jmx/LoggerContextAdmin.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/jmx/LoggerContextAdmin.java
@@ -39,6 +39,7 @@ import javax.management.Notification;
 import javax.management.NotificationBroadcasterSupport;
 import javax.management.ObjectName;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.LoggerContext;
 import org.apache.logging.log4j.core.config.Configuration;
 import org.apache.logging.log4j.core.config.ConfigurationSource;
@@ -144,6 +145,10 @@ public class LoggerContextAdmin extends NotificationBroadcasterSupport implement
 }
 
 @Override
+ @SuppressFBWarnings(
+ value = "INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE",
+ justification = "JMX should be considered a trusted channel."
+ )
 public String getConfigText(final String charsetName) throws IOException {
 try {
 final ConfigurationSource source = loggerContext.getConfiguration().getConfigurationSource();
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/layout/GelfLayout.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/layout/GelfLayout.java
index 82b7e4510a..e64ab9d3a9 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/layout/GelfLayout.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/layout/GelfLayout.java
@@ -30,6 +30,7 @@ import java.util.Objects;
 import java.util.zip.DeflaterOutputStream;
 import java.util.zip.GZIPOutputStream;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.Level;
 import org.apache.logging.log4j.core.Layout;
 import org.apache.logging.log4j.core.LogEvent;
@@ -718,6 +719,10 @@ public final class GelfLayout extends AbstractStringLayout {
 /**
 * Non-private to make it accessible from unit test.
 */
+ @SuppressFBWarnings(
+ value = "INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE",
+ justification = "Log4j prints stacktraces only to logs, which should be private."
+ )
 static CharSequence formatThrowable(final Throwable throwable) {
 // stack traces are big enough to provide a reasonably large initial capacity here
 final StringWriter sw = new StringWriter(2048);
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/layout/HtmlLayout.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/layout/HtmlLayout.java
index 02d8eee9d3..3b6eb31a7e 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/layout/HtmlLayout.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/layout/HtmlLayout.java
@@ -28,6 +28,7 @@ import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.Date;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.Level;
 import org.apache.logging.log4j.core.Layout;
 import org.apache.logging.log4j.core.LogEvent;
@@ -238,6 +239,10 @@ public final class HtmlLayout extends AbstractStringLayout {
 return contentType;
 }
 
+ @SuppressFBWarnings(
+ value = "INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE",
+ justification = "Log4j prints stacktraces only to logs, which should be private."
+ )
 private void appendThrowableAsHtml(final Throwable throwable, final StringBuilder sbuf) {
 final StringWriter sw = new StringWriter();
 final PrintWriter pw = new PrintWriter(sw);
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/TcpSocketManager.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/TcpSocketManager.java
index 3750c14771..ca1f9fb6c5 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/TcpSocketManager.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/TcpSocketManager.java
@@ -29,6 +29,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.concurrent.CountDownLatch;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.Layout;
 import org.apache.logging.log4j.core.appender.AppenderLoggingException;
 import org.apache.logging.log4j.core.appender.ManagerFactory;
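Review bot: The justification on `appendThrowableAsHtml` answers where the stack trace ends up, but for an HTML layout the relevant question is different: exception messages can carry caller-supplied strings, and the trace text written through `sw` is headed for markup that a browser will render, so the finding is only moot if that text is HTML-escaped before being appended to `sbuf`. That escaping, if present, happens further down the method, outside the hunk; confirm it before relying on the suppression. If it is there, say so: `justification = "Trace text is HTML-escaped before being appended; stack traces are only written to logs."` makes the suppression self-explanatory to the next reader.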
@@ -342,6 +343,9 @@ public class TcpSocketManager extends AbstractSocketManager {
 return createSocket(socketAddress, socketOptions, connectTimeoutMillis);
 }
 
+ @SuppressFBWarnings(
+ value = "UNENCRYPTED_SOCKET"
+ )
 protected static Socket createSocket(final InetSocketAddress socketAddress, final SocketOptions socketOptions,
 final int connectTimeoutMillis) throws IOException {
 LOGGER.debug("Creating socket {}", socketAddress.toString());
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/LaxHostnameVerifier.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/LaxHostnameVerifier.java
index 08aa4c5936..b6f06c15b5 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/LaxHostnameVerifier.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/LaxHostnameVerifier.java
@@ -19,6 +19,8 @@ package org.apache.logging.log4j.core.net.ssl;
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLSession;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
 /**
 * An HostnameVerifier which accepts everything.
 */
@@ -32,6 +34,7 @@ public final class LaxHostnameVerifier implements HostnameVerifier {
 }
 
 @Override
+ @SuppressFBWarnings("WEAK_HOSTNAME_VERIFIER")
 public boolean verify(final String s, final SSLSession sslSession) {
 return true;
 }
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/pattern/ThrowablePatternConverter.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/pattern/ThrowablePatternConverter.java
index f06e080422..a46ac18634 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/pattern/ThrowablePatternConverter.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/pattern/ThrowablePatternConverter.java
@@ -22,6 +22,7 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.LogEvent;
 import org.apache.logging.log4j.core.config.Configuration;
 import org.apache.logging.log4j.core.impl.ThrowableFormatOptions;
@@ -175,6 +176,10 @@ public class ThrowablePatternConverter extends LogEventPatternConverter {
 }
 }
 
+ @SuppressFBWarnings(
+ value = "INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE",
+ justification = "Formatting a throwable is the main purpose of this class."
+ )
 private void formatOption(final Throwable throwable, final String suffix, final StringBuilder buffer) {
 final int len = buffer.length();
 if (len > 0 && !Character.isWhitespace(buffer.charAt(len - 1))) {
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/tools/Generate.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/tools/Generate.java
index e55f8d8a03..2acd60a178 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/tools/Generate.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/tools/Generate.java
@@ -21,6 +21,8 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
 /**
 * Generates source code for custom or extended logger wrappers.
 * <p>
@@ -1104,6 +1106,10 @@ public final class Generate {
 out.println(" For each custom log level, specify NAME=intLevel (without spaces).");
 }
 
+ @SuppressFBWarnings(
+ value = "FORMAT_STRING_MANIPULATION",
+ justification = "The format strings come from constants. The replacement is done for readability."
+ )
 static String generateSource(final String classNameFQN, final List<LevelInfo> levels, final Type type) {
 final StringBuilder sb = new StringBuilder(10000 * levels.size());
 final int lastDot = classNameFQN.lastIndexOf('.');
diff --git a/log4j-jdbc/src/main/java/org/apache/logging/log4j/jdbc/appender/JdbcDatabaseManager.java b/log4j-jdbc/src/main/java/org/apache/logging/log4j/jdbc/appender/JdbcDatabaseManager.java
index 2d1ad28a40..f010dc11f5 100644
--- a/log4j-jdbc/src/main/java/org/apache/logging/log4j/jdbc/appender/JdbcDatabaseManager.java
+++ b/log4j-jdbc/src/main/java/org/apache/logging/log4j/jdbc/appender/JdbcDatabaseManager.java
@@ -37,6 +37,7 @@ import java.util.Map;
 import java.util.Objects;
 import java.util.concurrent.CountDownLatch;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.Layout;
 import org.apache.logging.log4j.core.LogEvent;
 import org.apache.logging.log4j.core.StringLayout;
@@ -519,6 +520,10 @@ public final class JdbcDatabaseManager extends AbstractDatabaseManager {
 return true;
 }
 
+ @SuppressFBWarnings(
+ value = "SQL_INJECTION_JDBC",
+ justification = "The SQL statement is generated based on the configuration file."
+ )
 private void connectAndPrepare() throws SQLException {
 logger().debug("Acquiring JDBC connection from {}", this.getConnectionSource());
 this.connection = getConnectionSource().getConnection();
@@ -584,6 +589,10 @@ public final class JdbcDatabaseManager extends AbstractDatabaseManager {
 return factoryData.tableName;
 }
 
+ @SuppressFBWarnings(
+ value = "SQL_INJECTION_JDBC",
+ justification = "The SQL statement is generated based on the configuration file."
+ )
 private void initColumnMetaData() throws SQLException {
 // Could use:
 // this.connection.getMetaData().getColumns(catalog, schemaPattern, tableNamePattern, columnNamePattern);
diff --git a/log4j-jndi/src/main/java/org/apache/logging/log4j/jndi/JndiManager.java b/log4j-jndi/src/main/java/org/apache/logging/log4j/jndi/JndiManager.java
index aabf46e837..455ed92cab 100644
--- a/log4j-jndi/src/main/java/org/apache/logging/log4j/jndi/JndiManager.java
+++ b/log4j-jndi/src/main/java/org/apache/logging/log4j/jndi/JndiManager.java
@@ -25,6 +25,7 @@ import javax.naming.Context;
 import javax.naming.InitialContext;
 import javax.naming.NamingException;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.core.appender.AbstractManager;
 import org.apache.logging.log4j.core.appender.ManagerFactory;
 import org.apache.logging.log4j.core.util.Constants;
@@ -191,6 +192,10 @@ public class JndiManager extends AbstractManager {
 * @throws NamingException if a naming exception is encountered
 */
 @SuppressWarnings({"unchecked", "BanJNDI"})
+ @SuppressFBWarnings(
+ value = "LDAP_INJECTION",
+ justification = "This method only accepts an empty or 'java:' URI scheme."
+ )
 public <T> T lookup(final String name) throws NamingException {
 if (context == null) {
 return null;
diff --git a/log4j-smtp/src/main/java/org/apache/logging/log4j/smtp/appender/SmtpManager.java b/log4j-smtp/src/main/java/org/apache/logging/log4j/smtp/appender/SmtpManager.java
index 2424c946eb..e3cdc7c9a5 100644
--- a/log4j-smtp/src/main/java/org/apache/logging/log4j/smtp/appender/SmtpManager.java
+++ b/log4j-smtp/src/main/java/org/apache/logging/log4j/smtp/appender/SmtpManager.java
@@ -37,6 +37,7 @@ import javax.mail.internet.MimeUtility;
 import javax.mail.util.ByteArrayDataSource;
 import javax.net.ssl.SSLSocketFactory;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.logging.log4j.LoggingException;
 import org.apache.logging.log4j.core.Layout;
 import org.apache.logging.log4j.core.LogEvent;
@@ -284,8 +285,11 @@ public class SmtpManager extends AbstractManager {
 }
 }
 
- protected void sendMultipartMessage(final MimeMessage msg, final MimeMultipart mp, final String subject) throws MessagingException {
- synchronized (msg) {
+ @SuppressFBWarnings(
+ value = "SMTP_HEADER_INJECTION",
+ justification = "False positive, since MimeMessage#setSubject does actually escape new lines."
+ )
+ protected void sendMultipartMessage(final MimeMessage msg, final MimeMultipart mp, final String subject) throws MessagingException {synchronized (msg) {
 msg.setContent(mp);
 msg.setSentDate(new Date());
 msg.setSubject(subject);
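Review bot: The new signature line, as rendered in this hunk, runs `throws MessagingException {synchronized (msg) {` on a single line, and the hunk counts (two lines removed, five added of which four are the annotation) are consistent with the method header and the `synchronized` block having been joined — presumably by accident while the annotation was inserted. Restore the break so the header reads `protected void sendMultipartMessage(final MimeMessage msg, final MimeMultipart mp, final String subject) throws MessagingException {` with `synchronized (msg) {` on its own line below it. The justification's claim that `MimeMessage#setSubject` escapes newlines cannot be checked from the hunk; pointing at the specific JavaMail behaviour it relies on (header encoding/folding) would let a reader verify it without re-reading the library. The method's body continues past the hunk.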
