rspec/rules/S4792/java/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

This rule supports the following libraries: Log4J, ``++java.util.logging++`` and Logback


----
// === Log4J 2 ===
import org.apache.logging.log4j.core.config.builder.api.ConfigurationBuilderFactory;
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.core.*;
import org.apache.logging.log4j.core.config.*;

// Sensitive: creating a new custom configuration 
abstract class CustomConfigFactory extends ConfigurationFactory {
    // ...
}

class A {
    void foo(Configuration config, LoggerContext context, java.util.Map<String, Level> levelMap,
            Appender appender, java.io.InputStream stream, java.net.URI uri,
            java.io.File file, java.net.URL url, String source, ClassLoader loader, Level level, Filter filter)
            throws java.io.IOException {
        // Creating a new custom configuration
        ConfigurationBuilderFactory.newConfigurationBuilder();  // Sensitive

        // Setting loggers level can result in writing sensitive information in production
        Configurator.setAllLevels("com.example", Level.DEBUG);  // Sensitive
        Configurator.setLevel("com.example", Level.DEBUG);  // Sensitive
        Configurator.setLevel(levelMap);  // Sensitive
        Configurator.setRootLevel(Level.DEBUG);  // Sensitive

        config.addAppender(appender); // Sensitive: this modifies the configuration

        LoggerConfig loggerConfig = config.getRootLogger();
        loggerConfig.addAppender(appender, level, filter); // Sensitive
        loggerConfig.setLevel(level); // Sensitive

        context.setConfigLocation(uri); // Sensitive

        // Load the configuration from a stream or file
        new ConfigurationSource(stream);  // Sensitive
        new ConfigurationSource(stream, file);  // Sensitive
        new ConfigurationSource(stream, url);  // Sensitive
        ConfigurationSource.fromResource(source, loader);  // Sensitive
        ConfigurationSource.fromUri(uri);  // Sensitive
    }
}
----

----
// === java.util.logging ===
import java.util.logging.*;

class M {
    void foo(LogManager logManager, Logger logger, java.io.InputStream is, Handler handler)
            throws SecurityException, java.io.IOException {
        logManager.readConfiguration(is); // Sensitive

        logger.setLevel(Level.FINEST); // Sensitive
        logger.addHandler(handler); // Sensitive
    }
}
----

----
// === Logback ===
import ch.qos.logback.classic.util.ContextInitializer;
import ch.qos.logback.core.Appender;
import ch.qos.logback.classic.joran.JoranConfigurator;
import ch.qos.logback.classic.spi.ILoggingEvent;
import ch.qos.logback.classic.*;

class M {
    void foo(Logger logger, Appender<ILoggingEvent> fileAppender) {
        System.setProperty(ContextInitializer.CONFIG_FILE_PROPERTY, "config.xml"); // Sensitive
        JoranConfigurator configurator = new JoranConfigurator(); // Sensitive

        logger.addAppender(fileAppender); // Sensitive
        logger.setLevel(Level.DEBUG); // Sensitive
    }
}
----

== Exceptions

Log4J 1.x is not covered as it has reached https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces[end of life].

include::../see.adoc[]

ifdef::env-github,rspecator-view[]
'''
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			This rule supports the following libraries: Log4J, ``++java.util.logging++`` and Logback
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`----`
			`// === Log4J 2 ===`
			`import org.apache.logging.log4j.core.config.builder.api.ConfigurationBuilderFactory;`
			`import org.apache.logging.log4j.Level;`
			`import org.apache.logging.log4j.core.*;`
			`import org.apache.logging.log4j.core.config.*;`

			`// Sensitive: creating a new custom configuration`
			`abstract class CustomConfigFactory extends ConfigurationFactory {`
			`// ...`
			`}`

			`class A {`
			`void foo(Configuration config, LoggerContext context, java.util.Map<String, Level> levelMap,`
			`Appender appender, java.io.InputStream stream, java.net.URI uri,`
			`java.io.File file, java.net.URL url, String source, ClassLoader loader, Level level, Filter filter)`
			`throws java.io.IOException {`
			`// Creating a new custom configuration`
			`ConfigurationBuilderFactory.newConfigurationBuilder(); // Sensitive`

			`// Setting loggers level can result in writing sensitive information in production`
			`Configurator.setAllLevels("com.example", Level.DEBUG); // Sensitive`
			`Configurator.setLevel("com.example", Level.DEBUG); // Sensitive`
			`Configurator.setLevel(levelMap); // Sensitive`
			`Configurator.setRootLevel(Level.DEBUG); // Sensitive`

			`config.addAppender(appender); // Sensitive: this modifies the configuration`

			`LoggerConfig loggerConfig = config.getRootLogger();`
			`loggerConfig.addAppender(appender, level, filter); // Sensitive`
			`loggerConfig.setLevel(level); // Sensitive`

			`context.setConfigLocation(uri); // Sensitive`

			`// Load the configuration from a stream or file`
			`new ConfigurationSource(stream); // Sensitive`
			`new ConfigurationSource(stream, file); // Sensitive`
			`new ConfigurationSource(stream, url); // Sensitive`
			`ConfigurationSource.fromResource(source, loader); // Sensitive`
			`ConfigurationSource.fromUri(uri); // Sensitive`
			`}`
			`}`
			`----`

			`----`
			`// === java.util.logging ===`
			`import java.util.logging.*;`

			`class M {`
			`void foo(LogManager logManager, Logger logger, java.io.InputStream is, Handler handler)`
			`throws SecurityException, java.io.IOException {`
			`logManager.readConfiguration(is); // Sensitive`

			`logger.setLevel(Level.FINEST); // Sensitive`
			`logger.addHandler(handler); // Sensitive`
			`}`
			`}`
			`----`

			`----`
			`// === Logback ===`
			`import ch.qos.logback.classic.util.ContextInitializer;`
			`import ch.qos.logback.core.Appender;`
			`import ch.qos.logback.classic.joran.JoranConfigurator;`
			`import ch.qos.logback.classic.spi.ILoggingEvent;`
			`import ch.qos.logback.classic.*;`

			`class M {`
			`void foo(Logger logger, Appender<ILoggingEvent> fileAppender) {`
			`System.setProperty(ContextInitializer.CONFIG_FILE_PROPERTY, "config.xml"); // Sensitive`
			`JoranConfigurator configurator = new JoranConfigurator(); // Sensitive`

			`logger.addAppender(fileAppender); // Sensitive`
			`logger.setLevel(Level.DEBUG); // Sensitive`
			`}`
			`}`
			`----`

			`== Exceptions`

			`Log4J 1.x is not covered as it has reached https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces[end of life].`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`