include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

This rule supports the following libraries: Log4J, ``++java.util.logging++`` and Logback


----
// === Log4J 2 ===
import org.apache.logging.log4j.core.config.builder.api.ConfigurationBuilderFactory;
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.core.*;
import org.apache.logging.log4j.core.config.*;

// Sensitive: creating a new custom configuration 
abstract class CustomConfigFactory extends ConfigurationFactory {
    // ...
}

class A {
    void foo(Configuration config, LoggerContext context, java.util.Map<String, Level> levelMap,
            Appender appender, java.io.InputStream stream, java.net.URI uri,
            java.io.File file, java.net.URL url, String source, ClassLoader loader, Level level, Filter filter)
            throws java.io.IOException {
        // Creating a new custom configuration
        ConfigurationBuilderFactory.newConfigurationBuilder();  // Sensitive

        // Setting loggers level can result in writing sensitive information in production
        Configurator.setAllLevels("com.example", Level.DEBUG);  // Sensitive
        Configurator.setLevel("com.example", Level.DEBUG);  // Sensitive
        Configurator.setLevel(levelMap);  // Sensitive
        Configurator.setRootLevel(Level.DEBUG);  // Sensitive

        config.addAppender(appender); // Sensitive: this modifies the configuration

        LoggerConfig loggerConfig = config.getRootLogger();
        loggerConfig.addAppender(appender, level, filter); // Sensitive
        loggerConfig.setLevel(level); // Sensitive

        context.setConfigLocation(uri); // Sensitive

        // Load the configuration from a stream or file
        new ConfigurationSource(stream);  // Sensitive
        new ConfigurationSource(stream, file);  // Sensitive
        new ConfigurationSource(stream, url);  // Sensitive
        ConfigurationSource.fromResource(source, loader);  // Sensitive
        ConfigurationSource.fromUri(uri);  // Sensitive
    }
}
----

----
// === java.util.logging ===
import java.util.logging.*;

class M {
    void foo(LogManager logManager, Logger logger, java.io.InputStream is, Handler handler)
            throws SecurityException, java.io.IOException {
        logManager.readConfiguration(is); // Sensitive

        logger.setLevel(Level.FINEST); // Sensitive
        logger.addHandler(handler); // Sensitive
    }
}
----

----
// === Logback ===
import ch.qos.logback.classic.util.ContextInitializer;
import ch.qos.logback.core.Appender;
import ch.qos.logback.classic.joran.JoranConfigurator;
import ch.qos.logback.classic.spi.ILoggingEvent;
import ch.qos.logback.classic.*;

class M {
    void foo(Logger logger, Appender<ILoggingEvent> fileAppender) {
        System.setProperty(ContextInitializer.CONFIG_FILE_PROPERTY, "config.xml"); // Sensitive
        JoranConfigurator configurator = new JoranConfigurator(); // Sensitive

        logger.addAppender(fileAppender); // Sensitive
        logger.setLevel(Level.DEBUG); // Sensitive
    }
}
----

== Exceptions

Log4J 1.x is not covered as it has reached https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces[end of life].

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 12 Sep 2018, 18:15:49 Nicolas Harraudeau wrote:
Note: For now we will not add support for configuration files.


However for the future this rule or another should also raise an issue on the first line of any file named ``++log4j2.xml++``, ``++log4j2-test.xml++``, ``++logback.xml++``, ``++logback-test.xml++``.

*Later* it would be great if it also raised an issue on the first line of files named

* ``++log4j2.json++``, ``++log4j2.jsn++``, ``++log4j2.yaml++``, ``++log4j2.yml++``, ``++log4j2.properties++``, ``++log4j2-test.json++``, ``++log4j2-test.jsn++``, ``++log4j2-test.yaml++``, ``++log4j2-test.yml++``, ``++log4j2-test.properties++``. See https://logging.apache.org/log4j/2.x/manual/configuration.html[Log4J 2 documentation ].
* ``++logback.groovy++`` See https://logback.qos.ch/manual/configuration.html[Logback documentation]

=== on 24 Oct 2018, 11:41:29 Nicolas Harraudeau wrote:
To investigate:

* ``++java.util.logging.LoggingMXBean#setLoggerLevel(String loggerName, String levelName)++`` could also be considered to raise an issue
* We could also raise issues for the logback library on classes extending ``++ch.qos.logback.classic.spi.Configurator++``

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]