ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S4792/java/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

130 lines
4.7 KiB
Plaintext
Raw Blame History

include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
This rule supports the following libraries: Log4J, ``++java.util.logging++`` and Logback
----
// === Log4J 2 ===
import org.apache.logging.log4j.core.config.builder.api.ConfigurationBuilderFactory;
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.core.*;
import org.apache.logging.log4j.core.config.*;
// Sensitive: creating a new custom configuration
abstract class CustomConfigFactory extends ConfigurationFactory {
// ...
}
class A {
void foo(Configuration config, LoggerContext context, java.util.Map<String, Level> levelMap,
Appender appender, java.io.InputStream stream, java.net.URI uri,
java.io.File file, java.net.URL url, String source, ClassLoader loader, Level level, Filter filter)
throws java.io.IOException {
// Creating a new custom configuration
ConfigurationBuilderFactory.newConfigurationBuilder(); // Sensitive
// Setting loggers level can result in writing sensitive information in production
Configurator.setAllLevels("com.example", Level.DEBUG); // Sensitive
Configurator.setLevel("com.example", Level.DEBUG); // Sensitive
Configurator.setLevel(levelMap); // Sensitive
Configurator.setRootLevel(Level.DEBUG); // Sensitive
config.addAppender(appender); // Sensitive: this modifies the configuration
LoggerConfig loggerConfig = config.getRootLogger();
loggerConfig.addAppender(appender, level, filter); // Sensitive
loggerConfig.setLevel(level); // Sensitive
context.setConfigLocation(uri); // Sensitive
// Load the configuration from a stream or file
new ConfigurationSource(stream); // Sensitive
new ConfigurationSource(stream, file); // Sensitive
new ConfigurationSource(stream, url); // Sensitive
ConfigurationSource.fromResource(source, loader); // Sensitive
ConfigurationSource.fromUri(uri); // Sensitive
}
}
----
----
// === java.util.logging ===
import java.util.logging.*;
class M {
void foo(LogManager logManager, Logger logger, java.io.InputStream is, Handler handler)
throws SecurityException, java.io.IOException {
logManager.readConfiguration(is); // Sensitive
logger.setLevel(Level.FINEST); // Sensitive
logger.addHandler(handler); // Sensitive
}
}
----
----
// === Logback ===
import ch.qos.logback.classic.util.ContextInitializer;
import ch.qos.logback.core.Appender;
import ch.qos.logback.classic.joran.JoranConfigurator;
import ch.qos.logback.classic.spi.ILoggingEvent;
import ch.qos.logback.classic.*;
class M {
void foo(Logger logger, Appender<ILoggingEvent> fileAppender) {
System.setProperty(ContextInitializer.CONFIG_FILE_PROPERTY, "config.xml"); // Sensitive
JoranConfigurator configurator = new JoranConfigurator(); // Sensitive
logger.addAppender(fileAppender); // Sensitive
logger.setLevel(Level.DEBUG); // Sensitive
}
}
----
== Exceptions
Log4J 1.x is not covered as it has reached https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces[end of life].
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
include::../highlighting.adoc[]
'''
== Comments And Links
(visible only on this page)
=== on 12 Sep 2018, 18:15:49 Nicolas Harraudeau wrote:
Note: For now we will not add support for configuration files.
However for the future this rule or another should also raise an issue on the first line of any file named ``++log4j2.xml++``, ``++log4j2-test.xml++``, ``++logback.xml++``, ``++logback-test.xml++``.
*Later* it would be great if it also raised an issue on the first line of files named
* ``++log4j2.json++``, ``++log4j2.jsn++``, ``++log4j2.yaml++``, ``++log4j2.yml++``, ``++log4j2.properties++``, ``++log4j2-test.json++``, ``++log4j2-test.jsn++``, ``++log4j2-test.yaml++``, ``++log4j2-test.yml++``, ``++log4j2-test.properties++``. See https://logging.apache.org/log4j/2.x/manual/configuration.html[Log4J 2 documentation ].
* ``++logback.groovy++`` See https://logback.qos.ch/manual/configuration.html[Logback documentation]
=== on 24 Oct 2018, 11:41:29 Nicolas Harraudeau wrote:
To investigate:
* ``++java.util.logging.LoggingMXBean#setLoggerLevel(String loggerName, String levelName)++`` could also be considered to raise an issue
* We could also raise issues for the logback library on classes extending ``++ch.qos.logback.classic.spi.Configurator++``
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink