Fixes after AVSS scanning #298
Merged
Add lock(LockObj) to AddFilter and ClearFilters to synchronize with FilterEvent under concurrent logging (CWE-362).
Release acquired mutex and decrement recursiveWatch when stream is null to prevent indefinite blocking of other processes (CWE-772)
…termination Wrap Close() in the finalizer with try-catch for non-fatal exceptions and move _isClosed into a finally block to prevent repeated finalization attempts (CWE-755)
046332d to 2a0a190
This was referenced Jun 26, 2026
Fixes for https://github.com/apache/tooling-agents/blob/main/ASVS/reports/logging-log4net/f57d7b3/issues.md
Issue: FINDING-001 - Filter chain modification methods lack synchronization, creating potential race with FilterEvent under active logging
Labels: bug, security, priority:low
Description:
Summary
The AddFilter and ClearFilters methods in AppenderSkeleton.cs lack proper synchronization, creating a race condition with FilterEvent during active logging operations. This can lead to inconsistent filter chain state, potentially causing filters to be skipped, NullReferenceException, or lost filter entries.
Details
CWE: CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization)
ASVS: 15.4.1 (L3)
Data Flow:
AddFilter (no lock) → modifies FilterHead/_tailFilter/filter.Next
FilterEvent (under LockObj in DoAppend) reads FilterHead and traverses f.Next
Attack Vector:
In-process code within the trust boundary calling AddFilter/ClearFilters concurrently with active logging—for example, during dynamic reconfiguration while the appender is receiving log events.
Impact:
Inconsistent filter chain state during traversal in FilterEvent, resulting in:
NullReferenceException during chain traversal
Remediation
Add lock(LockObj) to both AddFilter and ClearFilters methods to synchronize with the DoAppend hot path and ensure thread-safe filter chain modifications.
Acceptance Criteria
AddFilter method wrapped with lock(LockObj)
ClearFilters method wrapped with lock(LockObj)
References
src/log4net/Appender/AppenderSkeleton.cs
Priority
Low - Requires in-process code with concurrent reconfiguration during active logging. Limited to availability/integrity impact within the logging subsystem.
Issue: FINDING-002 - InterProcessLock Mutex Not Released When Underlying File Stream Is Null
Labels: bug, security, priority:low
Description:
Summary
When InterProcessLock.AcquireLock() is called and the underlying _stream is null (due to a prior file open failure), the named Mutex is acquired but never released. This causes a resource leak that blocks other processes attempting to use InterProcessLock on the same file, potentially leading to deadlock or resource exhaustion.
Details
CWE: CWE-772 (Missing Release of Resource after Effective Lifetime)
ASVS: 1.4.3 (L2)
Data Flow:
InterProcessLock.AcquireLock() called with _stream == null
_mutex.WaitOne() acquires the named Mutex
_recursiveWatch is incremented
FileAppender.Append) does not enter try/finally block
ReleaseLock() is never called
Attack Vector:
Not directly exploitable by external attackers. Requires environmental file open failure (e.g., permissions, disk full, file locked by another process).
Impact:
Remediation
Release the named Mutex immediately when AcquireLock() detects that _stream is null:
_recursiveWatch
_mutex.ReleaseMutex()
Ensure all code paths that acquire the mutex properly release it, even in error conditions.
Acceptance Criteria
_stream is null in AcquireLock()
_recursiveWatch properly decremented in error path
References
src/log4net/Appender/FileAppender.cs
Priority
Low - Requires environmental file system failure. Impact limited to inter-process synchronization and resource exhaustion within logging subsystem.
Issue: FINDING-003 - Finalizer path lacks exception protection, risking process termination
Labels: bug, security, priority:low
Description:
Summary
The ~AppenderSkeleton() finalizer calls Close() which in turn calls OnClose() without exception protection. An unhandled exception on the finalizer thread will terminate the entire process in .NET Framework 2.0+ and .NET Core/5+.
Details
CWE: CWE-755 (Improper Handling of Exceptional Conditions)
ASVS: 16.5.4 (L3)
Data Flow:
GC finalizer thread → ~AppenderSkeleton() → Close() → OnClose() (subclass implementation) → unhandled exception → process termination
Attack Vector:
If a subclass implementation of OnClose() throws an unhandled exception during finalization (e.g., due to resource cleanup failure, network timeout, or malformed state), the finalizer thread will propagate the exception and terminate the entire application process.
Impact:
Remediation
Close() in a try-catch block:
Close() itself with exception handling
_isClosed is set in a finally block to prevent repeated finalization attempts
Acceptance Criteria
_isClosed flag set in finally block
References
src/log4net/Appender/AppenderSkeleton.cs
Priority
Low - Requires specific failure conditions during finalization. However, impact is severe (process termination) when triggered. Recommend prioritizing fix despite low likelihood.
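Added example for FINDING-001, not code from this pull request or from log4net: a self-contained sketch of a filter chain whose writers and reader share one lock. SketchAppender, SketchFilter and CountFilters are hypothetical names; CountFilters stands in for the FilterEvent traversal.

```csharp
#nullable enable
using System;
using System.Threading.Tasks;

// Constructed stress run: 8 writers add 10,000 filters each while a reader walks the chain.
var appender = new SketchAppender();
var reader = Task.Run(() => { for (int i = 0; i < 100; i++) appender.CountFilters(); });
Parallel.For(0, 8, _ => { for (int i = 0; i < 10_000; i++) appender.AddFilter(new SketchFilter()); });
reader.Wait();
Console.WriteLine($"filters in chain: {appender.CountFilters()} (80000 added)");

sealed class SketchFilter { public SketchFilter? Next; }

// Hypothetical sketch of the pattern; not log4net's AppenderSkeleton source.
sealed class SketchAppender
{
    private readonly object _lockObj = new();
    private SketchFilter? _head, _tail;

    public void AddFilter(SketchFilter filter)
    {
        lock (_lockObj) // same lock the append path holds while traversing
        {
            if (_head is null) _head = _tail = filter;
            else { _tail!.Next = filter; _tail = filter; }
        }
    }

    public void ClearFilters()
    {
        lock (_lockObj) { _head = _tail = null; }
    }

    // Stands in for FilterEvent: walks the chain under the lock, as DoAppend does.
    public int CountFilters()
    {
        lock (_lockObj)
        {
            int n = 0;
            for (var f = _head; f is not null; f = f.Next) n++;
            return n;
        }
    }
}
```

Removing the lock from AddFilter lets concurrent writers overwrite each other's tail update, which is the lost-entry outcome the finding lists.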
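Added example for FINDING-002, not code from this pull request or from log4net: a sketch of an acquire path that undoes the mutex acquisition and the recursion counter when the stream is null, with a second thread standing in for another process. SketchInterProcessLock and the mutex name are hypothetical.

```csharp
#nullable enable
using System;
using System.IO;
using System.Threading;

string name = "sketch-" + Guid.NewGuid().ToString("N"); // constructed mutex name
using var broken = new SketchInterProcessLock(name, stream: null); // null models the failed open
Console.WriteLine($"stream returned: {broken.AcquireLock() is not null}");
Console.WriteLine($"recursiveWatch after failed acquire: {broken.RecursiveWatch}");

// A second thread stands in for another process contending on the same name.
bool acquired = false;
var other = new Thread(() =>
{
    using var m = new Mutex(false, name);
    acquired = m.WaitOne(TimeSpan.FromSeconds(1));
    if (acquired) m.ReleaseMutex();
});
other.Start(); other.Join();
Console.WriteLine($"other holder can acquire: {acquired}");

// Hypothetical sketch of the pattern; not log4net's InterProcessLock source.
sealed class SketchInterProcessLock : IDisposable
{
    private readonly Mutex _mutex;
    private readonly Stream? _stream;
    public int RecursiveWatch { get; private set; }

    public SketchInterProcessLock(string name, Stream? stream) =>
        (_mutex, _stream) = (new Mutex(false, name), stream);

    // Returns the stream with the mutex held, or null with nothing held.
    public Stream? AcquireLock()
    {
        _mutex.WaitOne();
        RecursiveWatch++;
        if (_stream is not null) return _stream;
        // Caller sees null and never calls ReleaseLock(), so undo both here.
        RecursiveWatch--;
        _mutex.ReleaseMutex();
        return null;
    }

    public void ReleaseLock()
    {
        if (RecursiveWatch > 0) { RecursiveWatch--; _mutex.ReleaseMutex(); }
    }
    public void Dispose() => _mutex.Dispose();
}
```

Without the two undo lines the calling thread keeps the mutex, and the second thread's WaitOne times out instead of succeeding.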
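Added example for FINDING-003, not code from this pull request or from log4net: a sketch of a finalizer that guards Close() and a Close() that sets the closed flag in a finally block. SketchAppender and ThrowingAppender are hypothetical, and treating only OutOfMemoryException as fatal is an assumption made for the sketch.

```csharp
using System;

// Constructed demo: drop an appender whose OnClose() throws, then force finalization.
static void MakeGarbage() => _ = new ThrowingAppender();
MakeGarbage();
GC.Collect();
GC.WaitForPendingFinalizers();
Console.WriteLine("process survived finalization");

// Hypothetical sketch of the pattern; not log4net's AppenderSkeleton source.
abstract class SketchAppender
{
    private readonly object _lockObj = new();
    private bool _isClosed;

    ~SketchAppender()
    {
        if (_isClosed) return;
        try { Close(); }
        catch (Exception e) when (e is not OutOfMemoryException) // assumed fatal set
        {
            // Swallowed: an exception escaping a finalizer terminates the process.
        }
    }

    public void Close()
    {
        lock (_lockObj)
        {
            if (_isClosed) return;
            try { OnClose(); }
            finally { _isClosed = true; } // set even when OnClose() throws
        }
    }

    protected abstract void OnClose();
}

sealed class ThrowingAppender : SketchAppender
{
    protected override void OnClose() => throw new InvalidOperationException("cleanup failed");
}
```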