Skip to content

Commit

Permalink
Merge pull request #37 from javabeanz/log4j2-update
Browse files Browse the repository at this point in the history
Log4j2 update
  • Loading branch information
augustd authored Mar 21, 2018
2 parents 6a8c418 + 0b5b7a9 commit 92460a6
Show file tree
Hide file tree
Showing 11 changed files with 186 additions and 160 deletions.
2 changes: 1 addition & 1 deletion owasp-security-logging-common/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
<parent>
<artifactId>security-logging</artifactId>
<groupId>org.owasp</groupId>
<version>1.1.5</version>
<version>1.1.6</version>
<relativePath>../pom.xml</relativePath>
</parent>
<artifactId>security-logging-common</artifactId>
Expand Down
4 changes: 2 additions & 2 deletions owasp-security-logging-log4j/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
<parent>
<artifactId>security-logging</artifactId>
<groupId>org.owasp</groupId>
<version>1.1.5</version>
<version>1.1.6</version>
<relativePath>../pom.xml</relativePath>
</parent>
<artifactId>security-logging-log4j</artifactId>
Expand All @@ -31,7 +31,7 @@
<url>https://github.com/javabeanz/owasp-security-logging</url>
</scm>
<properties>
<log4j.version>2.2</log4j.version>
<log4j.version>2.8.2</log4j.version>
</properties>
<dependencies>
<dependency>
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
/*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.owasp.security.logging.log4j;

import java.util.Iterator;
import org.apache.logging.log4j.Marker;
import org.apache.logging.log4j.MarkerManager;

/**
*
* @author August Detlefsen [[email protected]]
*/
public class Log4JMarkerConverter {

public static Marker convertMarker(org.slf4j.Marker input) {
Marker output = MarkerManager.getMarker(input.getName());

if (input.hasReferences()) {
Iterator i = input.iterator();
while (i.hasNext()) {
org.slf4j.Marker ref = (org.slf4j.Marker)i.next();
output.addParents(convertMarker(ref));
}
}
return output;
}

}
Original file line number Diff line number Diff line change
Expand Up @@ -32,56 +32,60 @@
public class MaskingRewritePolicy implements RewritePolicy {

public static final Object MASKED_PASSWORD = "********";
@PluginFactory
public static MaskingRewritePolicy createPolicy() {
return new MaskingRewritePolicy();
}

@PluginFactory
public static MaskingRewritePolicy createPolicy() {
return new MaskingRewritePolicy();
}

/**
* Rewrite the event.
*
* @param source
* a logging event that may be returned or used to create a new
* logging event.
*
* @param source a logging event that may be returned or used to create a
* new logging event.
* @return The LogEvent after rewriting.
*/
@Override
@Override
public LogEvent rewrite(LogEvent source) {
// get the markers for the log event. If no markers, nothing can be
// tagged confidential and we can return
Marker sourceMarker = source.getMarker();
if (sourceMarker == null)
if (sourceMarker == null) {
return source;
}

// get the message. If no message we can return
final Message msg = source.getMessage();
if (msg == null || !(msg instanceof ParameterizedMessage))
if (msg == null || !(msg instanceof ParameterizedMessage)) {
return source;
}

// get the parameters. If no params we can return
Object[] params = msg.getParameters();
if (params == null || params.length == 0)
if (params == null || params.length == 0) {
return source;
}

// check if this event is actually marked as confidential. If not,
// return
Log4jMarker eventMarker = new Log4jMarker(sourceMarker);
if (!eventMarker.contains(SecurityMarkers.CONFIDENTIAL))
if (!eventMarker.contains(SecurityMarkers.CONFIDENTIAL)) {
return source;
}

// we have a message, parameters, a marker, and it is confidential.
// Process
for (int i = 0; i < params.length; i++) {
params[i] = MASKED_PASSWORD;
}

// create new message
Message outMessage = new ParameterizedMessage(msg.getFormat(), params,
msg.getThrowable());
LogEvent output = new Log4jLogEvent(source.getLoggerName(),
source.getMarker(), source.getLoggerFqcn(), source.getLevel(),
outMessage, source.getThrown(), source.getContextMap(),
source.getContextStack(), source.getThreadName(),
source.getSource(), source.getTimeMillis());

// build new log event for output
LogEvent output = new Log4jLogEvent.Builder(source)
.setMessage(outMessage).build();

return output;
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@

import org.apache.logging.log4j.core.Filter;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.junit.InitialLoggerContext;
import org.apache.logging.log4j.junit.LoggerContextRule;
import org.apache.logging.log4j.test.appender.ListAppender;
import org.junit.After;
import org.junit.Before;
Expand All @@ -40,8 +40,7 @@ public class ExcludeClassifiedMarkerFilterTest {
.getLogger(ExcludeClassifiedMarkerFilterTest.class);

@ClassRule
public static InitialLoggerContext context = new InitialLoggerContext(
CONFIG);
public static LoggerContextRule context = new LoggerContextRule(CONFIG);

ListAppender appender;

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13,19 +13,12 @@
*/
package org.owasp.security.logging.log4j;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

import org.apache.logging.log4j.core.Filter;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.junit.InitialLoggerContext;
import org.apache.logging.log4j.junit.LoggerContextRule;
import org.apache.logging.log4j.test.appender.ListAppender;
import org.junit.After;
import org.junit.Before;
import org.junit.ClassRule;
import org.junit.Test;
import org.owasp.security.logging.SecurityMarkers;
import org.owasp.security.logging.log4j.filter.ExcludeClassifiedMarkerFilter;

/**
*
Expand All @@ -39,8 +32,7 @@ public class PureLog4jTest {
.getLogger(PureLog4jTest.class);

@ClassRule
public static InitialLoggerContext context = new InitialLoggerContext(
CONFIG);
public static LoggerContextRule context = new LoggerContextRule(CONFIG);

ListAppender appender;

Expand All @@ -63,7 +55,7 @@ public void test() {
LOGGER.error("Monster!");
}

/*
/*
@Test
public void testRaw() {
// create a new marker filter
Expand Down Expand Up @@ -134,6 +126,6 @@ public void testRaw() {
LogEvent multiSecurityEvent = appender.getEvents().get(9);
assertEquals(Filter.Result.DENY, mkt.filter(multiSecurityEvent));
}
*/
*/

}
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@

import org.apache.logging.log4j.core.Filter;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.junit.InitialLoggerContext;
import org.apache.logging.log4j.junit.LoggerContextRule;
import org.apache.logging.log4j.test.appender.ListAppender;
import org.junit.After;
import org.junit.Before;
Expand All @@ -42,8 +42,7 @@ public class SecurityMarkerFilterTest {
.getLogger(SecurityMarkerFilterTest.class);

@ClassRule
public static InitialLoggerContext context = new InitialLoggerContext(
CONFIG);
public static LoggerContextRule context = new LoggerContextRule(CONFIG);

ListAppender appender;

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@

import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.pattern.EncodingPatternConverter;
import org.apache.logging.log4j.junit.InitialLoggerContext;
import org.apache.logging.log4j.junit.LoggerContextRule;
import org.apache.logging.log4j.test.appender.ListAppender;
import org.junit.After;
import org.junit.Before;
Expand All @@ -30,7 +30,7 @@
/**
* Log4j already includes a converter to escape carriage returns and line feeds.
* This test just verifies that it works as expected.
*
*
* @author August Detlefsen [[email protected]]
*/
@RunWith(MockitoJUnitRunner.class)
Expand All @@ -39,8 +39,7 @@ public class CRLFConverterTest {
private static final String CONFIG = "log4j2.xml";

@ClassRule
public static InitialLoggerContext context = new InitialLoggerContext(
CONFIG);
public static final LoggerContextRule context = new LoggerContextRule(CONFIG);

private static final org.slf4j.Logger LOGGER = LoggerFactory
.getLogger(CRLFConverterTest.class);
Expand Down
Loading

0 comments on commit 92460a6

Please sign in to comment.