mergebase / log4j-detector

Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc) on your file-system within any application. It is able to even find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too!

Weird new File("blah") in nextByte

Kretikus opened this issue · comments

commented

After 1 Minute of Code Review, I found this weird line.

Does nobody look at the code before using it (with admin privileges)?

I noticed that as well. It appears to be a harmless remnant of testing/debugging code that wasn't cleaned up.

import java.io.File;
import java.io.IOException;
import java.io.InputStream;

// Shifts the four-byte sliding window left by one and appends the next byte from the stream.
private static int nextByte(int[] four, InputStream in) throws IOException {
    four[0] = four[1];
    four[1] = four[2];
    four[2] = four[3];
    four[3] = in.read();
    File f = new File("blah"); // leftover line under discussion: the result is never used
    return four[3];
}

There are other examples of code — for example, Strings.java — which seem 'strange', but make sense when you consider that this project was developed in a hurry and doesn't have any third-party dependencies.

commented

There are several companies which use this tool to scan all computers of all employees.
So my comment was not a criticism of the original authors, but more a call out to all the users of this software to do their own code review before using it!
Better would be a code contribution..., but I am not in charge of using this software on a corporate level.

Actually, I made a pull request for that in #77 already.