Merge branch 'bump-log4shell-cli-version' of github.com:lunasec-io/lu…

…nasec into bump-log4shell-cli-version

tools/log4shell/scan/scan.go

@@ -79,6 +79,14 @@ func (s *Log4jDirectoryScanner) Scan(
 			return
 		}
 
+		if info.Mode() & os.ModeSymlink != 0 {
+			// overwrite path and info with the resolved symlink file values
+			path, info, err = util.ResolveSymlinkFilePathAndInfo(path)
+			if err != nil {
+				return
+			}
+		}
+
 		fileExt := util.FileExt(path)
 		switch fileExt {
 		case constants.JarFileExt, constants.WarFileExt:
@@ -105,7 +113,7 @@ func (s *Log4jDirectoryScanner) scanLocatedArchive(
 		log.Warn().
 			Str("path", path).
 			Err(err).
-			Msg("unable to open archive")
+			Msg("unable to open located archive")
 		return
 	}
 	defer file.Close()
@@ -130,7 +138,7 @@ func (s *Log4jDirectoryScanner) scanArchiveForVulnerableFiles(
 		log.Warn().
 			Str("path", path).
 			Err(err).
-			Msg("unable to open archive")
+			Msg("unable to open archive for scanning")
 		return
 	}
 
@@ -169,7 +177,7 @@ func (s *Log4jDirectoryScanner) scanFile(
 			}
 			return
 		}
-		return s.scanArchive(path, file)
+		return s.scanEmbeddedArchive(path, file)
 	}
 	return
 }
@@ -191,7 +199,7 @@ func (s *Log4jDirectoryScanner) scanArchiveFile(
 	return s.processArchiveFile(reader, path, file.Name)
 }
 
-func (s *Log4jDirectoryScanner) scanArchive(
+func (s *Log4jDirectoryScanner) scanEmbeddedArchive(
 	path string,
 	file *zip.File,
 ) (findings []types.Finding) {
@@ -201,7 +209,7 @@ func (s *Log4jDirectoryScanner) scanArchive(
 			Str("classFile", file.Name).
 			Str("path", path).
 			Err(err).
-			Msg("unable to open archive")
+			Msg("unable to open embedded archive")
 		return
 	}
 	defer reader.Close()
@@ -212,7 +220,7 @@ func (s *Log4jDirectoryScanner) scanArchive(
 			Str("classFile", file.Name).
 			Str("path", path).
 			Err(err).
-			Msg("unable to read archive")
+			Msg("unable to read embedded archive")
 		return
 	}
 

tools/log4shell/test/vulnerable-log4j2-versions/not-jars/symlink-to-log4j-core-2.0.1.jar

@@ -0,0 +1 @@
+../apache/apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar

tools/log4shell/util/fs.go

@@ -15,7 +15,8 @@
 package util
 
 import (
-	"log"
+	"github.com/rs/zerolog/log"
+	"os"
 	"path/filepath"
 	"strings"
 )
@@ -27,7 +28,11 @@ func FileExt(path string) string {
 func searchDir(searchDir string, callback filepath.WalkFunc) {
 	err := filepath.Walk(searchDir, callback)
 	if err != nil {
-		log.Fatal(err)
+		log.Error().
+			Err(err).
+			Str("searchDir", searchDir).
+			Msg("Unable to walk directory")
+		panic(err)
 	}
 }
 
@@ -37,3 +42,25 @@ func SearchDirs(searchDirs []string, callback filepath.WalkFunc) {
 		searchDir(dir, callback)
 	}
 }
+
+func ResolveSymlinkFilePathAndInfo(symlinkPath string) (path string, info os.FileInfo, err error) {
+	path, err = filepath.EvalSymlinks(symlinkPath)
+	if err != nil {
+		log.Warn().
+			Str("path", path).
+			Err(err).
+			Msg("unable to read symlink to file")
+		return
+	}
+
+	// use file info of the resolved file
+	info, err = os.Lstat(path)
+	if err != nil {
+		log.Warn().
+			Str("path", path).
+			Err(err).
+			Msg("unable to read file info of symlink file")
+		return
+	}
+	return
+}