add portable fat jar support

tothi · Feb 4, 2022 · 4a230a9 · 4a230a9
1 parent 993385b
commit 4a230a9
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 12 deletions.
diff --git a/README.md b/README.md
@@ -14,6 +14,8 @@ Gradle wrapper should solve everything. Simply git clone the repo:
 git clone https://github.com/tothi/log4shell-vulnerable-app
 ```
 
+### running with gradle wrapper
+
 And in the project dir with the file [build.gradle](./build.gradle),
 simply run:
 
@@ -27,7 +29,37 @@ or on Windows platform:
 .\gradlew.bat appRun
 ```
 
-(JDK is needed.)
+JDK is needed. Versions 8 and 11 were tested and are working, 17 seems to
+have issues.
+
+### building a portable fat jar
+
+This method builds a one-file portable fat JAR including an embedded
+Tomcat server.
+
+Simply run the gradle wrapper with the configured `shadowJar' task:
+
+```
+./gradlew shadowJar
+```
+
+or on Windows platform:
+
+```
+.\gradlew.bat shadowJar
+```
+
+The compiled and packages JAR file will be built in the folder `./build/libs`.
+
+It is portable and can be launched using JRE:
+
+```
+java -jar ./build/libs/log4shell-vulnerable-app-all.jar
+```
+
+The all-in-one portable JAR is available on the [releases page](https://github.com/tothi/log4shell-vulnerable-app/releases) here in the repo.
+
+### interacting with the vulnerable application
 
 The vulnerable application should listen on _all_ interfaces by
 default (DANGEROUS behavior if you run it on a production box).

diff --git a/build.gradle b/build.gradle
@@ -1,6 +1,8 @@
 plugins {
   id "war"
   id "org.gretty" version "3.0.5"
+  id "com.github.johnrengelman.shadow" version "7.1.2"
+  id "java"
 }
 
 sourceCompatibility = "1.8"
@@ -12,9 +14,29 @@ repositories {
 
 dependencies {
   implementation 'org.apache.logging.log4j:log4j-core:2.14.1'
+  if (project.gradle.startParameter.taskNames.first().contains("shadow")) {
+    implementation 'org.apache.tomcat.embed:tomcat-embed-jasper:8.5.75'
+  }
 }
 
 gretty {
   contextPath = 'app'
   servletContainer = 'tomcat85'
 }
+
+sourceSets {
+  main {
+    java {
+      srcDir 'src'
+      if (!project.gradle.startParameter.taskNames.first().contains("shadow")) {
+        exclude '**/launch/**'
+      }
+    }
+  }
+}
+
+jar {
+  manifest {
+    attributes('Main-Class': 'launch.Main')
+  }
+}
diff --git a/src/main/java/dvl4wa/VulnServlet.java b/src/main/java/dvl4wa/VulnServlet.java
@@ -12,7 +12,7 @@
 
 public class VulnServlet extends HttpServlet {
   protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException {
-    Logger logger = LogManager.getLogger();
+    Logger logger = LogManager.getLogger(VulnServlet.class);
     try {
       Map<String, String> headers = Collections.list(req.getHeaderNames()).stream().collect(Collectors.toMap(h -> h, req::getHeader));
       res.setContentType("text/plain; charset=utf-8");

diff --git a/tomcat.xml b/tomcat.xml