Merge pull request #11730 from cmaglie/remove_log4j

Remove log4j, to fix current and future CVEs.

Author: cmaglie

app/.classpath

@@ -38,8 +38,6 @@
 	<classpathentry kind="lib" path="lib/jmdns-3.5.5.jar"/>
 	<classpathentry kind="lib" path="lib/slf4j-api-1.7.22.jar"/>
 	<classpathentry kind="lib" path="lib/slf4j-simple-1.7.22.jar"/>
-	<classpathentry kind="lib" path="lib/log4j-api-2.16.0.jar"/>
-	<classpathentry kind="lib" path="lib/log4j-core-2.16.0.jar"/>
 	<classpathentry kind="lib" path="lib/jsch-0.1.50.jar"/>
 	<classpathentry kind="lib" path="lib/rsyntaxtextarea-3.0.3-SNAPSHOT.jar"/>
 	<classpathentry kind="lib" path="lib/xml-apis-1.3.04.jar"/>

app/build.xml

@@ -80,10 +80,6 @@
 	   includeAntRuntime="false"
 	   debug="true"
 	   classpathref="class.path" />
-    <!-- If you want to add files in the jars -->
-    <copy todir="bin" overwrite="true" verbose="true">
-      <fileset dir="src" includes="log4j2.xml" />
-    </copy>
   </target>
 
   <target name="test" depends="compile" description="Runs the test">

app/lib/log4j-api-2.16.0.jar

@@ -35,7 +35,6 @@
 import cc.arduino.contributions.packages.ContributionInstaller;
 import cc.arduino.contributions.packages.filters.UpdatablePlatformPredicate;
 import cc.arduino.view.NotificationPopup;
-import org.apache.logging.log4j.LogManager;
 import processing.app.*;
 
 import javax.swing.*;
@@ -160,12 +159,14 @@ public void windowGainedFocus(WindowEvent evt) {
 
   private void goToManager(String link) {
     try {
-      ((UpdatableBoardsLibsFakeURLsHandler) hyperlinkListener).openBoardLibManager(new URL(link));
-    }
-      catch (Exception e){
-        LogManager.getLogger(ContributionsSelfCheck.class).warn("Exception while attempting to go to board manager", e);
+      ((UpdatableBoardsLibsFakeURLsHandler) hyperlinkListener)
+          .openBoardLibManager(new URL(link));
+    } catch (Exception e) {
+      System.err.println("Error while attempting to open board manager: "
+                         + e.getMessage());
     }
   }
+
   // callback for boards button
   public void onOptionalButton1Callback() {
     goToManager(boardsManagerURL);

app/lib/log4j-core-2.16.0.jar

@@ -220,12 +220,6 @@ public Base(String[] args) throws Exception {
     parser.parseArgumentsPhase1();
     commandLine = !parser.isGuiMode();
 
-    // This configure the logs root folder
-    if (parser.isGuiMode()) {
-        System.out.println("Set log4j store directory " + BaseNoGui.getSettingsFolder().getAbsolutePath());
-    }
-    System.setProperty("log4j.dir", BaseNoGui.getSettingsFolder().getAbsolutePath());
-
     BaseNoGui.checkInstallationFolder();
 
     // If no path is set, get the default sketchbook folder for this platform

app/src/cc/arduino/contributions/ContributionsSelfCheck.java

@@ -8,8 +8,6 @@
 	<classpathentry kind="lib" path="lib/jmdns-3.5.5.jar"/>
 	<classpathentry kind="lib" path="lib/slf4j-api-1.7.22.jar"/>
 	<classpathentry kind="lib" path="lib/slf4j-simple-1.7.22.jar"/>
-	<classpathentry kind="lib" path="lib/log4j-api-2.16.0.jar"/>
-	<classpathentry kind="lib" path="lib/log4j-core-2.16.0.jar"/>
 	<classpathentry kind="lib" path="lib/jsch-0.1.50.jar"/>
 	<classpathentry kind="lib" path="lib/commons-exec-1.1.jar"/>
 	<classpathentry kind="lib" path="../app/lib/commons-httpclient-3.1.jar"/>

app/src/log4j2.xml

@@ -34,8 +34,6 @@
 import cc.arduino.utils.Progress;
 import cc.arduino.utils.network.FileDownloader;
 import org.apache.commons.io.FilenameUtils;
-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.Logger;
 import processing.app.BaseNoGui;
 import processing.app.PreferencesData;
 
@@ -48,8 +46,6 @@
 import static processing.app.I18n.tr;
 
 public class DownloadableContributionsDownloader {
-  private static Logger log = LogManager.getLogger(DownloadableContributionsDownloader.class);
-
   private final File stagingFolder;
 
   public DownloadableContributionsDownloader(File _stagingFolder) {
@@ -151,7 +147,6 @@ public void download(URL url, File tmpFile, Progress progress, String statusText
   }
 
   public void downloadIndexAndSignature(MultiStepProgress progress, URL packageIndexUrl, ProgressListener progressListener, SignatureVerifier signatureVerifier) throws Exception {
-
     // Extract the file name from the url
     final String indexFileName = FilenameUtils.getName(packageIndexUrl.getPath());
     final File packageIndex = BaseNoGui.indexer.getIndexFile(indexFileName);
@@ -169,16 +164,13 @@ public void downloadIndexAndSignature(MultiStepProgress progress, URL packageInd
         if (checkSignature(progress, signatureUrl, progressListener, signatureVerifier, statusText, packageIndexTemp)) {
           Files.move(packageIndexTemp.toPath(), packageIndex.toPath(), StandardCopyOption.REPLACE_EXISTING);
         } else {
-          log.info("The cached files have been removed. {} {}", packageIndexUrl, signatureUrl);
           FileDownloader.invalidateFiles(packageIndexUrl, signatureUrl);
         }
       } else {
         // Move the package index to the destination when the signature is not necessary
         Files.move(packageIndexTemp.toPath(), packageIndex.toPath(), StandardCopyOption.REPLACE_EXISTING);
-        log.info("The domain is not selected to verify the signature. will be copied into this path {}, packageIndex url: {}", packageIndex, packageIndexUrl);
       }
     } catch (Exception e) {
-      log.error("Cannot download the package index from {} the package will be discard", packageIndexUrl, e);
       throw e;
     } finally {
       // Delete useless temp file
@@ -196,49 +188,39 @@ public boolean verifyDomain(URL url) {
     if (domain.contains(url.getHost())) {
       return true;
     } else {
-      log.info("The domain is not selected to verify the signature. domain list: {}, url: {}", domain, url);
       return false;
     }
   }
 
   public boolean checkSignature(MultiStepProgress progress, URL signatureUrl, ProgressListener progressListener, SignatureVerifier signatureVerifier, String statusText, File fileToVerify) throws Exception {
-
-
     // Signature file name
     final String signatureFileName = FilenameUtils.getName(signatureUrl.getPath());
     final File packageIndexSignature = BaseNoGui.indexer.getIndexFile(signatureFileName);
     final File packageIndexSignatureTemp = File.createTempFile(signatureFileName, ".tmp");
 
-
     try {
       // Download signature
       download(signatureUrl, packageIndexSignatureTemp, progress, statusText, progressListener, true);
 
       if (PreferencesData.areInsecurePackagesAllowed()) {
         Files.move(packageIndexSignatureTemp.toPath(), packageIndexSignature.toPath(), StandardCopyOption.REPLACE_EXISTING);
-        log.info("Allowing insecure packages because allow_insecure_packages is set to true in preferences.txt" +
-          " but the signature was download");
         return true;
       }
 
       // Verify the signature before move the files
       final boolean signatureVerified = signatureVerifier.isSigned(fileToVerify, packageIndexSignatureTemp);
       if (signatureVerified) {
-        log.info("Signature verified. url={}, signature url={}, file to verify={}, signature file={}", signatureUrl, signatureUrl, fileToVerify, packageIndexSignatureTemp);
         // Move if the signature is ok
         Files.move(packageIndexSignatureTemp.toPath(), packageIndexSignature.toPath(), StandardCopyOption.REPLACE_EXISTING);
       } else {
-        log.error("{} file signature verification failed. File ignored.", signatureUrl);
         System.err.println(format(tr("{0} file signature verification failed. File ignored."), signatureUrl.toString()));
       }
       return signatureVerified;
     } catch (Exception e) {
-      log.error("Cannot download the signature from {} the package will be discard", signatureUrl, e);
       throw e;
     } finally {
       Files.deleteIfExists(packageIndexSignatureTemp.toPath());
     }
-
   }
 
 }

app/src/processing/app/Base.java

@@ -38,8 +38,6 @@
 import cc.arduino.utils.MultiStepProgress;
 import cc.arduino.utils.network.FileDownloader;
 import org.apache.commons.io.FilenameUtils;
-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.Logger;
 import processing.app.BaseNoGui;
 import processing.app.I18n;
 import processing.app.Platform;
@@ -57,8 +55,6 @@
 import static processing.app.I18n.tr;
 
 public class LibraryInstaller {
-  private static Logger log = LogManager.getLogger(LibraryInstaller.class);
-
   private final Platform platform;
   private final GPGDetachedSignatureVerifier signatureVerifier;
 
@@ -97,10 +93,7 @@ public synchronized void updateIndex(ProgressListener progressListener) throws E
         }
       } else {
         FileDownloader.invalidateFiles(libraryGzURL, libraryURL, signatureUrl);
-        log.error("Fail to verify the signature of {} the cached files have been removed", libraryURL);
       }
-    } else {
-      log.info("The domain is not selected to verify the signature. library index: {}", signatureUrl);
     }
 
     // Step 2: Parse index

arduino-core/.classpath

@@ -41,8 +41,6 @@
 import org.apache.commons.exec.DefaultExecutor;
 import org.apache.commons.exec.Executor;
 import org.apache.commons.exec.PumpStreamHandler;
-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.Logger;
 import processing.app.BaseNoGui;
 import processing.app.I18n;
 import processing.app.Platform;
@@ -64,8 +62,6 @@
 import static processing.app.I18n.tr;
 
 public class ContributionInstaller {
-  private static Logger log = LogManager.getLogger(ContributionInstaller.class);
-
   private final Platform platform;
   private final SignatureVerifier signatureVerifier;
 
@@ -271,8 +267,6 @@ public synchronized List<String> remove(ContributedPlatform contributedPlatform)
         Files.delete(destFolder.getParentFile().toPath());
       } catch (Exception e) {
         // ignore
-        log.info("The directory is not empty there is another version installed. directory {}",
-          destFolder.getParentFile().toPath(),  e);
       }
     }
 
@@ -298,15 +292,12 @@ public synchronized void updateIndex(ProgressListener progressListener) {
         // Extract the file name from the URL
         final URL packageIndexURL = new URL(packageIndexURLString);
 
-        log.info("Start download and signature check of={}", packageIndexURLs);
         downloader.downloadIndexAndSignature(progress, packageIndexURL, progressListener, signatureVerifier);
       } catch (Exception e) {
-        log.error(e.getMessage(), e);
         System.err.println(e.getMessage());
       }
     }
 
     progress.stepDone();
-    log.info("Downloaded package index URL={}", packageIndexURLs);
   }
 }

arduino-core/lib/log4j-api-2.16.0.jar

@@ -30,8 +30,6 @@
 package cc.arduino.utils.network;
 
 import org.apache.commons.compress.utils.IOUtils;
-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.Logger;
 import processing.app.helpers.FileUtils;
 
 import javax.script.ScriptException;
@@ -50,8 +48,6 @@
 import java.util.Optional;
 
 public class FileDownloader extends Observable {
-  private static Logger log = LogManager.getLogger(FileDownloader.class);
-
   public enum Status {
     CONNECTING, //
     CONNECTION_TIMEOUT_ERROR, //
@@ -146,17 +142,16 @@ public static void invalidateFiles(URL... filesUrl) {
       try {
         FileDownloaderCache.getFileCached(url).ifPresent(fileCached -> {
           try {
-            log.info("Invalidate this file {} that comes from {}", fileCached.getLocalPath(), fileCached.getRemoteURL());
             fileCached.invalidateCache();
           } catch (Exception e) {
-            log.warn("Fail to invalidate cache", e);
+            System.err.println("Error invalidating cached file " + fileCached.getLocalPath() + " that comes from "
+                + fileCached.getRemoteURL() + ": " + e.getMessage());
           }
         });
       } catch (URISyntaxException | NoSuchMethodException | ScriptException | IOException e) {
-        log.warn("Fail to get the file cached during the file invalidation", e);
+        System.err.println("Fail to get the file cached during the file invalidation" + e.getMessage());
       }
     });
-
   }
 
   private void downloadFile(boolean noResume) throws InterruptedException {
@@ -171,7 +166,6 @@ private void downloadFile(boolean noResume) throws InterruptedException {
         final Optional<File> fileFromCache = getFileCached(fileCached);
         if (fileCached.isNotChange() && fileFromCache.isPresent()) {
           // Copy the cached file in the destination file
-          log.info("The file will be taken from the cache {}", fileFromCache);
           FileUtils.copyFile(fileFromCache.get(), outputFile);
         } else {
           openConnectionAndFillTheFile(noResume);
@@ -191,34 +185,23 @@ private void downloadFile(boolean noResume) throws InterruptedException {
     } catch (SocketTimeoutException e) {
       setStatus(Status.CONNECTION_TIMEOUT_ERROR);
       setError(e);
-      log.error("The request went in socket timeout", e);
 
     } catch (Exception e) {
       setStatus(Status.ERROR);
       setError(e);
-      log.error("The request stop", e);
     }
 
   }
 
   private Optional<File> getFileCached(FileDownloaderCache.FileCached fileCached) {
-
     try {
-      final Optional<File> fileFromCache =
-        fileCached.getFileFromCache();
+      final Optional<File> fileFromCache = fileCached.getFileFromCache();
       if (fileFromCache.isPresent()) {
-        log.info("No need to download using cached file: {}", fileCached);
         return fileFromCache;
-      } else {
-        log.info(
-          "The file in the cache is not in the path or the md5 validation failed: path={}, file exist={}, md5 validation={}",
-          fileCached.getLocalPath(), fileCached.exists(), fileCached.md5Check());
       }
     } catch (Exception e) {
-      log.warn(
-        "Cannot get the file from the cache, will be downloaded a new one ", e);
+      // Cannot get the file from the cache, download a new one
     }
-    log.info("The file is change {}", fileCached);
     return Optional.empty();
   }