ysjj-system/node_modules/snyk/dist/cli/989.index.js

"use strict";
exports.id = 989;
exports.ids = [989];
exports.modules = {

/***/ 60959:
/***/ ((__unused_webpack_module, exports) => {


/**
 * The content of this file is generated by a tool.
 * Don't edit it manually!
 * */
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.vulnerableSignatures = void 0;
exports.vulnerableSignatures = {
    IfBVtiwVRT8NeXCp2ZTKtw: {
        filename: 'JndiManager.class',
        versions: ['2.13.2', '2.13.1', '2.13.0', '2.13.3'],
    },
    CsWz5uabp3ZWg3mOZpowsg: {
        filename: 'log4j-core-2.13.2.jar',
        versions: ['2.13.2'],
    },
    '8MQ62soq/HHGzID4UbOIGA': {
        filename: 'log4j-core-2.4.1.jar',
        versions: ['2.4.1'],
    },
    RyyOH7qg5hUg4CXCVbXRaA: {
        filename: 'log4j-core-2.6.2.jar',
        versions: ['2.6.2'],
    },
    '7Q4xglxv2kNCP7ODV6QrPQ': {
        filename: 'MessagePatternConverter.class',
        versions: ['2.16.0'],
    },
    geBDOuAGAsDk0AQk0hOwqw: {
        filename: 'log4j-core-2.15.0.jar',
        versions: ['2.15.0'],
    },
    'miPB9v/sgl70HMwQVBogkA': {
        filename: 'JndiManager.java',
        versions: ['2.8.2-sources', '2.8-sources', '2.7-sources', '2.8.1-sources'],
    },
    WCRxHWxoFi61NcxNv3SF0w: {
        filename: 'JndiManager.class',
        versions: ['2.12.1', '2.12.0'],
    },
    'xtIzvI6c/l2mkAWdJ9n4jw': {
        filename: 'log4j-core-2.8.jar',
        versions: ['2.8'],
    },
    zH1V7WnMX9NANbFcbt95oA: {
        filename: 'log4j-core-2.13.3.jar',
        versions: ['2.13.3'],
    },
    'EQqz4+TzeAkh6O5d3jNzrQ': {
        filename: 'log4j-core-2.3.jar',
        versions: ['2.3'],
    },
    'VSPxRPrvK/ygijyosr7Nag': {
        filename: 'log4j-core-2.6.jar',
        versions: ['2.6'],
    },
    'C1fpJhCjMxrxWn6Q+LNTnQ': {
        filename: 'Interpolator.class',
        versions: ['2.16.0'],
    },
    'QVwT58hQX7BW1UDqwpty+g': {
        filename: 'JndiManager.class',
        versions: ['2.7', '2.8.1', '2.8'],
    },
    zXChiI7N0xHBmQ54SGfOHg: {
        filename: 'log4j-core-2.0.jar',
        versions: ['2.0'],
    },
    'txoT/V3yUWlPyhFiQAA7Ig': {
        filename: 'log4j-core-2.13.0.jar',
        versions: ['2.13.0'],
    },
    VHuz7S3rhW0OO713wnuWJQ: {
        filename: 'log4j-core-2.8.1.jar',
        versions: ['2.8.1'],
    },
    SlF3oXJ2S9pvRHK5S6F8yw: {
        filename: 'log4j-core-2.8.2.jar',
        versions: ['2.8.2'],
    },
    ToAy4jACKoyI3X1SbwtnCw: {
        filename: 'JndiManager.java',
        versions: [
            '2.9.0-sources',
            '2.9.1-sources',
            '2.10.0-sources',
            '2.11.0-sources',
            '2.11.1-sources',
        ],
    },
    'oZNwOQSj8Y+zyQqHfrXIpw': {
        filename: 'JndiManager.class',
        versions: ['2.8.2'],
    },
    '+/pfM6tLKab91SRz7nuDTQ': {
        filename: 'log4j-core-2.0.1.jar',
        versions: ['2.0.1'],
    },
    'Kr7CzmZeDVKaPyj/+7st0w': {
        filename: 'log4j-core-2.11.0.jar',
        versions: ['2.11.0'],
    },
    'AHnJByMGWZaPD8DkGmq8+Q': {
        filename: 'log4j-core-2.4.jar',
        versions: ['2.4'],
    },
    '3o0BzBX9DHT+qLu2aOKJ9Q': {
        filename: 'log4j-core-2.0-rc2.jar',
        versions: ['2.0-rc2.jar'],
    },
    'siQt4Gd75lFdbO+/SOfl1Q': {
        filename: 'log4j-core-2.11.1.jar',
        versions: ['2.11.1'],
    },
    jTMVRLLnsgrRZt68olUNcw: {
        filename: 'log4j-core-2.1.jar',
        versions: ['2.1'],
    },
    '3Q4+C0BAg+xpYYqrtQuKwA': {
        filename: 'log4j-core-2.5.jar',
        versions: ['2.5'],
    },
    BP3XAYCdF0ZcF8fmA7GyAg: {
        filename: 'JndiManager.class',
        versions: ['2.11.1', '2.9.1', '2.11.0', '2.11.2', '2.10.0', '2.9.0'],
    },
    FS7LPOCUrFvJ6jnWEi4oFA: {
        filename: 'log4j-core-2.0-beta9.jar',
        versions: ['2.0-beta9.jar'],
    },
    'SPfzzaUwMKh+jDh9jR5CZQ': {
        filename: 'log4j-core-2.6.1.jar',
        versions: ['2.6.1'],
    },
    'axX0LDM6w5q6z+7rGIUqRA': {
        filename: 'JndiManager.class',
        versions: ['2.1', '2.2', '2.3'],
    },
    'XkvKXtILlKsZu2WDbak/lg': {
        filename: 'log4j-core-2.2.jar',
        versions: ['2.2'],
    },
    lI3aeHWTNAp68aGOMot7fw: {
        filename: 'log4j-core-2.14.1.jar',
        versions: ['2.14.1'],
    },
    'K2Pg5QY/2sz2aaHiY4Tz/Q': {
        filename: 'log4j-core-2.7.jar',
        versions: ['2.7'],
    },
    'iyJgsczmQUT2MQh2+UsWOA': {
        filename: 'JndiManager.class',
        versions: ['2.4', '2.4.1', '2.5'],
    },
    'CI3xE60kmrcr8Zt/ALhj1Q': {
        filename: 'log4j-core-2.0-rc1.jar',
        versions: ['2.0-rc1.jar'],
    },
    '3JkBHwR+Y9zHQbWraNEW2w': {
        filename: 'log4j-core-2.10.0.jar',
        versions: ['2.10.0'],
    },
    'XFJ4IdEISn7z4D1AFE/1Mg': {
        filename: 'log4j-core-2.12.0.jar',
        versions: ['2.12.0'],
    },
    n0GSikGCAN4iMt0yblIsxw: {
        filename: 'log4j-core-2.16.0.jar',
        versions: ['2.16.0'],
    },
    'XSU+U/qZPhIv8BIiGqSeww': {
        filename: 'JndiManager.class',
        versions: ['2.15.0'],
    },
    'NbG1m0kl+RbQmdW4+7nykQ': {
        filename: 'JndiManager.java',
        versions: [
            '2.11.2-sources',
            '2.12.1-sources',
            '2.13.0-sources',
            '2.13.1-sources',
            '2.13.2-sources',
            '2.14.1-sources',
            '2.12.0-sources',
            '2.13.3-sources',
            '2.14.0-sources',
        ],
    },
    'Kn94Du0/K5zJ8p4blmlGjw': {
        filename: 'JndiManager.java',
        versions: [
            '2.4-sources',
            '2.2-sources',
            '2.3-sources',
            '2.5-sources',
            '2.6.1-sources',
            '2.6.2-sources',
            '2.6-sources',
            '2.1-sources',
            '2.4.1-sources',
        ],
    },
    '02XkgiFBT5P+7wk6G/YH7w': {
        filename: 'log4j-core-2.13.1.jar',
        versions: ['2.13.1'],
    },
    '+rZGJX+UWwsqfOPhw+POXw': {
        filename: 'log4j-core-2.9.0.jar',
        versions: ['2.9.0'],
    },
    'lC9Cnqy4AV4Y2PWZls++5g': {
        filename: 'log4j-core-2.9.1.jar',
        versions: ['2.9.1'],
    },
    'yL2LXFqqoHo9y/V94BySZg': {
        filename: 'log4j-core-2.11.2.jar',
        versions: ['2.11.2'],
    },
    ATi6HBkdXHVP0OPDphwDBw: {
        filename: 'log4j-core-2.12.1.jar',
        versions: ['2.12.1'],
    },
    'hiwAsuhU+cDx6NhAnSPYmQ': {
        filename: 'log4j-core-2.14.0.jar',
        versions: ['2.14.0'],
    },
    'uhz4+B57MccJdoVhuoq1WA': {
        filename: 'JndiManager.class',
        versions: ['2.16.0'],
    },
    'O9n0G4nOT+jMv3PkMZWlzg': {
        filename: 'JndiManager.class',
        versions: ['2.6.1', '2.6', '2.6.2'],
    },
    '8dYwxIkoCWpITkuVzLFioA': {
        filename: 'JndiManager.class',
        versions: ['2.14.0', '2.14.1'],
    },
    jAzz6wRxVKT44W2vWiCTGQ: {
        filename: 'log4j-core-2.0.2.jar',
        versions: ['2.0.2'],
    },
};


/***/ }),

/***/ 86989:
/***/ ((__unused_webpack_module, exports, __webpack_require__) => {


Object.defineProperty(exports, "__esModule", ({ value: true }));
const fs_1 = __webpack_require__(35747);
const crypto = __webpack_require__(76417);
const AdmZip = __webpack_require__(55285);
const ora = __webpack_require__(63395);
const semver = __webpack_require__(36625);
const log4shell_hashes_1 = __webpack_require__(60959);
const readFile = fs_1.promises.readFile;
const readDir = fs_1.promises.readdir;
const stat = fs_1.promises.stat;
const MAX_FILE_SIZE = 2 * 1024 * 1024 * 1024 - 1;
class Paths {
    constructor(paths) {
        this.paths = paths;
    }
    static empty() {
        return new Paths([]);
    }
    static fromZip(content, path) {
        try {
            const unzippedEntries = new AdmZip(content).getEntries();
            const entries = unzippedEntries.map((entry) => {
                return {
                    path: path + '/' + entry.entryName,
                    content: async () => entry.getData(),
                };
            });
            return new Paths(entries);
        }
        catch (error) {
            errors.push(error);
            return this.empty();
        }
    }
    static async fromDisk(paths) {
        try {
            const entries = paths.map((path) => {
                return {
                    path,
                    content: async () => await readFile(path),
                };
            });
            return new Paths(entries);
        }
        catch (error) {
            errors.push(error);
            return this.empty();
        }
    }
}
const errors = [];
async function startSpinner() {
    const spinner = ora({ isSilent: false, stream: process.stdout });
    spinner.text = `Looking for Log4Shell...`;
    spinner.start();
    return spinner;
}
// eslint-disable-next-line @typescript-eslint/no-unused-vars
async function log4shell(...args) {
    console.log('Please note this command is for already built artifacts. To test source code please use `snyk test`.');
    const signatures = new Array();
    const spinner = await startSpinner();
    const paths = await find('.');
    await parsePaths(await Paths.fromDisk(paths), signatures);
    spinner.stop();
    console.log('\nResults:');
    const issues = filterJndi(signatures);
    if (issues.length == 0) {
        console.log('No known vulnerable version of Log4J was detected');
        return;
    }
    const rceIssues = [];
    const dosIssues = [];
    issues.forEach((issue) => {
        issue.path = issue.path.replace(/(.*org\/apache\/logging\/log4j\/core).*/, '$1');
        if (issue.exploitType === 'Log4Shell') {
            rceIssues.push(issue);
        }
        if (issue.exploitType === 'DoS') {
            dosIssues.push(issue);
        }
    });
    if (rceIssues.length > 0) {
        displayIssues('A version of Log4J that is vulnerable to Log4Shell was detected:', rceIssues);
        displayRemediation('Log4Shell');
    }
    if (dosIssues.length > 0) {
        displayIssues('A version of Log4J that is vulnerable to CVE-2021-45105 (Denial of Service) was detected:', dosIssues);
        displayRemediation('DoS');
    }
    exitWithError();
}
exports.default = log4shell;
async function parsePaths(ctx, accumulator) {
    for (const { path, content } of ctx.paths) {
        if (!isArchiveOrJndi(path)) {
            continue;
        }
        const signature = await computeSignature(await content());
        const isVulnerable = signature in log4shell_hashes_1.vulnerableSignatures;
        if (isVulnerable || path.includes('JndiLookup')) {
            await append(path, signature, accumulator);
            continue;
        }
        if (!isVulnerable && isJavaArchive(path)) {
            await parsePaths(Paths.fromZip(await content(), path), accumulator);
        }
    }
}
async function computeSignature(content) {
    return crypto
        .createHash('md5')
        .update(content)
        .digest('base64')
        .replace(/=/g, '');
}
async function find(path) {
    const result = [];
    await traverse(path, (filePath, stats) => {
        if (!stats.isFile() || stats.size > MAX_FILE_SIZE) {
            return;
        }
        result.push(filePath);
    });
    return result;
}
async function traverse(path, handle) {
    try {
        const stats = await stat(path);
        if (!stats.isDirectory()) {
            handle(path, stats);
            return;
        }
        const entries = await readDir(path);
        for (const entry of entries) {
            const absolute = path + '/' + entry;
            await traverse(absolute, handle);
        }
    }
    catch (error) {
        errors.push(error);
    }
}
async function computeExploitType(signatureDetails) {
    for (const version of signatureDetails.versions) {
        const coercedVersion = semver.coerce(version);
        if (coercedVersion === null) {
            continue;
        }
        if (semver.lt(coercedVersion, '2.16.0')) {
            return 'Log4Shell';
        }
        if (semver.satisfies(coercedVersion, '2.16.x')) {
            return 'DoS';
        }
    }
    return 'Unknown';
}
function displayIssues(message, signatures) {
    console.log(message);
    signatures.forEach((signature) => {
        console.log(`\t${signature.path}`);
    });
}
function displayRemediation(exploitType) {
    switch (exploitType) {
        case 'Log4Shell':
            console.log(`\nWe highly recommend fixing this vulnerability. If it cannot be fixed by upgrading, see mitigation information here:
      \t- https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720
      \t- https://snyk.io/blog/log4shell-remediation-cheat-sheet/\n`);
            break;
        case 'DoS':
            console.log(`\nWe recommend fixing this vulnerability by upgrading to a later version. To learn more about this vulnerability, see:
      \t- https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524\n`);
            break;
        default:
            break;
    }
}
function isJavaArchive(path) {
    return path.endsWith('.jar') || path.endsWith('.war') || path.endsWith('ear');
}
function isArchiveOrJndi(path) {
    return (isJavaArchive(path) ||
        path.includes('JndiManager') ||
        path.includes('JndiLookup'));
}
async function append(path, signature, accumulator) {
    const exploitType = log4shell_hashes_1.vulnerableSignatures[signature]
        ? await computeExploitType(log4shell_hashes_1.vulnerableSignatures[signature])
        : 'Unknown';
    accumulator.push({
        value: signature,
        path,
        exploitType,
    });
}
function filterJndi(signatures) {
    return signatures.filter((signature) => {
        if (isJavaArchive(signature.path)) {
            return true;
        }
        if (signature.path.includes('JndiManager')) {
            const jndiManagerPathIndex = signature.path.indexOf('/net/JndiManager.class');
            const jndiLookupPath = signature.path.substr(0, jndiManagerPathIndex) + '/lookup/JndiLookup';
            const isJndiLookupPresent = signatures.find((element) => element.path.includes(jndiLookupPath));
            return !!isJndiLookupPresent;
        }
        return false;
    });
}
function exitWithError() {
    const err = new Error();
    err.code = 'VULNS';
    throw err;
}


/***/ })

};
;
//# sourceMappingURL=989.index.js.map