Medium severityNVD Advisory· Published Dec 19, 2024· Updated Apr 15, 2026

CVE-2024-12798

CVE-2024-12798

Description

An arbitrary code execution (ACE) vulnerability in JaninoEventEvaluator in QOS.CH logback-core, versions 0.1 through 1.3.14 and 1.4.0 through 1.5.12, allows an attacker to execute arbitrary code in Java applications by compromising an existing logback configuration file or by injecting an environment variable before program execution.

Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension.

A successful attack requires the attacker to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privileges.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
| --- | --- | --- | --- |
| ch.qos.logback:logback-core | Maven | >= 1.4.0, < 1.5.13 | 1.5.13 |
| ch.qos.logback:logback-core | Maven | < 1.3.15 | 1.3.15 |

Patches

1
2cb6d520df75

remove JaninoEventEvaluator

https://github.com/qos-ch/logback · Ceki Gulcu · Dec 18, 2024 · via ghsa
11 files changed · +41 686
  • logback-classic-blackbox/src/test/java/ch/qos/logback/classic/blackbox/boolex/BlackboxJaninoEventEvaluatorTest.java+0 291 removed
    @@ -1,291 +0,0 @@
    -/*
    - * Logback: the reliable, generic, fast and flexible logging framework.
    - * Copyright (C) 1999-2022, QOS.ch. All rights reserved.
    - *
    - * This program and the accompanying materials are dual-licensed under
    - * either the terms of the Eclipse Public License v1.0 as published by
    - * the Eclipse Foundation
    - *
    - *   or (per the licensee's choosing)
    - *
    - * under the terms of the GNU Lesser General Public License version 2.1
    - * as published by the Free Software Foundation.
    - */
    -package ch.qos.logback.classic.blackbox.boolex;
    -
    -import java.io.IOException;
    -import java.util.List;
    -
    -import ch.qos.logback.classic.boolex.JaninoEventEvaluator;
    -import ch.qos.logback.classic.util.LogbackMDCAdapter;
    -import org.junit.jupiter.api.BeforeEach;
    -import org.junit.jupiter.api.Disabled;
    -import org.junit.jupiter.api.Test;
    -import org.slf4j.MDC;
    -import org.slf4j.Marker;
    -import org.slf4j.MarkerFactory;
    -
    -import ch.qos.logback.classic.Level;
    -import ch.qos.logback.classic.Logger;
    -import ch.qos.logback.classic.LoggerContext;
    -import ch.qos.logback.classic.spi.ILoggingEvent;
    -import ch.qos.logback.classic.spi.LoggingEvent;
    -import ch.qos.logback.core.boolex.EvaluationException;
    -import ch.qos.logback.core.boolex.JaninoEventEvaluatorBase;
    -import ch.qos.logback.core.boolex.Matcher;
    -import ch.qos.logback.core.filter.EvaluatorFilter;
    -import ch.qos.logback.core.spi.FilterReply;
    -import ch.qos.logback.core.testUtil.RandomUtil;
    -import ch.qos.logback.core.util.StatusPrinter;
    -
    -import static org.junit.jupiter.api.Assertions.assertEquals;
    -import static org.junit.jupiter.api.Assertions.assertFalse;
    -import static org.junit.jupiter.api.Assertions.assertTrue;
    -import static org.junit.jupiter.api.Assertions.fail;
    -
    -public class BlackboxJaninoEventEvaluatorTest {
    -
    -    LoggerContext loggerContext = new LoggerContext();
    -    LogbackMDCAdapter logbackMDCAdapter = new LogbackMDCAdapter();
    -    Logger logger = loggerContext.getLogger(BlackboxJaninoEventEvaluatorTest.class);
    -
    -    Matcher matcherX = new Matcher();
    -
    -    JaninoEventEvaluator jee = new JaninoEventEvaluator();
    -
    -    int diff = RandomUtil.getPositiveInt();
    -
    -    @BeforeEach
    -    public void setup()  {
    -        loggerContext.setMDCAdapter(logbackMDCAdapter);
    -        jee.setContext(loggerContext);
    -
    -        matcherX.setName("x");
    -        matcherX.setRegex("^Some\\s.*");
    -        matcherX.start();
    -
    -    }
    -
    -    LoggingEvent makeLoggingEvent(Exception ex) {
    -        return new LoggingEvent(ch.qos.logback.core.pattern.FormattingConverter.class.getName(), logger, Level.INFO,
    -                "Some message", ex, null);
    -    }
    -
    -    @Test
    -    public void testBasic() throws Exception {
    -        jee.setExpression("message.equals(\"Some message\")");
    -        jee.start();
    -
    -        StatusPrinter.print(loggerContext);
    -        ILoggingEvent event = makeLoggingEvent(null);
    -        assertTrue(jee.evaluate(event));
    -    }
    -
    -    @Test
    -    public void testLevel() throws Exception {
    -        jee.setExpression("level > DEBUG");
    -        jee.start();
    -
    -        ILoggingEvent event = makeLoggingEvent(null);
    -        assertTrue(jee.evaluate(event));
    -    }
    -
    -    @Test
    -    public void testtimeStamp() throws Exception {
    -        jee.setExpression("timeStamp > 10");
    -        jee.start();
    -
    -        ILoggingEvent event = makeLoggingEvent(null);
    -        assertTrue(jee.evaluate(event));
    -    }
    -
    -    @Test
    -    public void testWithMatcher() throws Exception {
    -        jee.setExpression("x.matches(message)");
    -        jee.addMatcher(matcherX);
    -        jee.start();
    -
    -        ILoggingEvent event = makeLoggingEvent(null);
    -        assertTrue(jee.evaluate(event));
    -    }
    -
    -    @Test
    -    public void mdcAsString() throws Exception {
    -        String k = "key" + diff;
    -
    -        logbackMDCAdapter.put("key" + diff, "value" + diff);
    -        jee.setExpression("((String) mdc.get(\"" + k + "\")).contains(\"alue\")");
    -        jee.start();
    -        StatusPrinter.printInCaseOfErrorsOrWarnings(loggerContext);
    -
    -        LoggingEvent event = makeLoggingEvent(null);
    -        assertTrue(jee.evaluate(event));
    -        logbackMDCAdapter.remove(k);
    -    }
    -
    -    @Test
    -    public void markerList() throws Exception {
    -
    -        jee.setExpression("markerList.contains(\"BLUE\")");
    -        jee.start();
    -
    -        LoggingEvent event = makeLoggingEvent(null);
    -        event.addMarker(MarkerFactory.getMarker("BLUE"));
    -        StatusPrinter.print(loggerContext);
    -        assertTrue(jee.evaluate(event));
    -    }
    -
    -    @Test
    -    public void marker() throws Exception {
    -
    -        jee.setExpression("marker.contains(\"BLUE\")");
    -        jee.start();
    -
    -        LoggingEvent event = makeLoggingEvent(null);
    -        event.addMarker(MarkerFactory.getMarker("BLUE"));
    -        StatusPrinter.print(loggerContext);
    -        assertTrue(jee.evaluate(event));
    -    }
    -
    -    // LBCORE_118
    -    @Test
    -    public void withNullMarker_LOGBACK_63() throws Exception {
    -        jee.setExpression("marker.contains(\"BLUE\")");
    -        jee.start();
    -
    -        ILoggingEvent event = makeLoggingEvent(null);
    -        try {
    -            jee.evaluate(event);
    -            fail("We should not reach this point");
    -        } catch (EvaluationException ee) {
    -            // received an exception as expected
    -        }
    -    }
    -
    -    @Test
    -    public void evaluatorFilterWithNullMarker_LBCORE_118() throws Exception {
    -        EvaluatorFilter<ILoggingEvent> ef = new EvaluatorFilter<ILoggingEvent>();
    -        ef.setContext(loggerContext);
    -
    -        ef.setOnMatch(FilterReply.ACCEPT);
    -        ef.setOnMismatch(FilterReply.DENY);
    -
    -        jee.setExpression("marker.contains(\"BLUE\")");
    -        jee.start();
    -
    -        ef.setEvaluator(jee);
    -        ef.start();
    -        ILoggingEvent event = makeLoggingEvent(null);
    -        assertEquals(FilterReply.NEUTRAL, ef.decide(event));
    -
    -    }
    -
    -    @Test
    -    public void testComplex() throws Exception {
    -        jee.setExpression("level >= INFO && x.matches(message)");
    -        jee.addMatcher(matcherX);
    -        jee.start();
    -
    -        LoggingEvent event = makeLoggingEvent(null);
    -        event.addMarker(MarkerFactory.getMarker("BLUE"));
    -        assertTrue(jee.evaluate(event));
    -    }
    -
    -    /**
    -     * check that evaluator with bogus exp does not start
    -     * 
    -     * @throws Exception
    -     */
    -    @Test
    -    public void testBogusExp1() {
    -        jee.setExpression("mzzzz.get(\"key\").equals(null)");
    -        jee.setName("bogus");
    -        jee.start();
    -
    -        assertFalse(jee.isStarted());
    -    }
    -
    -    // check that eval stops after errors
    -    @Test
    -    public void testBogusExp2() {
    -        jee.setExpression("mdc.get(\"keyXN89\").equals(null)");
    -        jee.setName("bogus");
    -        jee.start();
    -
    -        assertTrue(jee.isStarted());
    -
    -        ILoggingEvent event = makeLoggingEvent(null);
    -
    -        for (int i = 0; i < JaninoEventEvaluatorBase.ERROR_THRESHOLD; i++) {
    -            try {
    -                jee.evaluate(event);
    -                fail("should throw an exception");
    -            } catch (EvaluationException e) {
    -            }
    -        }
    -        // after a few attempts the evaluator should processPriorToRemoval
    -        assertFalse(jee.isStarted());
    -
    -    }
    -
    -    static final long LEN = 10 * 1000;
    -
    -    // with 6 parameters 400 nanos
    -    // with 7 parameters 460 nanos (all levels + selected fields from
    -    // LoggingEvent)
    -    // with 10 parameters 510 nanos (all levels + fields)
    -    void loop(JaninoEventEvaluator jee, String msg) throws Exception {
    -        ILoggingEvent event = makeLoggingEvent(null);
    -        // final long start = System.nanoTime();
    -        for (int i = 0; i < LEN; i++) {
    -            jee.evaluate(event);
    -        }
    -        // final long end = System.nanoTime();
    -        // System.out.println(msg + (end - start) / LEN + " nanos");
    -    }
    -
    -    @Test
    -    public void testLoop1() throws Exception {
    -        jee.setExpression("timeStamp > 10");
    -        jee.start();
    -
    -        loop(jee, "timestamp > 10]: ");
    -    }
    -
    -    @Test
    -    public void testLoop2() throws Exception {
    -        jee.setExpression("x.matches(message)");
    -        jee.addMatcher(matcherX);
    -        jee.start();
    -
    -        loop(jee, "x.matches(message): ");
    -    }
    -
    -    @Test
    -    public void throwable_LBCLASSIC_155_I() throws EvaluationException {
    -        jee.setExpression("throwable instanceof java.io.IOException");
    -        jee.start();
    -
    -        LoggingEvent event = makeLoggingEvent(new IOException(""));
    -        assertTrue(jee.evaluate(event));
    -    }
    -
    -    @Test
    -    public void throwable_LBCLASSIC_155_II() throws EvaluationException {
    -        jee.setExpression("throwableProxy.getClassName().contains(\"IO\")");
    -        jee.start();
    -
    -        LoggingEvent event = makeLoggingEvent(new IOException(""));
    -        assertTrue(jee.evaluate(event));
    -    }
    -
    -    @Test
    -    public void nullMDC() throws EvaluationException {
    -        MDC.clear();
    -        jee.setExpression("mdc.isEmpty()");
    -        jee.start();
    -
    -        LoggingEvent event = makeLoggingEvent(null);
    -        assertTrue(jee.evaluate(event));
    -    }
    -}
    
  • logback-classic-blackbox/src/test/java/ch/qos/logback/classic/blackbox/joran/BlackboxJoranConfiguratorTest.java+3 0 modified
    @@ -27,6 +27,7 @@
     import ch.qos.logback.core.testUtil.RandomUtil;
     import ch.qos.logback.core.testUtil.StringListAppender;
     import ch.qos.logback.core.util.StatusPrinter;
    +import org.junit.jupiter.api.Disabled;
     import org.junit.jupiter.api.Test;
     
     import java.io.IOException;
    @@ -71,6 +72,7 @@ public void eval() throws JoranException {
             assertTrue(str1.contains(" DEBUG - hello world"));
         }
     
    +    @Disabled
         @Test
         public void testEvaluatorFilter() throws JoranException {
             configure(BlackboxClassicTestConstants.JORAN_INPUT_PREFIX + "evaluatorFilter.xml");
    @@ -89,6 +91,7 @@ public void testEvaluatorFilter() throws JoranException {
             assertEquals("hello", back.getMessage());
         }
     
    +    @Disabled
         @Test
         public void testEvaluatorFilterWithImports() throws JoranException {
             configure(BlackboxClassicTestConstants.JORAN_INPUT_PREFIX + "evaluatorFilterWithImports.xml");
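Review bot: The two `@Disabled` annotations added above `testEvaluatorFilter` and `testEvaluatorFilterWithImports` carry no reason, so nothing in the file records that these tests were switched off because the evaluator they configure was removed for security reasons. JUnit 5 accepts a reason string, e.g. `@Disabled("JaninoEventEvaluator removed; evaluatorFilter.xml no longer has a default evaluator")`. Leaving them disabled also leaves the `<evaluator>` configuration path without coverage; presumably a follow-up should either delete the tests with their XML fixtures or replace them with a test asserting that such a configuration is now reported as an error. Both test bodies continue outside the hunks.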
    
  • logback-classic-blackbox/src/test/java/module-info.java+0 2 modified
    @@ -16,8 +16,6 @@
     
         requires java.logging;
     
    -    exports ch.qos.logback.classic.blackbox.boolex;
    -
         exports ch.qos.logback.classic.blackbox.joran;
         exports ch.qos.logback.classic.blackbox.joran.conditional;
         exports ch.qos.logback.classic.blackbox.joran.spi;
    
  • logback-classic/src/main/java/ch/qos/logback/classic/boolex/JaninoEventEvaluator.java+0 157 removed
    @@ -1,157 +0,0 @@
    -/**
    - * Logback: the reliable, generic, fast and flexible logging framework.
    - * Copyright (C) 1999-2015, QOS.ch. All rights reserved.
    - *
    - * This program and the accompanying materials are dual-licensed under
    - * either the terms of the Eclipse Public License v1.0 as published by
    - * the Eclipse Foundation
    - *
    - *   or (per the licensee's choosing)
    - *
    - * under the terms of the GNU Lesser General Public License version 2.1
    - * as published by the Free Software Foundation.
    - */
    -package ch.qos.logback.classic.boolex;
    -
    -import java.util.ArrayList;
    -import java.util.List;
    -import java.util.Map;
    -
    -import ch.qos.logback.classic.Level;
    -import ch.qos.logback.classic.spi.ILoggingEvent;
    -import ch.qos.logback.classic.spi.IThrowableProxy;
    -import ch.qos.logback.classic.spi.LoggerContextVO;
    -import ch.qos.logback.classic.spi.ThrowableProxy;
    -import ch.qos.logback.core.CoreConstants;
    -import ch.qos.logback.core.boolex.JaninoEventEvaluatorBase;
    -import ch.qos.logback.core.boolex.Matcher;
    -import org.slf4j.Marker;
    -
    -public class JaninoEventEvaluator extends JaninoEventEvaluatorBase<ILoggingEvent> {
    -
    -    public final static String IMPORT_LEVEL = "import ch.qos.logback.classic.Level;\r\n";
    -
    -    public final static List<String> DEFAULT_PARAM_NAME_LIST = new ArrayList<>();
    -    public final static List<Class<?>> DEFAULT_PARAM_TYPE_LIST = new ArrayList<>();
    -
    -    static {
    -        DEFAULT_PARAM_NAME_LIST.add("DEBUG");
    -        DEFAULT_PARAM_NAME_LIST.add("INFO");
    -        DEFAULT_PARAM_NAME_LIST.add("WARN");
    -        DEFAULT_PARAM_NAME_LIST.add("ERROR");
    -
    -        DEFAULT_PARAM_NAME_LIST.add("event");
    -        DEFAULT_PARAM_NAME_LIST.add("message");
    -
    -        DEFAULT_PARAM_NAME_LIST.add("formattedMessage");
    -        DEFAULT_PARAM_NAME_LIST.add("logger");
    -        DEFAULT_PARAM_NAME_LIST.add("loggerContext");
    -        DEFAULT_PARAM_NAME_LIST.add("level");
    -        DEFAULT_PARAM_NAME_LIST.add("timeStamp");
    -        DEFAULT_PARAM_NAME_LIST.add("marker");
    -        DEFAULT_PARAM_NAME_LIST.add("markerList");
    -        DEFAULT_PARAM_NAME_LIST.add("mdc");
    -        DEFAULT_PARAM_NAME_LIST.add("throwableProxy");
    -        DEFAULT_PARAM_NAME_LIST.add("throwable");
    -
    -        DEFAULT_PARAM_TYPE_LIST.add(int.class);
    -        DEFAULT_PARAM_TYPE_LIST.add(int.class);
    -        DEFAULT_PARAM_TYPE_LIST.add(int.class);
    -        DEFAULT_PARAM_TYPE_LIST.add(int.class);
    -
    -        DEFAULT_PARAM_TYPE_LIST.add(ILoggingEvent.class);
    -        DEFAULT_PARAM_TYPE_LIST.add(String.class);
    -        DEFAULT_PARAM_TYPE_LIST.add(String.class);
    -        DEFAULT_PARAM_TYPE_LIST.add(String.class);
    -        DEFAULT_PARAM_TYPE_LIST.add(LoggerContextVO.class);
    -        DEFAULT_PARAM_TYPE_LIST.add(int.class);
    -        DEFAULT_PARAM_TYPE_LIST.add(long.class);
    -        DEFAULT_PARAM_TYPE_LIST.add(Marker.class);
    -        DEFAULT_PARAM_TYPE_LIST.add(MarkerList.class);
    -        DEFAULT_PARAM_TYPE_LIST.add(Map.class);
    -        DEFAULT_PARAM_TYPE_LIST.add(IThrowableProxy.class);
    -        DEFAULT_PARAM_TYPE_LIST.add(Throwable.class);
    -    }
    -
    -    protected String getDecoratedExpression() {
    -        String expression = getExpression();
    -        if (!expression.contains("return")) {
    -            expression = "return " + expression + ";";
    -            addInfo("Adding [return] prefix and a semicolon suffix. Expression becomes [" + expression + "]");
    -            addInfo("See also " + CoreConstants.CODES_URL + "#block");
    -
    -        }
    -        return IMPORT_LEVEL + expression;
    -    }
    -
    -    protected String[] getParameterNames() {
    -        List<String> fullNameList = new ArrayList<String>();
    -        fullNameList.addAll(DEFAULT_PARAM_NAME_LIST);
    -
    -        for (int i = 0; i < matcherList.size(); i++) {
    -            Matcher m = (Matcher) matcherList.get(i);
    -            fullNameList.add(m.getName());
    -        }
    -
    -        return (String[]) fullNameList.toArray(CoreConstants.EMPTY_STRING_ARRAY);
    -    }
    -
    -    protected Class<?>[] getParameterTypes() {
    -        List<Class<?>> fullTypeList = new ArrayList<>();
    -        fullTypeList.addAll(DEFAULT_PARAM_TYPE_LIST);
    -        for (int i = 0; i < matcherList.size(); i++) {
    -            fullTypeList.add(Matcher.class);
    -        }
    -        return (Class[]) fullTypeList.toArray(CoreConstants.EMPTY_CLASS_ARRAY);
    -    }
    -
    -    protected Object[] getParameterValues(ILoggingEvent loggingEvent) {
    -        final int matcherListSize = matcherList.size();
    -
    -        int i = 0;
    -        Object[] values = new Object[DEFAULT_PARAM_NAME_LIST.size() + matcherListSize];
    -
    -        values[i++] = Level.DEBUG_INTEGER;
    -        values[i++] = Level.INFO_INTEGER;
    -        values[i++] = Level.WARN_INTEGER;
    -        values[i++] = Level.ERROR_INTEGER;
    -
    -        values[i++] = loggingEvent;
    -        values[i++] = loggingEvent.getMessage();
    -        values[i++] = loggingEvent.getFormattedMessage();
    -        values[i++] = loggingEvent.getLoggerName();
    -        values[i++] = loggingEvent.getLoggerContextVO();
    -        values[i++] = loggingEvent.getLevel().toInteger();
    -        values[i++] = loggingEvent.getTimeStamp();
    -//        // In order to avoid NullPointerException, we could push a dummy marker if
    -//        // the event's marker is null. However, this would surprise user who
    -//        // expect to see a null marker instead of a dummy one.
    -
    -        MarkerList markerList = new MarkerList(loggingEvent.getMarkerList());
    -        Marker marker = markerList.getFirstMarker();
    -        values[i++] = marker;
    -        values[i++] = markerList;
    -
    -        values[i++] = loggingEvent.getMDCPropertyMap();
    -
    -        IThrowableProxy iThrowableProxy = loggingEvent.getThrowableProxy();
    -
    -        if (iThrowableProxy != null) {
    -            values[i++] = iThrowableProxy;
    -            if (iThrowableProxy instanceof ThrowableProxy) {
    -                values[i++] = ((ThrowableProxy) iThrowableProxy).getThrowable();
    -            } else {
    -                values[i++] = null;
    -            }
    -        } else {
    -            values[i++] = null;
    -            values[i++] = null;
    -        }
    -
    -        for (int j = 0; j < matcherListSize; j++) {
    -            values[i++] = (Matcher) matcherList.get(j);
    -        }
    -
    -        return values;
    -    }
    -}
    
  • logback-classic/src/main/java/ch/qos/logback/classic/joran/action/ClassicEvaluatorAction.java+0 23 removed
    @@ -1,23 +0,0 @@
    -/**
    - * Logback: the reliable, generic, fast and flexible logging framework.
    - * Copyright (C) 1999-2015, QOS.ch. All rights reserved.
    - *
    - * This program and the accompanying materials are dual-licensed under
    - * either the terms of the Eclipse Public License v1.0 as published by
    - * the Eclipse Foundation
    - *
    - *   or (per the licensee's choosing)
    - *
    - * under the terms of the GNU Lesser General Public License version 2.1
    - * as published by the Free Software Foundation.
    - */
    -package ch.qos.logback.classic.joran.action;
    -
    -import ch.qos.logback.classic.boolex.JaninoEventEvaluator;
    -import ch.qos.logback.core.joran.action.EventEvaluatorAction;
    -
    -public class ClassicEvaluatorAction extends EventEvaluatorAction {
    -    protected String defaultClassName() {
    -        return JaninoEventEvaluator.class.getName();
    -    }
    -}
    
  • logback-classic/src/main/java/ch/qos/logback/classic/model/processor/LogbackClassicDefaultNestedComponentRules.java+0 3 modified
    @@ -17,7 +17,6 @@
     import java.util.List;
     
     import ch.qos.logback.classic.PatternLayout;
    -import ch.qos.logback.classic.boolex.JaninoEventEvaluator;
     import ch.qos.logback.classic.encoder.PatternLayoutEncoder;
     import ch.qos.logback.core.AppenderBase;
     import ch.qos.logback.core.UnsynchronizedAppenderBase;
    @@ -50,8 +49,6 @@ static public void addDefaultNestedComponentRegistryRules(DefaultNestedComponent
             registry.add(AppenderBase.class, "encoder", PatternLayoutEncoder.class);
             registry.add(UnsynchronizedAppenderBase.class, "encoder", PatternLayoutEncoder.class);
     
    -        registry.add(EvaluatorFilter.class, "evaluator", JaninoEventEvaluator.class);
    -
             SSLNestedComponentRegistryRules.addDefaultNestedComponentRegistryRules(registry);
         }
     
    
  • logback-classic/src/test/java/ch/qos/logback/classic/joran/EvaluatorJoranTest.java+0 112 removed
    @@ -1,112 +0,0 @@
    -/**
    - * Logback: the reliable, generic, fast and flexible logging framework.
    - * Copyright (C) 1999-2015, QOS.ch. All rights reserved.
    - *
    - * This program and the accompanying materials are dual-licensed under
    - * either the terms of the Eclipse Public License v1.0 as published by
    - * the Eclipse Foundation
    - *
    - *   or (per the licensee's choosing)
    - *
    - * under the terms of the GNU Lesser General Public License version 2.1
    - * as published by the Free Software Foundation.
    - */
    -package ch.qos.logback.classic.joran;
    -
    -import java.util.Map;
    -
    -import org.junit.jupiter.api.Disabled;
    -import org.junit.jupiter.api.Test;
    -import org.slf4j.Marker;
    -import org.slf4j.MarkerFactory;
    -
    -import ch.qos.logback.classic.ClassicTestConstants;
    -import ch.qos.logback.classic.Level;
    -import ch.qos.logback.classic.Logger;
    -import ch.qos.logback.classic.LoggerContext;
    -import ch.qos.logback.classic.boolex.JaninoEventEvaluator;
    -import ch.qos.logback.classic.spi.ILoggingEvent;
    -import ch.qos.logback.classic.spi.LoggingEvent;
    -import ch.qos.logback.core.CoreConstants;
    -import ch.qos.logback.core.boolex.EvaluationException;
    -import ch.qos.logback.core.boolex.EventEvaluator;
    -import ch.qos.logback.core.joran.spi.JoranException;
    -
    -import static org.junit.jupiter.api.Assertions.assertFalse;
    -import static org.junit.jupiter.api.Assertions.assertNotNull;
    -import static org.junit.jupiter.api.Assertions.assertTrue;
    -
    -@Disabled
    -public class EvaluatorJoranTest {
    -
    -    @Test
    -    public void testSimpleEvaluator() throws NullPointerException, EvaluationException, JoranException {
    -        JoranConfigurator jc = new JoranConfigurator();
    -        LoggerContext loggerContext = new LoggerContext();
    -        jc.setContext(loggerContext);
    -        jc.doConfigure(ClassicTestConstants.JORAN_INPUT_PREFIX + "simpleEvaluator.xml");
    -
    -        @SuppressWarnings("unchecked")
    -        Map<String, EventEvaluator<?>> evalMap = (Map<String, EventEvaluator<?>>) loggerContext
    -                .getObject(CoreConstants.EVALUATOR_MAP);
    -        assertNotNull(evalMap);
    -        JaninoEventEvaluator evaluator = (JaninoEventEvaluator) evalMap.get("msgEval");
    -        assertNotNull(evaluator);
    -
    -        Logger logger = loggerContext.getLogger("xx");
    -        ILoggingEvent event0 = new LoggingEvent("foo", logger, Level.DEBUG, "Hello world", null, null);
    -        assertTrue(evaluator.evaluate(event0));
    -
    -        ILoggingEvent event1 = new LoggingEvent("foo", logger, Level.DEBUG, "random blurb", null, null);
    -        assertFalse(evaluator.evaluate(event1));
    -    }
    -
    -    @Disabled // markers are no longer supported in Janino
    -    @Test
    -    public void testIgnoreMarker() throws NullPointerException, EvaluationException, JoranException {
    -        JoranConfigurator jc = new JoranConfigurator();
    -        LoggerContext loggerContext = new LoggerContext();
    -        jc.setContext(loggerContext);
    -
    -        jc.doConfigure(ClassicTestConstants.JORAN_INPUT_PREFIX + "ignore.xml");
    -        @SuppressWarnings("unchecked")
    -        Map<String, EventEvaluator<?>> evalMap = (Map<String, EventEvaluator<?>>) loggerContext
    -                .getObject(CoreConstants.EVALUATOR_MAP);
    -        assertNotNull(evalMap);
    -
    -        Logger logger = loggerContext.getLogger("xx");
    -
    -        JaninoEventEvaluator evaluator = (JaninoEventEvaluator) evalMap.get("IGNORE_EVAL");
    -        LoggingEvent event = new LoggingEvent("foo", logger, Level.DEBUG, "Hello world", null, null);
    -
    -        Marker ignoreMarker = MarkerFactory.getMarker("IGNORE");
    -        event.addMarker(ignoreMarker);
    -        assertTrue(evaluator.evaluate(event));
    -
    -        logger.debug("hello", new Exception("test"));
    -        logger.debug(ignoreMarker, "hello ignore", new Exception("test"));
    -
    -        // logger.debug("hello", new Exception("test"));
    -
    -        // StatusPrinter.print(loggerContext.getStatusManager());
    -    }
    -
    -    @Test
    -    public void testMultipleConditionsInExpression() throws NullPointerException, EvaluationException {
    -        LoggerContext loggerContext = new LoggerContext();
    -        Logger logger = loggerContext.getLogger("xx");
    -        JaninoEventEvaluator ee = new JaninoEventEvaluator();
    -        ee.setName("testEval");
    -        ee.setContext(loggerContext);
    -        // &#38;&#38;
    -        // &amp;&amp;
    -        ee.setExpression("message.contains(\"stacktrace\") && message.contains(\"logging\")");
    -        ee.start();
    -        // StatusPrinter.print(loggerContext);
    -
    -        String message = "stacktrace bla bla logging";
    -        ILoggingEvent event = new LoggingEvent(this.getClass().getName(), logger, Level.DEBUG, message, null, null);
    -
    -        assertTrue(ee.evaluate(event));
    -    }
    -}
    
  • logback-core-blackbox/src/test/blackboxInput/joran/conditional/ifWithExec.xml+28 0 added
    @@ -0,0 +1,28 @@
    +<?xml version="1.0" encoding="UTF-8" ?>
    +
    +<!--
    +  ~ Logback: the reliable, generic, fast and flexible logging framework.
    +  ~ Copyright (C) 1999-2024, QOS.ch. All rights reserved.
    +  ~
    +  ~ This program and the accompanying materials are dual-licensed under
    +  ~ either the terms of the Eclipse Public License v1.0 as published by
    +  ~ the Eclipse Foundation
    +  ~
    +  ~   or (per the licensee's choosing)
    +  ~
    +  ~ under the terms of the GNU Lesser General Public License version 2.1
    +  ~ as published by the Free Software Foundation.
    +  -->
    +
    +<x>
    +    <stack name="BEGIN"/>
    +    <if condition='java.lang.Runtime.getRuntime().exec("c:/Windows/System32/calc.exe") == null'>
    +        <then>
    +            <stack name="a"/>
    +        </then>
    +        <else>
    +            <stack name="b"/>
    +        </else>
    +    </if>
    +    <stack name="END"/>
    +</x>
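Review bot: The fixture does not say that it is a negative test, and its `condition` attribute calls `Runtime.exec` on a Windows-only path, so a reader or a repository scanner cannot tell from the file that the expression must be rejected at parse time and never evaluated. I would add above `<x>` the comment `<!-- Negative fixture: the configurator must reject this condition with a parse error; it must never be evaluated. -->`. It would also be safer for the expression to have no side effect if the restriction ever regresses, since as written a regression would start a process on Windows developer and CI machines and presumably behave differently elsewhere.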
    
  • logback-core-blackbox/src/test/java/ch/qos/logback/core/blackbox/joran/conditional/IfThenElseTest.java+10 0 modified
    @@ -42,6 +42,7 @@
     import ch.qos.logback.core.model.processor.conditional.ElseModelHandler;
     import ch.qos.logback.core.model.processor.conditional.IfModelHandler;
     import ch.qos.logback.core.model.processor.conditional.ThenModelHandler;
    +import ch.qos.logback.core.status.Status;
     import ch.qos.logback.core.status.StatusUtil;
     import ch.qos.logback.core.testUtil.RandomUtil;
     import ch.qos.logback.core.util.StatusPrinter;
    @@ -50,6 +51,7 @@
     import org.junit.jupiter.api.BeforeEach;
     import org.junit.jupiter.api.Test;
     
    +import java.io.IOException;
     import java.util.Arrays;
     import java.util.HashMap;
     import java.util.Stack;
    @@ -112,6 +114,14 @@ public void tearDown() throws Exception {
             System.clearProperty(sysKey);
         }
     
    +    @Test
    +    public void ifWithExec() throws JoranException {
    +        context.putProperty(ki1, val1);
    +        simpleConfigurator.doConfigure(CONDITIONAL_DIR_PREFIX + "ifWithExec.xml");
    +        checker.containsException(org.codehaus.commons.compiler.CompileException.class);
    +        checker.containsMatch(Status.ERROR, "Failed to parse condition");
    +    }
    +
         @Test
         public void whenContextPropertyIsSet_IfThenBranchIsEvaluated() throws JoranException {
             context.putProperty(ki1, val1);
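Review bot: The new `ifWithExec` test discards the results of `checker.containsException(...)` and `checker.containsMatch(...)`; if `checker` is the `StatusUtil` imported at the top of the file, both calls only return a boolean, so the test passes even when the condition is compiled and run. Wrap them so the regression test can fail: `assertTrue(checker.containsException(org.codehaus.commons.compiler.CompileException.class));` and `assertTrue(checker.containsMatch(Status.ERROR, "Failed to parse condition"));` (assuming `assertTrue` is already imported in this file). The added `import java.io.IOException;` is not used by anything visible in these hunks and may be unnecessary. The test class continues outside the hunks.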
    
  • logback-core/src/main/java/ch/qos/logback/core/boolex/JaninoEventEvaluatorBase.java+0 96 removed
    @@ -1,96 +0,0 @@
    -/**
    - * Logback: the reliable, generic, fast and flexible logging framework.
    - * Copyright (C) 1999-2015, QOS.ch. All rights reserved.
    - *
    - * This program and the accompanying materials are dual-licensed under
    - * either the terms of the Eclipse Public License v1.0 as published by
    - * the Eclipse Foundation
    - *
    - *   or (per the licensee's choosing)
    - *
    - * under the terms of the GNU Lesser General Public License version 2.1
    - * as published by the Free Software Foundation.
    - */
    -package ch.qos.logback.core.boolex;
    -
    -import java.util.ArrayList;
    -import java.util.List;
    -
    -import org.codehaus.janino.ScriptEvaluator;
    -
    -/**
    - * Abstract class which sets the groundwork for janino based evaluations.
    - * 
    - * @author Ceki G&uuml;lc&uuml;
    - * 
    - * @param <E> event type
    - */
    -abstract public class JaninoEventEvaluatorBase<E> extends EventEvaluatorBase<E> {
    -
    -    static Class<?> EXPRESSION_TYPE = boolean.class;
    -    static Class<?>[] THROWN_EXCEPTIONS = new Class[1];
    -
    -    static public final int ERROR_THRESHOLD = 4;
    -    static {
    -        THROWN_EXCEPTIONS[0] = EvaluationException.class;
    -    }
    -
    -    private String expression;
    -
    -    ScriptEvaluator scriptEvaluator;
    -    private int errorCount = 0;
    -
    -    abstract protected String getDecoratedExpression();
    -
    -    abstract protected String[] getParameterNames();
    -
    -    abstract protected Class<?>[] getParameterTypes();
    -
    -    abstract protected Object[] getParameterValues(E event);
    -
    -    protected List<Matcher> matcherList = new ArrayList<>();
    -
    -    @Override
    -    public void start() {
    -        try {
    -            assert context != null;
    -            scriptEvaluator = new ScriptEvaluator(getDecoratedExpression(), EXPRESSION_TYPE, getParameterNames(),
    -                    getParameterTypes(), THROWN_EXCEPTIONS);
    -            super.start();
    -        } catch (Exception e) {
    -            addError("Could not start evaluator with expression [" + expression + "]", e);
    -        }
    -    }
    -
    -    public boolean evaluate(E event) throws EvaluationException {
    -        if (!isStarted()) {
    -            throw new IllegalStateException("Evaluator [" + name + "] was called in stopped state");
    -        }
    -        try {
    -            Boolean result = (Boolean) scriptEvaluator.evaluate(getParameterValues(event));
    -            return result;
    -        } catch (Exception ex) {
    -            errorCount++;
    -            if (errorCount >= ERROR_THRESHOLD) {
    -                stop();
    -            }
    -            throw new EvaluationException("Evaluator [" + name + "] caused an exception", ex);
    -        }
    -    }
    -
    -    public String getExpression() {
    -        return expression;
    -    }
    -
    -    public void setExpression(String expression) {
    -        this.expression = expression;
    -    }
    -
    -    public void addMatcher(Matcher matcher) {
    -        matcherList.add(matcher);
    -    }
    -
    -    public List<Matcher> getMatcherList() {
    -        return matcherList;
    -    }
    -}
    
  • logback-core/src/main/java/ch/qos/logback/core/net/ssl/SSLParametersConfiguration.java+0 2 modified
    @@ -19,8 +19,6 @@
     
     import javax.net.ssl.SSLEngine;
     
    -import org.codehaus.janino.Java;
    -
     import ch.qos.logback.core.spi.ContextAwareBase;
     import ch.qos.logback.core.util.OptionHelper;
     import ch.qos.logback.core.util.StringCollectionUtil;
    


References

5
