Medcify/API
3
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
4470d23d40
API/api.medcify.app/node_modules/snyk/dist/cli/989.index.js

482 lines
14 KiB
JavaScript
Raw Normal View History

final
2022-09-26 06:11:44 +00:00
"use strict";
exports.id = 989;
exports.ids = [989];
exports.modules = {
/***/ 60959:
/***/ ((__unused_webpack_module, exports) => {
/**
* The content of this file is generated by a tool.
* Don't edit it manually!
* */
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.vulnerableSignatures = void 0;
exports.vulnerableSignatures = {
IfBVtiwVRT8NeXCp2ZTKtw: {
filename: 'JndiManager.class',
versions: ['2.13.2', '2.13.1', '2.13.0', '2.13.3'],
},
CsWz5uabp3ZWg3mOZpowsg: {
filename: 'log4j-core-2.13.2.jar',
versions: ['2.13.2'],
},
'8MQ62soq/HHGzID4UbOIGA': {
filename: 'log4j-core-2.4.1.jar',
versions: ['2.4.1'],
},
RyyOH7qg5hUg4CXCVbXRaA: {
filename: 'log4j-core-2.6.2.jar',
versions: ['2.6.2'],
},
'7Q4xglxv2kNCP7ODV6QrPQ': {
filename: 'MessagePatternConverter.class',
versions: ['2.16.0'],
},
geBDOuAGAsDk0AQk0hOwqw: {
filename: 'log4j-core-2.15.0.jar',
versions: ['2.15.0'],
},
'miPB9v/sgl70HMwQVBogkA': {
filename: 'JndiManager.java',
versions: ['2.8.2-sources', '2.8-sources', '2.7-sources', '2.8.1-sources'],
},
WCRxHWxoFi61NcxNv3SF0w: {
filename: 'JndiManager.class',
versions: ['2.12.1', '2.12.0'],
},
'xtIzvI6c/l2mkAWdJ9n4jw': {
filename: 'log4j-core-2.8.jar',
versions: ['2.8'],
},
zH1V7WnMX9NANbFcbt95oA: {
filename: 'log4j-core-2.13.3.jar',
versions: ['2.13.3'],
},
'EQqz4+TzeAkh6O5d3jNzrQ': {
filename: 'log4j-core-2.3.jar',
versions: ['2.3'],
},
'VSPxRPrvK/ygijyosr7Nag': {
filename: 'log4j-core-2.6.jar',
versions: ['2.6'],
},
'C1fpJhCjMxrxWn6Q+LNTnQ': {
filename: 'Interpolator.class',
versions: ['2.16.0'],
},
'QVwT58hQX7BW1UDqwpty+g': {
filename: 'JndiManager.class',
versions: ['2.7', '2.8.1', '2.8'],
},
zXChiI7N0xHBmQ54SGfOHg: {
filename: 'log4j-core-2.0.jar',
versions: ['2.0'],
},
'txoT/V3yUWlPyhFiQAA7Ig': {
filename: 'log4j-core-2.13.0.jar',
versions: ['2.13.0'],
},
VHuz7S3rhW0OO713wnuWJQ: {
filename: 'log4j-core-2.8.1.jar',
versions: ['2.8.1'],
},
SlF3oXJ2S9pvRHK5S6F8yw: {
filename: 'log4j-core-2.8.2.jar',
versions: ['2.8.2'],
},
ToAy4jACKoyI3X1SbwtnCw: {
filename: 'JndiManager.java',
versions: [
'2.9.0-sources',
'2.9.1-sources',
'2.10.0-sources',
'2.11.0-sources',
'2.11.1-sources',
],
},
'oZNwOQSj8Y+zyQqHfrXIpw': {
filename: 'JndiManager.class',
versions: ['2.8.2'],
},
'+/pfM6tLKab91SRz7nuDTQ': {
filename: 'log4j-core-2.0.1.jar',
versions: ['2.0.1'],
},
'Kr7CzmZeDVKaPyj/+7st0w': {
filename: 'log4j-core-2.11.0.jar',
versions: ['2.11.0'],
},
'AHnJByMGWZaPD8DkGmq8+Q': {
filename: 'log4j-core-2.4.jar',
versions: ['2.4'],
},
'3o0BzBX9DHT+qLu2aOKJ9Q': {
filename: 'log4j-core-2.0-rc2.jar',
versions: ['2.0-rc2.jar'],
},
'siQt4Gd75lFdbO+/SOfl1Q': {
filename: 'log4j-core-2.11.1.jar',
versions: ['2.11.1'],
},
jTMVRLLnsgrRZt68olUNcw: {
filename: 'log4j-core-2.1.jar',
versions: ['2.1'],
},
'3Q4+C0BAg+xpYYqrtQuKwA': {
filename: 'log4j-core-2.5.jar',
versions: ['2.5'],
},
BP3XAYCdF0ZcF8fmA7GyAg: {
filename: 'JndiManager.class',
versions: ['2.11.1', '2.9.1', '2.11.0', '2.11.2', '2.10.0', '2.9.0'],
},
FS7LPOCUrFvJ6jnWEi4oFA: {
filename: 'log4j-core-2.0-beta9.jar',
versions: ['2.0-beta9.jar'],
},
'SPfzzaUwMKh+jDh9jR5CZQ': {
filename: 'log4j-core-2.6.1.jar',
versions: ['2.6.1'],
},
'axX0LDM6w5q6z+7rGIUqRA': {
filename: 'JndiManager.class',
versions: ['2.1', '2.2', '2.3'],
},
'XkvKXtILlKsZu2WDbak/lg': {
filename: 'log4j-core-2.2.jar',
versions: ['2.2'],
},
lI3aeHWTNAp68aGOMot7fw: {
filename: 'log4j-core-2.14.1.jar',
versions: ['2.14.1'],
},
'K2Pg5QY/2sz2aaHiY4Tz/Q': {
filename: 'log4j-core-2.7.jar',
versions: ['2.7'],
},
'iyJgsczmQUT2MQh2+UsWOA': {
filename: 'JndiManager.class',
versions: ['2.4', '2.4.1', '2.5'],
},
'CI3xE60kmrcr8Zt/ALhj1Q': {
filename: 'log4j-core-2.0-rc1.jar',
versions: ['2.0-rc1.jar'],
},
'3JkBHwR+Y9zHQbWraNEW2w': {
filename: 'log4j-core-2.10.0.jar',
versions: ['2.10.0'],
},
'XFJ4IdEISn7z4D1AFE/1Mg': {
filename: 'log4j-core-2.12.0.jar',
versions: ['2.12.0'],
},
n0GSikGCAN4iMt0yblIsxw: {
filename: 'log4j-core-2.16.0.jar',
versions: ['2.16.0'],
},
'XSU+U/qZPhIv8BIiGqSeww': {
filename: 'JndiManager.class',
versions: ['2.15.0'],
},
'NbG1m0kl+RbQmdW4+7nykQ': {
filename: 'JndiManager.java',
versions: [
'2.11.2-sources',
'2.12.1-sources',
'2.13.0-sources',
'2.13.1-sources',
'2.13.2-sources',
'2.14.1-sources',
'2.12.0-sources',
'2.13.3-sources',
'2.14.0-sources',
],
},
'Kn94Du0/K5zJ8p4blmlGjw': {
filename: 'JndiManager.java',
versions: [
'2.4-sources',
'2.2-sources',
'2.3-sources',
'2.5-sources',
'2.6.1-sources',
'2.6.2-sources',
'2.6-sources',
'2.1-sources',
'2.4.1-sources',
],
},
'02XkgiFBT5P+7wk6G/YH7w': {
filename: 'log4j-core-2.13.1.jar',
versions: ['2.13.1'],
},
'+rZGJX+UWwsqfOPhw+POXw': {
filename: 'log4j-core-2.9.0.jar',
versions: ['2.9.0'],
},
'lC9Cnqy4AV4Y2PWZls++5g': {
filename: 'log4j-core-2.9.1.jar',
versions: ['2.9.1'],
},
'yL2LXFqqoHo9y/V94BySZg': {
filename: 'log4j-core-2.11.2.jar',
versions: ['2.11.2'],
},
ATi6HBkdXHVP0OPDphwDBw: {
filename: 'log4j-core-2.12.1.jar',
versions: ['2.12.1'],
},
'hiwAsuhU+cDx6NhAnSPYmQ': {
filename: 'log4j-core-2.14.0.jar',
versions: ['2.14.0'],
},
'uhz4+B57MccJdoVhuoq1WA': {
filename: 'JndiManager.class',
versions: ['2.16.0'],
},
'O9n0G4nOT+jMv3PkMZWlzg': {
filename: 'JndiManager.class',
versions: ['2.6.1', '2.6', '2.6.2'],
},
'8dYwxIkoCWpITkuVzLFioA': {
filename: 'JndiManager.class',
versions: ['2.14.0', '2.14.1'],
},
jAzz6wRxVKT44W2vWiCTGQ: {
filename: 'log4j-core-2.0.2.jar',
versions: ['2.0.2'],
},
};
/***/ }),
/***/ 86989:
/***/ ((__unused_webpack_module, exports, __webpack_require__) => {
Object.defineProperty(exports, "__esModule", ({ value: true }));
const fs_1 = __webpack_require__(35747);
const crypto = __webpack_require__(76417);
const AdmZip = __webpack_require__(55285);
const ora = __webpack_require__(63395);
const semver = __webpack_require__(36625);
const log4shell_hashes_1 = __webpack_require__(60959);
const readFile = fs_1.promises.readFile;
const readDir = fs_1.promises.readdir;
const stat = fs_1.promises.stat;
const MAX_FILE_SIZE = 2 * 1024 * 1024 * 1024 - 1;
class Paths {
constructor(paths) {
this.paths = paths;
}
static empty() {
return new Paths([]);
}
static fromZip(content, path) {
try {
const unzippedEntries = new AdmZip(content).getEntries();
const entries = unzippedEntries.map((entry) => {
return {
path: path + '/' + entry.entryName,
content: async () => entry.getData(),
};
});
return new Paths(entries);
}
catch (error) {
errors.push(error);
return this.empty();
}
}
static async fromDisk(paths) {
try {
const entries = paths.map((path) => {
return {
path,
content: async () => await readFile(path),
};
});
return new Paths(entries);
}
catch (error) {
errors.push(error);
return this.empty();
}
}
}
const errors = [];
async function startSpinner() {
const spinner = ora({ isSilent: false, stream: process.stdout });
spinner.text = `Looking for Log4Shell...`;
spinner.start();
return spinner;
}
// eslint-disable-next-line @typescript-eslint/no-unused-vars
async function log4shell(...args) {
console.log('Please note this command is for already built artifacts. To test source code please use `snyk test`.');
const signatures = new Array();
const spinner = await startSpinner();
const paths = await find('.');
await parsePaths(await Paths.fromDisk(paths), signatures);
spinner.stop();
console.log('\nResults:');
const issues = filterJndi(signatures);
if (issues.length == 0) {
console.log('No known vulnerable version of Log4J was detected');
return;
}
const rceIssues = [];
const dosIssues = [];
issues.forEach((issue) => {
issue.path = issue.path.replace(/(.*org\/apache\/logging\/log4j\/core).*/, '$1');
if (issue.exploitType === 'Log4Shell') {
rceIssues.push(issue);
}
if (issue.exploitType === 'DoS') {
dosIssues.push(issue);
}
});
if (rceIssues.length > 0) {
displayIssues('A version of Log4J that is vulnerable to Log4Shell was detected:', rceIssues);
displayRemediation('Log4Shell');
}
if (dosIssues.length > 0) {
displayIssues('A version of Log4J that is vulnerable to CVE-2021-45105 (Denial of Service) was detected:', dosIssues);
displayRemediation('DoS');
}
exitWithError();
}
exports.default = log4shell;
async function parsePaths(ctx, accumulator) {
for (const { path, content } of ctx.paths) {
if (!isArchiveOrJndi(path)) {
continue;
}
const signature = await computeSignature(await content());
const isVulnerable = signature in log4shell_hashes_1.vulnerableSignatures;
if (isVulnerable || path.includes('JndiLookup')) {
await append(path, signature, accumulator);
continue;
}
if (!isVulnerable && isJavaArchive(path)) {
await parsePaths(Paths.fromZip(await content(), path), accumulator);
}
}
}
async function computeSignature(content) {
return crypto
.createHash('md5')
.update(content)
.digest('base64')
.replace(/=/g, '');
}
async function find(path) {
const result = [];
await traverse(path, (filePath, stats) => {
if (!stats.isFile() || stats.size > MAX_FILE_SIZE) {
return;
}
result.push(filePath);
});
return result;
}
async function traverse(path, handle) {
try {
const stats = await stat(path);
if (!stats.isDirectory()) {
handle(path, stats);
return;
}
const entries = await readDir(path);
for (const entry of entries) {
const absolute = path + '/' + entry;
await traverse(absolute, handle);
}
}
catch (error) {
errors.push(error);
}
}
async function computeExploitType(signatureDetails) {
for (const version of signatureDetails.versions) {
const coercedVersion = semver.coerce(version);
if (coercedVersion === null) {
continue;
}
if (semver.lt(coercedVersion, '2.16.0')) {
return 'Log4Shell';
}
if (semver.satisfies(coercedVersion, '2.16.x')) {
return 'DoS';
}
}
return 'Unknown';
}
function displayIssues(message, signatures) {
console.log(message);
signatures.forEach((signature) => {
console.log(`\t${signature.path}`);
});
}
function displayRemediation(exploitType) {
switch (exploitType) {
case 'Log4Shell':
console.log(`\nWe highly recommend fixing this vulnerability. If it cannot be fixed by upgrading, see mitigation information here:
\t- https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720
\t- https://snyk.io/blog/log4shell-remediation-cheat-sheet/\n`);
break;
case 'DoS':
console.log(`\nWe recommend fixing this vulnerability by upgrading to a later version. To learn more about this vulnerability, see:
\t- https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524\n`);
break;
default:
break;
}
}
function isJavaArchive(path) {
return path.endsWith('.jar') || path.endsWith('.war') || path.endsWith('ear');
}
function isArchiveOrJndi(path) {
return (isJavaArchive(path) ||
path.includes('JndiManager') ||
path.includes('JndiLookup'));
}
async function append(path, signature, accumulator) {
const exploitType = log4shell_hashes_1.vulnerableSignatures[signature]
? await computeExploitType(log4shell_hashes_1.vulnerableSignatures[signature])
: 'Unknown';
accumulator.push({
value: signature,
path,
exploitType,
});
}
function filterJndi(signatures) {
return signatures.filter((signature) => {
if (isJavaArchive(signature.path)) {
return true;
}
if (signature.path.includes('JndiManager')) {
const jndiManagerPathIndex = signature.path.indexOf('/net/JndiManager.class');
const jndiLookupPath = signature.path.substr(0, jndiManagerPathIndex) + '/lookup/JndiLookup';
const isJndiLookupPresent = signatures.find((element) => element.path.includes(jndiLookupPath));
return !!isJndiLookupPresent;
}
return false;
});
}
function exitWithError() {
const err = new Error();
err.code = 'VULNS';
throw err;
}
/***/ })
};
;
//# sourceMappingURL=989.index.js.map
Reference in New Issue Copy Permalink