diff --git a/README.md b/README.md
index 5cbea48..a7dbbff 100644
--- a/README.md
+++ b/README.md
@@ -35,7 +35,9 @@ page.
 ```
 $ ./local-log4j-vuln-scanner [--verbose] [--quiet] \
 [--ignore-v1] [--ignore-vulns=...] \
- [--exclude /path/to/exclude …] [--log /path/to/file.log] \
+ [--exclude /path/to/exclude …] \
+ [--scan-network] \
+ [--log /path/to/file.log] \
 /path/to/app1 /path/to/app2 …
 ```
@@ -54,6 +56,8 @@ The `--log` flag allows everythig to be written to a log file instead of stdout/
 Use the `--exclude` flag to exclude subdirectories from being scanned. Can be used multiple times.
+The `--scan-network` flag tells the scanner to search network filesystems (disabled by default). This has not been implemented for Windows.
+
 If class files indicating one of the vulnerabilities are found, messages like the following are printed to standard output:
 ``` console
diff --git a/scanner/fs_darwin.go b/scanner/fs_darwin.go
index d7c6f22..10749f8 100644
--- a/scanner/fs_darwin.go
+++ b/scanner/fs_darwin.go
@@ -17,13 +17,26 @@ func typeToString(name [16]int8) string {
 return string(b)
 }
+func isPseudoFS(path string) bool {
+ var buf syscall.Statfs_t
+ if err := syscall.Statfs(path, &buf); err != nil {
+ return false
+ }
+ switch typeToString(buf.Fstypename) {
+ case "devfs":
+ return true
+ default:
+ return false
+ }
+}
+
 func isNetworkFS(path string) bool {
 var buf syscall.Statfs_t
 if err := syscall.Statfs(path, &buf); err != nil {
 return false
 }
 switch typeToString(buf.Fstypename) {
- case "nfs", "afpfs", "smbfs", "webdav", "devfs":
+ case "nfs", "afpfs", "smbfs", "webdav":
 return true
 default:
 return false
diff --git a/scanner/fs_generic.go b/scanner/fs_generic.go
index d8e0ccd..26f616e 100644
--- a/scanner/fs_generic.go
+++ b/scanner/fs_generic.go
@@ -2,4 +2,6 @@
 package main
+func isPseudoFS(string) bool { return false }
+
 func isNetworkFS(string) bool { return false }
diff --git a/scanner/fs_linux.go b/scanner/fs_linux.go
index ee84ad5..321ed41 100644
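Review bot: isPseudoFS and isNetworkFS in the fs_darwin.go hunk each run their own syscall.Statfs plus typeToString on the same path, and main.go calls both for every entry the walk visits, so the duplicated prologue is worth factoring into one helper. A shared `fsTypeName(path) (string, bool)` keeps the statfs-failure policy (error → treated as local, hence scanned) in one documented place and reduces the two predicates to a comparison and a switch. Separately, macOS keeps autofs trigger directories such as /net and /home whose type name is "autofs" rather than "nfs"; walking into them can automount network shares, so whether "autofs" belongs in the network list is worth checking — this hunk does not settle it. Halving the per-entry syscall cost would additionally need main.go to classify each directory once, which is outside this file; the closing brace of isNetworkFS lies past the end of the hunk.
```go
// fsTypeName reports the type name of the filesystem holding path.
// ok is false when statfs(2) fails; callers then treat the path as local.
func fsTypeName(path string) (name string, ok bool) {
	var buf syscall.Statfs_t
	if err := syscall.Statfs(path, &buf); err != nil {
		return "", false
	}
	return typeToString(buf.Fstypename), true
}

func isPseudoFS(path string) bool {
	name, ok := fsTypeName(path)
	return ok && name == "devfs"
}

func isNetworkFS(path string) bool {
	name, ok := fsTypeName(path)
	if !ok {
		return false
	}
	switch name {
	case "nfs", "afpfs", "smbfs", "webdav":
		return true
	default:
		return false
	}
}
```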
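Review bot: The new stub isPseudoFS in fs_generic.go, like the existing isNetworkFS next to it, returns false unconditionally, so on the platforms this file builds for every mount is walked and `--scan-network` changes nothing, yet neither stub says so. Suggest one comment above the pair: `// Filesystem classification is not implemented for this platform: every path is treated as local, so network mounts are always scanned and --scan-network has no effect.` The build constraint that selects this file is outside the hunk, so which platforms that covers cannot be confirmed from here.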
--- a/scanner/fs_linux.go
+++ b/scanner/fs_linux.go
@@ -106,14 +106,13 @@ const (
 OPENAFS_FS_MAGIC = 0x5346414f
 )
-func isNetworkFS(path string) bool {
+func isPseudoFS(path string) bool {
 var buf syscall.Statfs_t
 if err := syscall.Statfs(path, &buf); err != nil {
 return false
 }
 switch uint32(buf.Type) {
 case
- // pseudo filesystems
 BDEVFS_MAGIC,
 BINFMTFS_MAGIC,
 CGROUP_SUPER_MAGIC,
@@ -125,8 +124,20 @@ func isNetworkFS(path string) bool {
 PROC_SUPER_MAGIC,
 SELINUX_MAGIC,
 SMACK_MAGIC,
- SYSFS_MAGIC,
- // network filesystems
+ SYSFS_MAGIC:
+ return true
+ default:
+ return false
+ }
+}
+
+func isNetworkFS(path string) bool {
+ var buf syscall.Statfs_t
+ if err := syscall.Statfs(path, &buf); err != nil {
+ return false
+ }
+ switch uint32(buf.Type) {
+ case
 AFS_FS_MAGIC,
 OPENAFS_FS_MAGIC,
 CEPH_SUPER_MAGIC,
diff --git a/scanner/main.go b/scanner/main.go
index b8938c1..166e151 100644
--- a/scanner/main.go
+++ b/scanner/main.go
@@ -104,6 +104,7 @@ var quiet bool
 var vulns filter.Vulnerabilities
 var ignoreVulns filter.Vulnerabilities = filter.CVE_2021_45046 | filter.CVE_2021_44832
 var ignoreV1 bool
+var network bool
 func main() {
 flag.Var(&excludes, "exclude", "paths to exclude (can be used multiple times)")
@@ -112,6 +113,7 @@ func main() {
 flag.BoolVar(&quiet, "quiet", false, "no ouput unless vulnerable")
 flag.BoolVar(&ignoreV1, "ignore-v1", false, "ignore log4j 1.x versions")
 flag.Var(&ignoreVulns, "ignore-vulns", "ignore vulnerabilities")
+ flag.BoolVar(&network, "scan-network", false, "search network filesystems")
 flag.Parse()
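Review bot: The isNetworkFS added in the second fs_linux.go hunk repeats isPseudoFS's Statfs prologue line for line, including the policy that a failed statfs yields false (the entry is then treated as local and scanned); a `fsMagic(path) (uint32, bool)` helper would leave each predicate as a switch over magic constants and document that policy once. The narrowing `uint32(buf.Type)` also deserves a comment, since Statfs_t.Type is a wider signed integer on some Linux architectures and a reader may take the cast for a bug rather than a deliberate truncation to the 32-bit magic values. isPseudoFS would be rewritten the same way; its case list and the tail of isNetworkFS's case list lie outside this hunk.
```go
// fsMagic reports the f_type magic of the filesystem holding path.
// ok is false when statfs(2) fails; callers then treat the path as local.
// Statfs_t.Type is wider than the 32-bit magic constants on some
// architectures, so it is narrowed before comparison.
func fsMagic(path string) (magic uint32, ok bool) {
	var buf syscall.Statfs_t
	if err := syscall.Statfs(path, &buf); err != nil {
		return 0, false
	}
	return uint32(buf.Type), true
}

func isNetworkFS(path string) bool {
	magic, ok := fsMagic(path)
	if !ok {
		return false
	}
	switch magic {
	case
		AFS_FS_MAGIC,
		OPENAFS_FS_MAGIC,
		CEPH_SUPER_MAGIC,
		// … unchanged: remaining network magic constants …
```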
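Review bot: The help text registered for `scan-network` in the second main.go hunk says neither that network mounts are skipped by default nor that the classification exists only in the Linux and macOS builds (fs_generic.go returns false, so the flag is a no-op elsewhere — the README says this, `-h` does not). Suggest `flag.BoolVar(&network, "scan-network", false, "also search network filesystems (skipped by default; Linux and macOS only)")`. As a package-level name `network` is also vague at its use site, `!network && isNetworkFS(path)`; `scanNetwork` would match the flag and read as the verb it is.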
@@ -144,12 +146,19 @@ func main() {
 for _, root := range flag.Args() {
 filepath.Walk(filepath.Clean(root), func(path string, info os.FileInfo, err error) error {
- if isNetworkFS(path) {
+ if isPseudoFS(path) {
 if !quiet {
- fmt.Fprintf(logFile, "Skipping %s: pseudo or network filesystem\n", path)
+ fmt.Fprintf(logFile, "Skipping %s: pseudo filesystem\n", path)
 }
 return filepath.SkipDir
 }
+ if !network && isNetworkFS(path) {
+ if !quiet {
+ fmt.Fprintf(logFile, "Skipping %s: network filesystem\n", path)
+ }
+ return filepath.SkipDir
+ }
+
 if !quiet {
 fmt.Fprintf(logFile, "examining %s\n", path)
 }
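Review bot: Both classifiers are now invoked for every entry the walk yields, regular files included, so each file costs two statfs(2) calls on top of Walk's own lstat, and the `filepath.SkipDir` returned for a non-directory entry makes Walk skip that entry's remaining siblings rather than just the file. Classifying only when `info.IsDir()` avoids both, because a regular file sits on the same mount as its parent (bind-mounted single files aside) and the directory check already prunes the subtree before any file in it is visited; `info` is nil when Walk could not lstat the root, so guard for that. Separately, with `--quiet` a network-mounted application directory is skipped with no output at all, which for a vulnerability scanner is a silent false negative — consider emitting the network-skip notice regardless of `quiet`, or at least calling it out in the README. The callback body continues past the end of the hunk.
```go
	filepath.Walk(filepath.Clean(root), func(path string, info os.FileInfo, err error) error {
		// Classify the mount once per directory: files share their parent's
		// filesystem, and a statfs(2) per regular file doubles the syscall
		// cost of the walk. info is nil when the root itself could not be stat'd.
		if info != nil && info.IsDir() {
			if isPseudoFS(path) {
				if !quiet {
					fmt.Fprintf(logFile, "Skipping %s: pseudo filesystem\n", path)
				}
				return filepath.SkipDir
			}
			if !network && isNetworkFS(path) {
				if !quiet {
					fmt.Fprintf(logFile, "Skipping %s: network filesystem\n", path)
				}
				return filepath.SkipDir
			}
		}
		// … unchanged: "examining" log line and the rest of the callback …
```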