|
Description:
|
Any code that can import org.slf4j.LoggerFactory or cast org.slf4j.Logger to the LOGBack Classic implementation ch.qos.logback.classic.Logger can alter the logging configuration by starting/stopping the LoggerContext, adding Listeners, adding/removing Appenders to Loggers, starting/stopping filters, etc.. In an environment where untrusted code is being executed, such as user-defined scripts, this possibility introduces a certain security risk as the logging configuration can be altered by anyone.
Example:
{code}
LoggerContext loggerContext = (LoggerContext) LoggerFactory.getILoggerFactory();
Logger rootLogger = loggerContext.getLogger(Logger.ROOT_LOGGER_NAME);
rootLogger.detachAndStopAllAppenders();
rootLogger.addAppender(myAppender);
{code}
This could be prevented by checking in security-sensitive methods of LoggerContext and Logger if the caller has a certain permission, e.g. a LoggingPermission with the required action (only if System.getSecurityManager() != null).
JUL has such a permission (java.util.logging.LoggingPermission) supporting currently only one action called "control". This JUL permission could be used as a template for designing a LOGBack specific one.
|
Major