fix log4j exploit

soh boon keong · soh boon keong · commit 592a16e5df38 · 2021-08-10T03:10:17.000+08:00
diff --git a/build.gradle b/build.gradle
@@ -19,11 +19,16 @@ dependencies {
     
     //gradle 4.0
     compile group: 'commons-lang', name: 'commons-lang', version: '2.4'
-    compile group: 'org.slf4j', name: 'slf4j-api', version: '1.7.25'
+    //compile group: 'org.slf4j', name: 'slf4j-api', version: '1.7.25'
+    compile group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.14.1'
+    compile group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.14.1'
     compile group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.10.5.1'
     compile group: 'com.googlecode.json-simple', name: 'json-simple', version: '1.1.1'
     compile group: 'org.bouncycastle', name: 'bcpkix-jdk15on', version: '1.69'
-    testCompile group: 'org.slf4j', name: 'slf4j-log4j12', version: '1.7.32'
+    
+    //testCompile group: 'org.slf4j', name: 'slf4j-log4j12', version: '1.7.32'
+    testCompile group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.14.1'
+    testCompile group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.14.1'
     testCompile group: 'junit', name: 'junit', version: '4.13.1'
 
     //gradle 6.9
diff --git a/pom.xml b/pom.xml
@@ -77,11 +77,21 @@
 		<version>1.3</version>
 		<scope>test</scope>
 	</dependency> 	
-  	<dependency>
+  <!-- 	<dependency>
   		<groupId>org.slf4j</groupId>
   		<artifactId>slf4j-log4j12</artifactId>
   		<version>1.7.32</version>
-  	</dependency>
+  	</dependency>  -->
+  	  	<dependency>
+		    <groupId>org.apache.logging.log4j</groupId>
+		    <artifactId>log4j-api</artifactId>
+		    <version>2.14.1</version>
+	</dependency>
+  	<dependency>
+		    <groupId>org.apache.logging.log4j</groupId>
+		    <artifactId>log4j-core</artifactId>
+		    <version>2.14.1</version>
+	</dependency>
   	<dependency>
             <groupId>commons-lang</groupId>
             <artifactId>commons-lang</artifactId>
diff --git a/src/main/java/com/api/util/ApiSecurity/ApiSigning.java b/src/main/java/com/api/util/ApiSecurity/ApiSigning.java
@@ -7,8 +7,8 @@
 import org.bouncycastle.openssl.PEMParser;
 import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
 import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.LogManager;
 
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
@@ -34,7 +34,7 @@
  */
 public class ApiSigning {
 
-    private static final Logger log = LoggerFactory.getLogger(ApiSigning.class);
+    private static final Logger log = LogManager.getLogger(ApiSigning.class);
 
     /**
      * Create HMACRSA256 Signature (L1) with a given basestring
diff --git a/src/test/java/com/api/util/ApiSecurity/ApiSecurityTest.java b/src/test/java/com/api/util/ApiSecurity/ApiSecurityTest.java
@@ -16,8 +16,10 @@
 import java.util.Set;
 
 import org.junit.runner.RunWith;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+//import org.slf4j.Logger;
+//import org.slf4j.LoggerFactory;
+import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.LogManager;
 
 import com.api.util.testframework.JUnitFactoryRunner;
 import com.api.util.testframework.JUnitTestFactory;
@@ -35,7 +37,8 @@
 @RunWith(JUnitFactoryRunner.class)
 public class ApiSecurityTest {
 	
-	private static final Logger log = LoggerFactory.getLogger(ApiSecurityTest.class);
+	//private static final Logger log = LoggerFactory.getLogger(ApiSecurityTest.class);
+	private static final Logger log = LogManager.getLogger(ApiSecurityTest.class);
 	
 	private static final String testDataPath = getLocalPath("src/main/resources/test-suites/testData/");
 	
diff --git a/src/test/java/com/api/util/testframework/RuntimeTestCase.java b/src/test/java/com/api/util/testframework/RuntimeTestCase.java
@@ -1,7 +1,9 @@
 package com.api.util.testframework;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+//import org.slf4j.Logger;
+//import org.slf4j.LoggerFactory;
+import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.LogManager;
 
 import com.api.util.ApiSecurity.ApiList;
 import com.api.util.ApiSecurity.ApiSigning;
@@ -24,7 +26,7 @@
 
 public class RuntimeTestCase{
 	
-	private static final Logger log = LoggerFactory.getLogger(RuntimeTestCase.class);
+	private static final Logger log = LogManager.getLogger(RuntimeTestCase.class);
 	
 	//private ApiList apiList;
 	private String testName;
diff --git a/src/test/java/com/api/util/testframework/RuntimeTestUtility.java b/src/test/java/com/api/util/testframework/RuntimeTestUtility.java
@@ -1,7 +1,9 @@
 package com.api.util.testframework;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+//import org.slf4j.Logger;
+//import org.slf4j.LoggerFactory;
+import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.LogManager;
 
 import com.api.util.ApiSecurity.ApiList;
 import com.api.util.ApiSecurity.ApiUtilException;
@@ -17,7 +19,7 @@
 
 public class RuntimeTestUtility {
 	
-	private static final Logger log = LoggerFactory.getLogger(RuntimeTestUtility.class);
+	private static final Logger log = LogManager.getLogger(RuntimeTestUtility.class);
 	private static ApiList apiList;
 	
 	public static String getExpectedResultMap(ExpectedResult expectedResult) throws ApiUtilException {
