by hvasilev 1632 days ago
The essence is: https://github.com/google/log4jscanner/blob/main/jar/jar.go

This is the decision logic:

    // A JAR is flagged when the lookup class is present together with either
    // the old JndiManager constructor or a JndiManager class older than 2.16.
    func (c *checker) bad() bool {
        return (c.hasLookupClass && c.hasOldJndiManagerConstructor) ||
            (c.hasLookupClass && c.seenJndiManagerClass && !c.isAtLeastTwoDotSixteen)
    }
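Added example, not code from the post or from the log4jscanner project: the post's bad() logic wrapped in a small Go checker and run over constructed JAR contents, to show which flag combinations it flags and that a jar with JndiLookup.class stripped is no longer flagged at all. Assumed: the class paths are the real log4j locations of JndiLookup and JndiManager (the tool's exact matching is not shown here), the JndiManager flags are read from constructed marker strings rather than bytecode, and the entries arrive already unzipped.

```go
package main

import "bytes"

// Entry paths the checker keys on (real log4j class locations; matching is assumed).
const (
	jndiLookupClass  = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
	jndiManagerClass = "org/apache/logging/log4j/core/net/JndiManager.class"
)

// checker keeps the flag names from the post; bad() is the post's logic verbatim.
type checker struct {
	hasLookupClass, hasOldJndiManagerConstructor bool
	seenJndiManagerClass, isAtLeastTwoDotSixteen bool
}

func (c *checker) bad() bool {
	return (c.hasLookupClass && c.hasOldJndiManagerConstructor) ||
		(c.hasLookupClass && c.seenJndiManagerClass && !c.isAtLeastTwoDotSixteen)
}

// scan sets the flags from already-unzipped JAR entries (path -> class bytes).
// ASSUMPTION: the two JndiManager flags are read from constructed marker strings
// ("OLD_CTOR", "V2_16"); the real tool derives them from bytecode, not shown here.
func scan(entries map[string][]byte) *checker {
	c := &checker{}
	for name, body := range entries {
		switch name {
		case jndiLookupClass:
			c.hasLookupClass = true
		case jndiManagerClass:
			c.seenJndiManagerClass = true
			c.hasOldJndiManagerConstructor = bytes.Contains(body, []byte("OLD_CTOR"))
			c.isAtLeastTwoDotSixteen = bytes.Contains(body, []byte("V2_16"))
		}
	}
	return c
}

// fixtures are constructed JAR contents (not real log4j builds) covering the
// four cases the decision logic distinguishes; keys describe the scenario.
func fixtures() map[string]map[string][]byte {
	return map[string]map[string][]byte{
		"lookup+old-ctor":         {jndiLookupClass: nil, jndiManagerClass: []byte("OLD_CTOR")},
		"lookup+new-ctor-pre2.16": {jndiLookupClass: nil, jndiManagerClass: []byte("NEW_CTOR")},
		"lookup+2.16":             {jndiLookupClass: nil, jndiManagerClass: []byte("V2_16")},
		"lookup-class-removed":    {jndiManagerClass: []byte("OLD_CTOR")},
	}
}
```

Only the first two fixtures come out as bad; both clauses require hasLookupClass, so the last one passes even though its JndiManager is the old one.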


It is a lot of code for just that.
I’d argue that the convenience of this tool isn’t just the fact that it can tell a class/jar is “bad”, but the convenience of being able to automatically scan the filesystem to do that.

And most of the code I see is about walking the filesystem, unzipping jars, walking the files inside the jars.

Most codebases have this kind of plumbing all the time.

The story of browsing through code: "I'm wasting my time reading this", until you read the 3 lines that actually matter.