FormattedMessage doesn't need to use regular expressions #1223
Comments
|
@jvz I was looking into this. How do you suggest we check for a parametrized message, by doing |
|
@adwsingh, that sounds about right. I marked you as "assignee" to prevent other contributors to work on it. It's not an obligation. |
|
@ppkarwasz after reading the docs I am not so sure of my implementation anymore as I think it would break users. In docs we specify,
For a message like |
|
Yes, it is a breaking change to silence Code scanning alert #51: checking for an unescaped I believe we can change the documentation to state:
BTW: The regex we use currently is identical to |
jvz
added
the
performance
We change the order in which `FormattedMessage` checks the format of the
provided pattern: we first check for the presence of `{}` placeholders
and only then for `java.util.Format` specifiers.
This eliminates the need for a potentially exponential regular
expression evalutation, which was reported by Spotbugs (apache#1849).
The Javadoc and documentation were improved to clarify the heuristic
used by `FormattedMessage`.
Closes apache#1223.
Remark: since `FormattedMessage` used the **same** regular expression as
`java.util.Format`, if a message uses `java.util.Format` specifiers, it
is still vulnerable to a ReDOS.
We change the order in which `FormattedMessage` checks the format of the
provided pattern: we first check for the presence of `{}` placeholders
and only then for `java.util.Format` specifiers.
This eliminates the need for a potentially exponential regular
expression evalutation, which was reported by Spotbugs (apache#1849).
The Javadoc and documentation were improved to clarify the heuristic
used by `FormattedMessage`.
Closes apache#1223.
Remark: since `FormattedMessage` used the **same** regular expression as
`java.util.Format`, if a message uses `java.util.Format` specifiers, it
is still vulnerable to a ReDOS.
### What changes were proposed in this pull request? The pr aims to upgrade log4j2 from 2.21.0 to 2.22.0. ### Why are the changes needed? This is the first log4j2 version that provides a CycloneDX Software Bill of Materials (SBOM) and the new version bring some new change and fix like: - Change the order of evaluation of FormattedMessage formatters. Messages are evaluated using java.util.Format only if they don't comply to the java.text.MessageFormat or ParameterizedMessage format. (apache/logging-log4j2#1223) - Change default encoding of HTTP Basic Authentication to UTF-8 and add log4j2.configurationAuthorizationEncoding property to overwrite it. (apache/logging-log4j2#1970) - Removed unused FastDateParser which was causing unnecessary heap overhead ([LOG4J2-3672](https://issues.apache.org/jira/browse/LOG4J2-3672), apache/logging-log4j2#1848) - Fix MDC pattern converter causing issues for %notEmpty (apache/logging-log4j2#1922) - Fix NotSerializableException thrown when Logger is serialized with a ReusableMessageFactory (apache/logging-log4j2#1884) the full release note as follows: -https:/apache/logging-log4j2/releases/tag/rel%2F2.22.0 ### Does this PR introduce _any_ user-facing change? No ### How was this patch tested? Pass GitHub Actions ### Was this patch authored or co-authored using generative AI tooling? No Closes #43940 from LuciferYang/SPARK-46038. Authored-by: yangjie01 <[email protected]> Signed-off-by: Dongjoon Hyun <[email protected]>
We change the order in which `FormattedMessage` checks the format of the
provided pattern: we first check for the presence of `{}` placeholders
and only then for `java.util.Format` specifiers.
This eliminates the need for a potentially exponential regular
expression evalutation, which was reported by Spotbugs (apache#1849).
The Javadoc and documentation were improved to clarify the heuristic
used by `FormattedMessage`.
Closes apache#1223.
Remark: since `FormattedMessage` used the **same** regular expression as
`java.util.Format`, if a message uses `java.util.Format` specifiers, it
is still vulnerable to a ReDOS.
We change the order in which `FormattedMessage` checks the format of the
provided pattern: we first check for the presence of `{}` placeholders
and only then for `java.util.Format` specifiers.
This eliminates the need for a potentially exponential regular
expression evalutation, which was reported by Spotbugs (apache#1849).
The Javadoc and documentation were improved to clarify the heuristic
used by `FormattedMessage`.
Closes apache#1223.
Remark: since `FormattedMessage` used the **same** regular expression as
`java.util.Format`, if a message uses `java.util.Format` specifiers, it
is still vulnerable to a ReDOS.
In order to determine which message format syntax to use in
FormattedMessage, this uses a regular expression. This can be simplified by flipping the ordering to check for a parametrized message first before assuming it's a printf-style message.The text was updated successfully, but these errors were encountered: