From a163ee71b69f58fa4105a05989d05adfa9253983 Mon Sep 17 00:00:00 2001
From: Roland Grunberg
Date: Fri, 10 Dec 2021 16:55:35 -0500
Subject: [PATCH] Add system property to JVM arguments, to be interpreted by LOG4J 1.x

- Add '-Dlog4j2.formatMsgNoLookups=true'
- CVE-2021-44228
Signed-off-by: Roland Grunberg
---
 package.json | 4 ++--
 src/javaServerStarter.ts | 7 +++++++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/package.json b/package.json
index 66dd25cc3..c19dafbab 100644
--- a/package.json
+++ b/package.json
@@ -178,8 +178,8 @@
 "string",
 "null"
 ],
- "default": "-XX:+UseParallelGC -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -Dsun.zip.disableMemoryMapping=true -Xmx1G -Xms100m",
- "description": "Specifies extra VM arguments used to launch the Java Language Server. Eg. use `-XX:+UseParallelGC -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -Dsun.zip.disableMemoryMapping=true -Xmx1G -Xms100m ` to optimize memory usage with the parallel garbage collector",
+ "default": "-XX:+UseParallelGC -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -Dsun.zip.disableMemoryMapping=true -Xmx1G -Xms100m -Dlog4j2.formatMsgNoLookups=true",
+ "description": "Specifies extra VM arguments used to launch the Java Language Server. Eg. use `-XX:+UseParallelGC -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -Dsun.zip.disableMemoryMapping=true -Xmx1G -Xms100m` to optimize memory usage with the parallel garbage collector",
 "scope": "window"
 },
 "java.errors.incompleteClasspath.severity": {
diff --git a/src/javaServerStarter.ts b/src/javaServerStarter.ts
index ed500aafa..dc32f4d47 100644
--- a/src/javaServerStarter.ts
+++ b/src/javaServerStarter.ts
@@ -24,6 +24,8 @@ const DEBUG = (typeof v8debug === 'object') || startedInDebugMode();
 */
 export const HEAP_DUMP = '-XX:+HeapDumpOnOutOfMemoryError';
 
+ const LOG4J_FRMT_MSG_NO_LOOKUPS = '-Dlog4j2.formatMsgNoLookups=';
+
 export function prepareExecutable(requirements: RequirementsData, workspacePath, javaConfig, context: ExtensionContext, isSyntaxServer: boolean): Executable {
 const executable: Executable = Object.create(null);
 const options: ExecutableOptions = Object.create(null);
@@ -118,6 +120,11 @@ function prepareParams(requirements: RequirementsData, javaConfiguration, worksp
 }
 }
 
+ // CVE-2021-44228 for LOG4J 1.x
+ if (vmargs.indexOf(LOG4J_FRMT_MSG_NO_LOOKUPS) < 0) {
+ params.push(`${LOG4J_FRMT_MSG_NO_LOOKUPS}true`);
+ }
+
 // "OpenJDK 64-Bit Server VM warning: Options -Xverify:none and -noverify
 // were deprecated in JDK 13 and will likely be removed in a future release."
 // so only add -noverify for older versions
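Review bot: The guard `vmargs.indexOf(LOG4J_FRMT_MSG_NO_LOOKUPS) < 0` in the second hunk matches only the property name, so a vmargs value that already carries `-Dlog4j2.formatMsgNoLookups=false` skips the push and the server starts without the mitigation. If that user override is intended, the comment should say so; it also reads `LOG4J 1.x`, while the property name and CVE-2021-44228 concern Log4j 2, so I would write `// CVE-2021-44228 (Log4j 2): disable message lookups unless vmargs already sets the property`. `vmargs` is assigned outside the hunk, and package.json declares the setting as string or null, so it is worth confirming that it is always a string before `.indexOf` is called. The flag is presumably honoured only by the Log4j 2 releases that read this property, so it is a stopgap and not a substitute for updating whatever Log4j 2 jars the server loads. prepareParams begins and ends outside the hunk.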