No network mount scan by default

Add a flag to allow user to force scan of network mounts when necessary. Useful as servers may have huge remote mounts.
google · Jan 7, 2022 · 9537312 · 9537312
1 parent eb36a17
commit 9537312
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 5 deletions.
diff --git a/log4jscanner.go b/log4jscanner.go
@@ -37,6 +37,7 @@ Flags:
 
     -s, --skip     Glob pattern to skip when scanning (e.g. '/var/run/*'). May
                    be provided multiple times.
+    -f, --force    Don't skip network and userland filesystems. (smb,nfs,afs,fuse)
     -w, --rewrite  Rewrite vulnerable JARs as they are detected.
     -v, --verbose  Print verbose logs to stderr.
 
@@ -58,6 +59,8 @@ func main() {
 		w       bool
 		verbose bool
 		v       bool
+		force   bool
+		f       bool
 		toSkip  []string
 	)
 	appendSkip := func(dir string) error {
@@ -69,6 +72,8 @@ func main() {
 	flag.BoolVar(&w, "w", false, "")
 	flag.BoolVar(&verbose, "verbose", false, "")
 	flag.BoolVar(&v, "v", false, "")
+	flag.BoolVar(&force, "force", false, "")
+	flag.BoolVar(&f, "f", false, "")
 	flag.Func("s", "", appendSkip)
 	flag.Func("skip", "", appendSkip)
 	flag.Usage = usage
@@ -78,13 +83,15 @@ func main() {
 		usage()
 		os.Exit(1)
 	}
+	if f {
+		force = f
+	}
 	if v {
 		verbose = v
 	}
 	if w {
 		rewrite = w
 	}
-
 	log.SetFlags(log.LstdFlags | log.Lshortfile)
 	logf := func(format string, v ...interface{}) {
 		if verbose {
@@ -110,7 +117,7 @@ func main() {
 			if skipDirs[filepath.Base(path)] {
 				return true
 			}
-			ignore, err := ignoreDir(path)
+			ignore, err := ignoreDir(path, force)
 			if err != nil {
 				log.Printf("Error scanning %s: %v", path, err)
 			}

diff --git a/log4jscanner_linux.go b/log4jscanner_linux.go
@@ -33,10 +33,23 @@ var toIgnore = map[int64]bool{
 	unix.TRACEFS_MAGIC:      true,
 }
 
-func ignoreDir(path string) (bool, error) {
+var networkIgnore = map[int64]bool{
+	unix.SMB_SUPER_MAGIC: true,
+	unix.AFS_SUPER_MAGIC: true,
+	unix.NFS_SUPER_MAGIC: true,
+	0x65735546:           true, // Fuse_SUPER_MAGIC
+	0xff534d42:           true, // CIFS_MAGIC_NUMBER
+	0xfe534d42:           true, // SMB2_MAGIC_NUMBER
+}
+
+func ignoreDir(path string, force bool) (bool, error) {
 	var stat unix.Statfs_t
 	if err := unix.Statfs(path, &stat); err != nil {
 		return false, fmt.Errorf("determining filesystem of %s: %v", path, err)
 	}
-	return toIgnore[stat.Type], nil
+	if force {
+		return toIgnore[stat.Type], nil
+	}
+	return toIgnore[stat.Type] || networkIgnore[stat.Type], nil
+
 }
diff --git a/log4jscanner_other.go b/log4jscanner_other.go
@@ -16,6 +16,6 @@
 
 package main
 
-func ignoreDir(path string) (bool, error) {
+func ignoreDir(path string, force bool) (bool, error) {
 	return false, nil
 }