.github/workflows/extended-test.yml

name: Extended test

on:
  pull_request:
    branches: [ main ]

  workflow_dispatch:


permissions:
  contents: read

jobs:  
  build:
    runs-on: ubuntu-latest
    
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit

      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0

      - name: Build the images
        run: |
          ./build_images.sh

      # Simple non-vulnerable scenarios 
      - name: Test the exploit lab using the python cli with --java-version 8 --log4j-version 2.12.2 [Non vulnerable]
        run: |
          #!/bin/sh
          set -x
          python log4shell_validator.py  --java-version 8 --log4j-version 2.12.2 --debug 2>&1 | tee output.txt
          grep "not vulnerable to CVE-2021-44228" output.txt
          rm output.txt

      - name: Test the exploit lab using the python cli with --java-version 8 --log4j-version 2.15.0 [Non vulnerable]
        run: |
          #!/bin/sh
          set -x
          python log4shell_validator.py  --java-version 8 --log4j-version 2.15.0 --debug  2>&1 | tee output.txt
          grep "not vulnerable to CVE-2021-44228" output.txt
          rm output.txt


      # Simple vulnerable scenarios
      - name: Test the exploit lab using the python cli with --java-version 8 --log4j-version 2.12.1 [vulnerable]
        run: |
          #!/bin/sh
          set -x
          python log4shell_validator.py  --java-version 8 --log4j-version 2.12.1 --debug  2>&1 | tee output.txt
          grep -v "not vulnerable to CVE-2021-44228" output.txt
          rm output.txt
        
      - name: Test the exploit lab using the python cli with --java-version 8 --log4j-version 2.14.0 [vulnerable]
        run: |
          #!/bin/sh
          set -x
          python log4shell_validator.py  --java-version 8 --log4j-version 2.14.0 --debug  2>&1 | tee output.txt
          grep -v "not vulnerable to CVE-2021-44228" output.txt
          rm output.txt
        

      # Testing Disable message lookup mitigation
      - name: Test Disable message lookup mitigation with --java-version 8 --log4j-version 2.14.0 (java8) [Not vulnerable]
        run: |
          #!/bin/sh
          set -x
          python log4shell_validator.py  --java-version 8 --log4j-version 2.14.0 --debug --disable-message-lookup  2>&1 | tee output.txt
          grep "not vulnerable to CVE-2021-44228" output.txt
          rm output.txt
      - name: Test Disable message lookup mitigation with --java-version 8 --log4j-version 2.9.0  (java8) [Vulnerable]
        run: |
          #!/bin/sh
          set -x
          python log4shell_validator.py  --java-version 8 --log4j-version 2.9.0 --debug --disable-message-lookup  2>&1 | tee output.txt
          grep -v "not vulnerable to CVE-2021-44228" output.txt
          rm output.txt

      # Testing Remove JNDI lookup class mitigation
      - name: Test Remove JNDI lookup class mitigation with --java-version 8 --log4j-version 2.14.0 [Not vulnerable]
        run: |
          #!/bin/sh
          set -x
          python log4shell_validator.py  --java-version 8 --log4j-version 2.14.0 --remove-jndi-lookup-class  2>&1 | tee output.txt
          grep "not vulnerable to CVE-2021-44228" output.txt
          rm output.txt
      - name: Test Thread Context exploit --java-version 8 --log4j-version 2.14.0 [Not vulnerable]
        run: |
          #!/bin/sh
          set -x
          python log4shell_validator.py  --java-version 8 --log4j-version 2.14.0 --remove-jndi-lookup-class --exploit-via-thread-context  2>&1 | tee output.txt
          grep -v "not vulnerable to CVE-2021-44228" output.txt
          grep "vulnerable to CVE-2021-44228" output.txt
          rm output.txt  

      # Testing com.sun.jndi.ldap.object.trustURLCodebase mitigation
      - name: Test com.sun.jndi.ldap.object.trustURLCodebase mitigation with --java-version 8 --log4j-version 2.14.0 (java8) [vulnerable to exfil (at least)]
        run: |
          #!/bin/sh
          set -x
          python log4shell_validator.py  --java-version 8 --log4j-version 2.14.0  --disable-trust-url  2>&1 | tee output.txt
          grep "Possible exfiltration" output.txt
          grep "not vulnerable to CVE-2021-44228" output.txt
          rm output.txt
      - name: Test com.sun.jndi.ldap.object.trustURLCodebase mitigation with --java-version 8 --log4j-version 2.3.0 (java8) [Not vulnerable]
        run: |
          #!/bin/sh
          set -x
          python log4shell_validator.py  --java-version 8 --log4j-version 2.9.1  --disable-trust-url  2>&1 | tee output.txt
          grep "not vulnerable to CVE-2021-44228" output.txt
          rm output.txt
      
      # Testing a error handling for non existing log4j versions:
      - name: Testing a error handling for non existing log4j versions
        run: |
          #!/bin/sh
          set -x
          python log4shell_validator.py  --java-version 8 --log4j-version 2.8.0  --disable-trust-url  2>&1 | tee output.txt
          grep "The version of log4j you specified does not seem to exist" output.txt
          rm output.txt