| load("//bazel:fuzz_target.bzl", "java_fuzz_target_test") |
| load("//bazel:compat.bzl", "SKIP_ON_MACOS") |
| |
| java_fuzz_target_test( |
| name = "ObjectInputStreamDeserialization", |
| srcs = [ |
| "ObjectInputStreamDeserialization.java", |
| ], |
| allowed_findings = [ |
| "com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh", |
| "java.lang.ExceptionInInitializerError", |
| ], |
| target_class = "com.example.ObjectInputStreamDeserialization", |
| ) |
| |
| java_fuzz_target_test( |
| name = "ReflectiveCall", |
| srcs = [ |
| "ReflectiveCall.java", |
| ], |
| allowed_findings = [ |
| "com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh", |
| "java.lang.ExceptionInInitializerError", |
| ], |
| target_class = "com.example.ReflectiveCall", |
| ) |
| |
| java_fuzz_target_test( |
| name = "LibraryLoad", |
| srcs = [ |
| "LibraryLoad.java", |
| ], |
| allowed_findings = [ |
| "com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh", |
| ], |
| target_class = "com.example.LibraryLoad", |
| # loading of native libraries is very slow on macos, |
| # especially using Java 17 |
| target_compatible_with = SKIP_ON_MACOS, |
| # The reproducer doesn't contain the sanitizer and thus runs into an ordinary ignored |
| # UnsatisfiedLinkError. |
| verify_crash_reproducer = False, |
| ) |
| |
| java_fuzz_target_test( |
| name = "ExpressionLanguageInjection", |
| srcs = [ |
| "ExpressionLanguageInjection.java", |
| ], |
| allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh"], |
| target_class = "com.example.ExpressionLanguageInjection", |
| # The reproducer can't find jaz.Zer and thus doesn't crash. |
| verify_crash_reproducer = False, |
| deps = [ |
| "//sanitizers/src/test/java/com/example/el:ExpressionLanguageExample", |
| "@maven//:javax_validation_validation_api", |
| ], |
| ) |
| |
| java_fuzz_target_test( |
| name = "OsCommandInjectionProcessBuilder", |
| srcs = [ |
| "OsCommandInjectionProcessBuilder.java", |
| ], |
| allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueCritical"], |
| target_class = "com.example.OsCommandInjectionProcessBuilder", |
| verify_crash_reproducer = False, |
| ) |
| |
| java_fuzz_target_test( |
| name = "OsCommandInjectionRuntimeExec", |
| srcs = [ |
| "OsCommandInjectionRuntimeExec.java", |
| ], |
| allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueCritical"], |
| target_class = "com.example.OsCommandInjectionRuntimeExec", |
| verify_crash_reproducer = False, |
| ) |
| |
| java_fuzz_target_test( |
| name = "LdapSearchInjection", |
| srcs = [ |
| "LdapSearchInjection.java", |
| "ldap/MockLdapContext.java", |
| ], |
| allowed_findings = [ |
| "com.code_intelligence.jazzer.api.FuzzerSecurityIssueCritical", |
| # The crashing input encoded by the replayer does not have valid syntax, but no hook. |
| "javax.naming.directory.InvalidSearchFilterException", |
| ], |
| target_class = "com.example.LdapSearchInjection", |
| deps = [ |
| "@maven//:com_unboundid_unboundid_ldapsdk", |
| ], |
| ) |
| |
| java_fuzz_target_test( |
| name = "LdapDnInjection", |
| srcs = [ |
| "LdapDnInjection.java", |
| "ldap/MockLdapContext.java", |
| ], |
| allowed_findings = [ |
| "com.code_intelligence.jazzer.api.FuzzerSecurityIssueCritical", |
| # The crashing input encoded by the reproducer does not have valid syntax, but no hook. |
| "javax.naming.NamingException", |
| ], |
| target_class = "com.example.LdapDnInjection", |
| deps = [ |
| "@maven//:com_unboundid_unboundid_ldapsdk", |
| ], |
| ) |
| |
| java_fuzz_target_test( |
| name = "RegexInsecureQuoteInjection", |
| srcs = ["RegexInsecureQuoteInjection.java"], |
| allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"], |
| target_class = "com.example.RegexInsecureQuoteInjection", |
| verify_crash_reproducer = False, |
| ) |
| |
| java_fuzz_target_test( |
| name = "RegexCanonEqInjection", |
| srcs = [ |
| "RegexCanonEqInjection.java", |
| ], |
| allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"], |
| target_class = "com.example.RegexCanonEqInjection", |
| verify_crash_reproducer = False, |
| ) |
| |
| java_fuzz_target_test( |
| name = "ClassLoaderLoadClass", |
| srcs = [ |
| "ClassLoaderLoadClass.java", |
| ], |
| allowed_findings = [ |
| "com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh", |
| # Reproducer does not find the honeypot library and doesn't have the hook. |
| "java.lang.ExceptionInInitializerError", |
| ], |
| target_class = "com.example.ClassLoaderLoadClass", |
| ) |
| |
| java_fuzz_target_test( |
| name = "RegexRoadblocks", |
| srcs = ["RegexRoadblocks.java"], |
| allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"], |
| fuzzer_args = [ |
| # Limit the number of runs to verify that the regex roadblocks are |
| # cleared quickly. |
| "-runs=22000", |
| ], |
| target_class = "com.example.RegexRoadblocks", |
| verify_crash_reproducer = False, |
| ) |
| |
| # Catching StackOverflowErrors doesn't work reliably across all systems and JDK versions. |
| # It may lead to a native crash before we can handle the exception in Java, therefore the |
| # test is set to manual execution. |
| java_fuzz_target_test( |
| name = "StackOverflowRegexInjection", |
| srcs = ["StackOverflowRegexInjection.java"], |
| allowed_findings = ["java.util.regex.PatternSyntaxException"], |
| fuzzer_args = [ |
| "-runs=1", |
| ], |
| tags = ["manual"], |
| target_class = "com.example.StackOverflowRegexInjection", |
| verify_crash_reproducer = False, |
| ) |
| |
| java_fuzz_target_test( |
| name = "SqlInjection", |
| srcs = [ |
| "SqlInjection.java", |
| ], |
| allowed_findings = [ |
| "com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh", |
| "org.h2.jdbc.JdbcSQLSyntaxErrorException", |
| ], |
| target_class = "com.example.SqlInjection", |
| deps = [ |
| "@maven//:com_h2database_h2", |
| ], |
| ) |
| |
| java_test( |
| name = "DisabledHooksTest", |
| size = "small", |
| srcs = [ |
| "DisabledHooksTest.java", |
| ], |
| test_class = "com.example.DisabledHooksTest", |
| deps = [ |
| "//src/main/java/com/code_intelligence/jazzer/api", |
| "//src/main/java/com/code_intelligence/jazzer/api:hooks", |
| ], |
| ) |
| |
| java_fuzz_target_test( |
| name = "XPathInjection", |
| srcs = [ |
| "XPathInjection.java", |
| ], |
| allowed_findings = [ |
| "com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh", |
| ], |
| target_class = "com.example.XPathInjection", |
| # Fuzz target catches the syntax exception triggered by the reproducer without the sanitizer. |
| verify_crash_reproducer = False, |
| ) |
| |
| java_fuzz_target_test( |
| name = "SsrfSocketConnect", |
| srcs = [ |
| "SsrfSocketConnect.java", |
| ], |
| allowed_findings = [ |
| "com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium", |
| ], |
| target_class = "com.example.SsrfSocketConnect", |
| verify_crash_reproducer = False, |
| ) |
| |
| java_fuzz_target_test( |
| name = "SsrfSocketConnectToHost", |
| srcs = [ |
| "SsrfSocketConnectToHost.java", |
| ], |
| allowed_findings = [ |
| "com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium", |
| ], |
| target_class = "com.example.SsrfSocketConnectToHost", |
| verify_crash_reproducer = False, |
| ) |
| |
| java_fuzz_target_test( |
| name = "SsrfUrlConnection", |
| srcs = [ |
| "SsrfUrlConnection.java", |
| ], |
| allowed_findings = [ |
| "com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium", |
| ], |
| target_class = "com.example.SsrfUrlConnection", |
| verify_crash_reproducer = False, |
| ) |
| |
| java_fuzz_target_test( |
| name = "SsrfHttpClient", |
| srcs = [ |
| "SsrfHttpClient.java", |
| ], |
| allowed_findings = [ |
| "com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium", |
| ], |
| tags = ["no-jdk8"], |
| target_class = "com.example.SsrfHttpClient", |
| verify_crash_reproducer = False, |
| ) |