xref: /aosp_15_r20/external/jazzer-api/examples/BUILD.bazel (revision 33edd6723662ea34453766bfdca85dbfdd5342b8)
1load("@io_bazel_rules_kotlin//kotlin:jvm.bzl", "kt_jvm_library")
2load("@fmeum_rules_jni//jni:defs.bzl", "java_jni_library")
3load("//bazel:compat.bzl", "SKIP_ON_MACOS", "SKIP_ON_WINDOWS")
4load("//bazel:fuzz_target.bzl", "java_fuzz_target_test")
5load("//bazel:kotlin.bzl", "ktlint")
6
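# Autofuzz example: no hand-written harness is listed (no srcs, no target_class). The
# --autofuzz argument names JsonSanitizer::sanitize as the method to fuzz, and the library
# under test is supplied only as a runtime dependency.
java_fuzz_target_test(
    name = "Autofuzz",
    # NOTE(review): presumably the finding types this test accepts as its expected result -
    # confirm against the macro in //bazel:fuzz_target.bzl.
    allowed_findings = ["java.lang.ArrayIndexOutOfBoundsException"],
    fuzzer_args = [
        "--autofuzz=com.google.json.JsonSanitizer::sanitize",
    ],
    runtime_deps = [
        "@maven//:com_mikesamuel_json_sanitizer",
    ],
)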
17
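# Hook-based example. The fuzz target only reaches its finding when the custom hooks from
# ExampleFuzzerHooks are loaded; they are passed in through hook_jar.
java_fuzz_target_test(
    name = "ExampleFuzzer",
    srcs = ["src/main/java/com/example/ExampleFuzzer.java"],
    allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium"],
    # The implicit _deploy.jar output of the ExampleFuzzerHooks java_binary below.
    hook_jar = "ExampleFuzzerHooks_deploy.jar",
    target_class = "com.example.ExampleFuzzer",
    # Does not crash due to not using the hook.
    # NOTE(review): reads as "the generated reproducer runs without the hook jar, so it cannot
    # re-trigger the finding" - confirm against the macro.
    verify_crash_reproducer = False,
)

# Builds the hook classes as a jar only (create_executable = False, so no launcher).
java_binary(
    name = "ExampleFuzzerHooks",
    srcs = ["src/main/java/com/example/ExampleFuzzerHooks.java"],
    create_executable = False,
    # Comment out the next line to keep the ExampleFuzzer running indefinitely - without the hook, it will never be able
    # to pass the comparison with the random number.
    # The manifest attribute is what advertises the hook class; the jar alone is not enough.
    deploy_manifest_lines = ["Jazzer-Hook-Classes: com.example.ExampleFuzzerHooks"],
    deps = ["//src/main/java/com/code_intelligence/jazzer/api:hooks"],
)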
37
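# Java fuzz target with a JNI component. The same Java class is packaged with two builds of
# the native library (native_asan and native_ubsan); the tests below pick one at run time.
java_jni_library(
    name = "example_fuzzer_with_native_lib",
    srcs = [
        "src/main/java/com/example/ExampleFuzzerWithNative.java",
    ],
    native_libs = [
        "//examples/src/main/native/com/example:native_asan",
        "//examples/src/main/native/com/example:native_ubsan",
    ],
    # Only the native package may depend on this library.
    visibility = ["//examples/src/main/native/com/example:__pkg__"],
    deps = [
        "//deploy:jazzer-api",
    ],
)

# Runs ExampleFuzzerWithNative against the native_asan build with --asan.
java_fuzz_target_test(
    name = "ExampleFuzzerWithASan",
    # A finding reported from native code rather than a Java exception type.
    allowed_findings = ["native"],
    # Selects which of the two bundled native libraries is used.
    env = {"EXAMPLE_NATIVE_LIB": "native_asan"},
    # CC is taken from the invoking environment, so the result depends on the host compiler.
    env_inherit = ["CC"],
    fuzzer_args = [
        "--asan",
    ],
    # The shell launcher generated by Jazzer is killed in CI, even with codesigning disabled on the
    # Java binary. This is not reproducible locally or with JDK 17.
    tags = ["no-macos-x86_64-jdk8"],
    target_class = "com.example.ExampleFuzzerWithNative",
    # NOTE(review): no reason is given here for skipping Windows; the UBSan target below
    # documents a silent runtime crash - confirm whether the same applies.
    target_compatible_with = SKIP_ON_WINDOWS,
    # NOTE(review): reproducer verification is disabled without a stated reason.
    verify_crash_reproducer = False,
    runtime_deps = [
        ":example_fuzzer_with_native_lib",
    ],
)

# Runs ExampleFuzzerWithNative against the native_ubsan build with --ubsan.
java_fuzz_target_test(
    name = "ExampleFuzzerWithUBSan",
    # A finding reported from native code rather than a Java exception type.
    allowed_findings = ["native"],
    # Selects which of the two bundled native libraries is used.
    env = {"EXAMPLE_NATIVE_LIB": "native_ubsan"},
    # CC is taken from the invoking environment, so the result depends on the host compiler.
    env_inherit = ["CC"],
    fuzzer_args = [
        "--ubsan",
    ],
    # The shell launcher generated by Jazzer is killed in CI, even with codesigning disabled on the
    # Java binary. This is not reproducible locally or with JDK 17.
    tags = ["no-macos-x86_64-jdk8"],
    target_class = "com.example.ExampleFuzzerWithNative",
    # Crashes at runtime without an error message.
    target_compatible_with = SKIP_ON_WINDOWS,
    # NOTE(review): reproducer verification is disabled without a stated reason.
    verify_crash_reproducer = False,
    runtime_deps = [
        ":example_fuzzer_with_native_lib",
    ],
)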
91
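# Hook jar for the path traversal example: built as a jar only, with the hook class
# advertised through the Jazzer-Hook-Classes manifest attribute.
java_binary(
    name = "ExamplePathTraversalFuzzerHooks",
    srcs = ["src/main/java/com/example/ExamplePathTraversalFuzzerHooks.java"],
    create_executable = False,
    deploy_manifest_lines = ["Jazzer-Hook-Classes: com.example.ExamplePathTraversalFuzzerHooks"],
    deps = ["//src/main/java/com/code_intelligence/jazzer/api:hooks"],
)

# Path traversal example. The expected finding is a FuzzerSecurityIssueHigh, and the custom
# hooks above are loaded through hook_jar.
java_fuzz_target_test(
    name = "ExamplePathTraversalFuzzer",
    srcs = [
        "src/main/java/com/example/ExamplePathTraversalFuzzer.java",
    ],
    allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh"],
    # The implicit _deploy.jar output of ExamplePathTraversalFuzzerHooks.
    hook_jar = "ExamplePathTraversalFuzzerHooks_deploy.jar",
    target_class = "com.example.ExamplePathTraversalFuzzer",
    # NOTE(review): no reason is given; ExampleFuzzer disables this because its reproducer
    # does not use the hook - presumably the same applies here, confirm.
    verify_crash_reproducer = False,
)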
110
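# Demonstrates libFuzzer's value profile: per the comment below, the target does not reach
# its finding without -use_value_profile=1.
java_fuzz_target_test(
    name = "ExampleValueProfileFuzzer",
    srcs = [
        "src/main/java/com/example/ExampleValueProfileFuzzer.java",
    ],
    allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
    # Comment out the next line to keep the fuzzer running indefinitely.
    fuzzer_args = ["-use_value_profile=1"],
    target_class = "com.example.ExampleValueProfileFuzzer",
)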
121
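# Maze example, run with value profiling enabled.
java_fuzz_target_test(
    name = "MazeFuzzer",
    srcs = [
        "src/main/java/com/example/MazeFuzzer.java",
    ],
    # NOTE(review): "$$" is presumably Bazel's escape for a literal "$", making this the
    # nested class MazeFuzzer$TreasureFoundException - confirm how the macro expands it.
    allowed_findings = ["com.example.MazeFuzzer$$TreasureFoundException"],
    fuzzer_args = ["-use_value_profile=1"],
    target_class = "com.example.MazeFuzzer",
)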
131
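# Out-of-memory example. Either a raw OutOfMemoryError or a FuzzerSecurityIssueLow is
# accepted as the finding.
java_fuzz_target_test(
    name = "ExampleOutOfMemoryFuzzer",
    timeout = "short",
    srcs = [
        "src/main/java/com/example/ExampleOutOfMemoryFuzzer.java",
    ],
    allowed_findings = [
        "com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow",
        "java.lang.OutOfMemoryError",
    ],
    # Caps the JVM heap at 512 MiB; presumably so the exhaustion is reached within the
    # short timeout instead of consuming the host's memory.
    fuzzer_args = ["--jvm_args=-Xmx512m"],
    target_class = "com.example.ExampleOutOfMemoryFuzzer",
)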
145
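# Stack overflow example. Either a raw StackOverflowError or a FuzzerSecurityIssueLow is
# accepted as the finding.
java_fuzz_target_test(
    name = "ExampleStackOverflowFuzzer",
    srcs = [
        "src/main/java/com/example/ExampleStackOverflowFuzzer.java",
    ],
    allowed_findings = [
        "com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow",
        "java.lang.StackOverflowError",
    ],
    target_class = "com.example.ExampleStackOverflowFuzzer",
    # Crashes with a segfault before any stack trace printing is reached.
    target_compatible_with = SKIP_ON_MACOS,
)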
159
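# WARNING: This fuzz target uses a vulnerable version of log4j, which could result in the execution
# of arbitrary code during fuzzing if executed with an older JDK. Use at your own risk.
#
# The log4j version is not set in this file; it is whatever the @maven repository resolves,
# so a dependency bump there changes what this target exercises.
java_fuzz_target_test(
    name = "Log4jFuzzer",
    timeout = "long",
    srcs = [
        "src/main/java/com/example/Log4jFuzzer.java",
    ],
    fuzzer_args = [
        # Fork mode: fuzzing runs in parallel child processes.
        "-fork=4",
        "-use_value_profile=1",
    ],
    # Finding this bug takes ~5 minutes on a decent laptop, but the GitHub Actions machines are not
    # powerful enough to run it as part of our test suite.
    # "manual" also keeps the target out of wildcard patterns such as //...; it runs only when
    # named explicitly.
    # NOTE(review): consider adding "block-network" so the test has no network access while
    # the vulnerable library processes fuzzer input - confirm the macro forwards tags.
    tags = ["manual"],
    target_class = "com.example.Log4jFuzzer",
    deps = [
        "@maven//:org_apache_logging_log4j_log4j_api",
        "@maven//:org_apache_logging_log4j_log4j_core",
    ],
)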
181
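# WARNING: This fuzz target uses a vulnerable version of Apache Commons Text, which could result in the execution
# of arbitrary code during fuzzing if executed with an older JDK. Use at your own risk.
#
# The Commons Text version is not set in this file; it is whatever the @maven repository
# resolves, so a dependency bump there changes what this target exercises.
java_fuzz_target_test(
    name = "CommonsTextFuzzer",
    size = "enormous",
    srcs = [
        "src/main/java/com/example/CommonsTextFuzzer.java",
    ],
    fuzzer_args = [
        # Fork mode: fuzzing runs in parallel child processes.
        "-fork=8",
        "-use_value_profile=1",
    ],
    # "manual" keeps the target out of wildcard patterns such as //...; it runs only when
    # named explicitly.
    # NOTE(review): consider adding "block-network" so the test has no network access while
    # the vulnerable library processes fuzzer input - confirm the macro forwards tags.
    tags = ["manual"],
    target_class = "com.example.CommonsTextFuzzer",
    # NOTE(review): reproducer verification is disabled without a stated reason.
    verify_crash_reproducer = False,
    deps = [
        "@maven//:org_apache_commons_commons_text",
    ],
)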
201
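# Fuzzes JPEG parsing in Apache Commons Imaging; the expected finding is a
# NegativeArraySizeException.
java_fuzz_target_test(
    name = "JpegImageParserFuzzer",
    size = "enormous",
    srcs = [
        "src/main/java/com/example/JpegImageParserFuzzer.java",
    ],
    allowed_findings = ["java.lang.NegativeArraySizeException"],
    fuzzer_args = [
        # Fork mode: fuzzing runs in parallel child processes.
        "-fork=2",
    ],
    # When executed locally, the test runs without other tests in parallel.
    tags = ["exclusive-if-local"],
    target_class = "com.example.JpegImageParserFuzzer",
    # The exit codes of the forked libFuzzer processes are not picked up correctly.
    target_compatible_with = SKIP_ON_MACOS,
    deps = [
        "@maven//:org_apache_commons_commons_imaging",
    ],
)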
220
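# Fuzzes GIF parsing in Apache Commons Imaging. Three exception types are accepted as the
# finding, including OutOfMemoryError.
java_fuzz_target_test(
    name = "GifImageParserFuzzer",
    srcs = [
        "src/main/java/com/example/GifImageParserFuzzer.java",
    ],
    allowed_findings = [
        "java.lang.ArrayIndexOutOfBoundsException",
        "java.lang.IllegalArgumentException",
        "java.lang.OutOfMemoryError",
    ],
    target_class = "com.example.GifImageParserFuzzer",
    deps = [
        "@maven//:org_apache_commons_commons_imaging",
    ],
)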
236
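# Fuzzes TIFF parsing in Apache Commons Imaging. Tagged "manual", so it runs only when named
# explicitly.
# NOTE(review): no allowed_findings are listed, so the expected result falls back to the
# macro's default - confirm what that default is.
java_fuzz_target_test(
    name = "TiffImageParserFuzzer",
    srcs = [
        "src/main/java/com/example/TiffImageParserFuzzer.java",
    ],
    tags = ["manual"],
    target_class = "com.example.TiffImageParserFuzzer",
    deps = [
        "@maven//:org_apache_commons_commons_imaging",
    ],
)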
248
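# Fuzzes json-sanitizer for crashes; the expected finding is an IndexOutOfBoundsException.
java_fuzz_target_test(
    name = "JsonSanitizerCrashFuzzer",
    srcs = [
        "src/main/java/com/example/JsonSanitizerCrashFuzzer.java",
    ],
    allowed_findings = ["java.lang.IndexOutOfBoundsException"],
    target_class = "com.example.JsonSanitizerCrashFuzzer",
    deps = [
        "@maven//:com_mikesamuel_json_sanitizer",
    ],
)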
260
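# Fuzzes json-sanitizer with an assertion-based check; the expected finding is an
# AssertionError raised by the target.
java_fuzz_target_test(
    name = "JsonSanitizerDenylistFuzzer",
    srcs = [
        "src/main/java/com/example/JsonSanitizerDenylistFuzzer.java",
    ],
    allowed_findings = ["java.lang.AssertionError"],
    target_class = "com.example.JsonSanitizerDenylistFuzzer",
    deps = [
        "@maven//:com_mikesamuel_json_sanitizer",
    ],
)

# Replays a stored crashing input against the denylist fuzz target without the fuzzer, using
# Jazzer's Replayer as the main class.
java_binary(
    name = "JsonSanitizerReplayerCrash",
    # The stored crashing input. No rule in this file defines it, so it is presumably a file
    # checked into this package.
    data = [
        ":json_sanitizer_denylist_crash",
    ],
    main_class = "com.code_intelligence.jazzer.replay.Replayer",
    runtime_deps = [
        # NOTE(review): presumably an output generated by java_fuzz_target_test for the
        # target above - confirm against //bazel:fuzz_target.bzl.
        ":JsonSanitizerDenylistFuzzer_target_deploy.jar",
        "//src/main/java/com/code_intelligence/jazzer/replay:Replayer_deploy.jar",
    ],
)

# Regression check that the stored input still produces the finding when replayed.
sh_test(
    name = "JsonSanitizerReplayerCrashTest",
    srcs = ["check_for_finding.sh"],
    # Arguments, in order: the replayer binary, the fuzz target class, the crash file.
    # NOTE(review): the "jazzer/" prefix is presumably the workspace name used for runfiles
    # lookup - confirm in check_for_finding.sh.
    args = [
        "jazzer/$(rootpath :JsonSanitizerReplayerCrash)",
        "com.example.JsonSanitizerDenylistFuzzer",
        "jazzer/$(rootpath :json_sanitizer_denylist_crash)",
    ],
    data = [
        ":JsonSanitizerReplayerCrash",
        ":json_sanitizer_denylist_crash",
    ],
    deps = [
        "@bazel_tools//tools/bash/runfiles",
    ],
)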
301
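# Fuzzes json-sanitizer with an assertion-based check (idempotence, per the target name);
# the expected finding is an AssertionError.
java_fuzz_target_test(
    name = "JsonSanitizerIdempotenceFuzzer",
    srcs = [
        "src/main/java/com/example/JsonSanitizerIdempotenceFuzzer.java",
    ],
    allowed_findings = ["java.lang.AssertionError"],
    target_class = "com.example.JsonSanitizerIdempotenceFuzzer",
    deps = [
        "@maven//:com_mikesamuel_json_sanitizer",
    ],
)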
313
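# Fuzzes json-sanitizer with Gson on the classpath; the expected finding is a
# FuzzerSecurityIssueLow.
# NOTE(review): presumably Gson acts as the reference parser for the sanitizer's output -
# confirm in JsonSanitizerValidJsonFuzzer.java.
java_fuzz_target_test(
    name = "JsonSanitizerValidJsonFuzzer",
    srcs = [
        "src/main/java/com/example/JsonSanitizerValidJsonFuzzer.java",
    ],
    allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
    target_class = "com.example.JsonSanitizerValidJsonFuzzer",
    deps = [
        "@maven//:com_google_code_gson_gson",
        "@maven//:com_mikesamuel_json_sanitizer",
    ],
)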
326
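# Fuzzes Jackson's CBOR data format; the expected finding is a NullPointerException.
java_fuzz_target_test(
    name = "JacksonCborFuzzer",
    srcs = [
        "src/main/java/com/example/JacksonCborFuzzer.java",
    ],
    allowed_findings = ["java.lang.NullPointerException"],
    target_class = "com.example.JacksonCborFuzzer",
    deps = [
        "@maven//:com_fasterxml_jackson_core_jackson_core",
        "@maven//:com_fasterxml_jackson_core_jackson_databind",
        "@maven//:com_fasterxml_jackson_dataformat_jackson_dataformat_cbor",
    ],
)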
340
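# Fuzzes Alibaba fastjson; the expected finding is a NumberFormatException.
java_fuzz_target_test(
    name = "FastJsonFuzzer",
    srcs = [
        "src/main/java/com/example/FastJsonFuzzer.java",
    ],
    allowed_findings = ["java.lang.NumberFormatException"],
    target_class = "com.example.FastJsonFuzzer",
    deps = [
        "@maven//:com_alibaba_fastjson",
    ],
)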
352
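# Kotlin fuzz target for the Klaxon JSON library. It is compiled as a separate
# kt_jvm_library and handed to the fuzz test through runtime_deps.
kt_jvm_library(
    name = "KlaxonFuzzTarget",
    srcs = [
        "src/main/java/com/example/KlaxonFuzzer.kt",
    ],
    deps = [
        "//deploy:jazzer-api",
        "@maven//:com_beust_klaxon",
    ],
)

# Runs the Klaxon target and accepts four different exception types as findings.
java_fuzz_target_test(
    name = "KlaxonFuzzer",
    allowed_findings = [
        "java.lang.ClassCastException",
        "java.lang.IllegalStateException",
        "java.lang.NumberFormatException",
        "java.lang.NullPointerException",
    ],
    fuzzer_args = [
        # NOTE(review): presumably lets fuzzing continue past the first finding, up to 7
        # findings - confirm against Jazzer's option documentation.
        "--keep_going=7",
    ],
    target_class = "com.example.KlaxonFuzzer",
    runtime_deps = [":KlaxonFuzzTarget"],
)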
378
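# Kotlin counterpart of the basic example. It is compiled as a separate kt_jvm_library and
# handed to the fuzz test through runtime_deps.
kt_jvm_library(
    name = "ExampleKotlinFuzzTarget",
    srcs = [
        "src/main/java/com/example/ExampleKotlinFuzzer.kt",
    ],
    deps = [
        "//deploy:jazzer-api",
    ],
)

# Runs the Kotlin example; the expected finding is a FuzzerSecurityIssueMedium.
java_fuzz_target_test(
    name = "ExampleKotlinFuzzer",
    allowed_findings = [
        "com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium",
    ],
    target_class = "com.example.ExampleKotlinFuzzer",
    runtime_deps = [":ExampleKotlinFuzzTarget"],
)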
397
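# Kotlin counterpart of the value profile example. It is compiled as a separate
# kt_jvm_library and handed to the fuzz test through runtime_deps.
kt_jvm_library(
    name = "ExampleKotlinValueProfileFuzzTarget",
    srcs = [
        "src/main/java/com/example/ExampleKotlinValueProfileFuzzer.kt",
    ],
    deps = [
        "//deploy:jazzer-api",
    ],
)

# Runs the Kotlin value profile example with -use_value_profile=1; the expected finding is a
# FuzzerSecurityIssueMedium.
java_fuzz_target_test(
    name = "ExampleKotlinValueProfileFuzzer",
    allowed_findings = [
        "com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium",
    ],
    fuzzer_args = [
        "-use_value_profile=1",
    ],
    target_class = "com.example.ExampleKotlinValueProfileFuzzer",
    runtime_deps = [":ExampleKotlinValueProfileFuzzTarget"],
)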
419
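# Fuzzes the libjpeg-turbo Java bindings with UBSan enabled for the native side. Tagged
# "manual", so it runs only when named explicitly.
# NOTE(review): no allowed_findings are listed, so the expected result falls back to the
# macro's default - confirm what that default is.
java_fuzz_target_test(
    name = "TurboJpegFuzzer",
    srcs = [
        "src/main/java/com/example/TurboJpegFuzzer.java",
    ],
    # The native library is provided as a data dependency and found via java.library.path.
    data = [
        "@libjpeg_turbo//:turbojpeg_native",
    ],
    fuzzer_args = [
        # NOTE(review): 8196 looks like a typo for 8192 (8 GiB); left unchanged.
        "-rss_limit_mb=8196",
        # Relative path: this relies on the test's working directory and runfiles layout.
        "--jvm_args=-Djava.library.path=../libjpeg_turbo",
        "--ubsan",
    ],
    tags = ["manual"],
    target_class = "com.example.TurboJpegFuzzer",
    deps = [
        "@libjpeg_turbo//:turbojpeg_java",
    ],
)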
439
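# Fuzzes the Apache Batik transcoder; the expected finding is a FuzzerSecurityIssueMedium.
java_fuzz_target_test(
    name = "BatikTranscoderFuzzer",
    srcs = [
        "src/main/java/com/example/BatikTranscoderFuzzer.java",
    ],
    allowed_findings = [
        "com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium",
    ],
    target_class = "com.example.BatikTranscoderFuzzer",
    # NOTE(review): reproducer verification is disabled without a stated reason.
    verify_crash_reproducer = False,
    deps = [
        "@maven//:org_apache_xmlgraphics_batik_anim",
        "@maven//:org_apache_xmlgraphics_batik_bridge",
        "@maven//:org_apache_xmlgraphics_batik_css",
        "@maven//:org_apache_xmlgraphics_batik_transcoder",
        "@maven//:org_apache_xmlgraphics_batik_util",
    ],
)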
458
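# Publicly visible bundle of selected example fuzz targets, built as a jar only
# (create_executable = False).
# The Log4j and Commons Text targets, which depend on known-vulnerable library versions, are
# not in this list. Keep it that way so the public bundle does not ship those libraries.
java_binary(
    name = "examples",
    create_executable = False,
    visibility = ["//visibility:public"],
    runtime_deps = [
        ":BatikTranscoderFuzzer_target_deploy.jar",
        ":ExampleFuzzer_target_deploy.jar",
        ":ExampleValueProfileFuzzer_target_deploy.jar",
        ":FastJsonFuzzer_target_deploy.jar",
        ":JacksonCborFuzzer_target_deploy.jar",
        ":JpegImageParserFuzzer_target_deploy.jar",
        ":JsonSanitizerDenylistFuzzer_target_deploy.jar",
    ],
)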
473
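# Calls the ktlint macro loaded from //bazel:kotlin.bzl.
# NOTE(review): presumably registers lint checks for the Kotlin sources in this package -
# confirm in the macro definition.
ktlint()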