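# Bazel targets exercising Jazzer's built-in sanitizers. Each java_fuzz_target_test
# fuzzes the named target class and, as the attribute name suggests, passes only
# when the run ends in one of its `allowed_findings`.
#
# Review notes (security-relevant caveats for maintainers):
# - Several targets list a plain Java exception next to the FuzzerSecurityIssue*
#   class. Judging by the comments on LibraryLoad, LdapSearchInjection,
#   ClassLoaderLoadClass and XPathInjection, this is because the generated crash
#   reproducer runs WITHOUT the sanitizer hooks, so the same input surfaces there as
#   an ordinary exception. Listing that exception widens what counts as a pass: if
#   the harness in //bazel:fuzz_target.bzl accepts any allowed finding for the
#   fuzzing run as well, a sanitizer regression that only produces the plain
#   exception would go unnoticed. Confirm the fuzzing run itself still requires
#   the FuzzerSecurityIssue* finding.
# - `verify_crash_reproducer = False` skips replaying the recorded crash, so those
#   targets only prove that the fuzzer found an issue, not that the input is
#   reproducible. Where no reason is given on the target it is presumably the same
#   reproducer-without-hook limitation, but that is not visible here.
load("//bazel:fuzz_target.bzl", "java_fuzz_target_test")
load("//bazel:compat.bzl", "SKIP_ON_MACOS")

java_fuzz_target_test(
    name = "ObjectInputStreamDeserialization",
    srcs = ["ObjectInputStreamDeserialization.java"],
    allowed_findings = [
        "com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh",
        # Reason not stated here; presumably the reproducer runs without the hook,
        # as documented on ClassLoaderLoadClass below -- confirm.
        "java.lang.ExceptionInInitializerError",
    ],
    target_class = "com.example.ObjectInputStreamDeserialization",
)

java_fuzz_target_test(
    name = "ReflectiveCall",
    srcs = ["ReflectiveCall.java"],
    allowed_findings = [
        "com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh",
        # Reason not stated here; presumably the reproducer runs without the hook,
        # as documented on ClassLoaderLoadClass below -- confirm.
        "java.lang.ExceptionInInitializerError",
    ],
    target_class = "com.example.ReflectiveCall",
)

java_fuzz_target_test(
    name = "LibraryLoad",
    srcs = ["LibraryLoad.java"],
    allowed_findings = [
        "com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh",
    ],
    target_class = "com.example.LibraryLoad",
    # Loading native libraries is very slow on macOS, especially with Java 17.
    target_compatible_with = SKIP_ON_MACOS,
    # The reproducer doesn't contain the sanitizer and thus runs into an ordinary,
    # ignored UnsatisfiedLinkError instead of the finding.
    verify_crash_reproducer = False,
)

java_fuzz_target_test(
    name = "ExpressionLanguageInjection",
    srcs = ["ExpressionLanguageInjection.java"],
    allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh"],
    target_class = "com.example.ExpressionLanguageInjection",
    # The reproducer can't find jaz.Zer (presumably the class the sanitizer plants
    # as a honeypot) and thus doesn't crash.
    verify_crash_reproducer = False,
    deps = [
        "//sanitizers/src/test/java/com/example/el:ExpressionLanguageExample",
        "@maven//:javax_validation_validation_api",
    ],
)

java_fuzz_target_test(
    name = "OsCommandInjectionProcessBuilder",
    srcs = ["OsCommandInjectionProcessBuilder.java"],
    allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueCritical"],
    target_class = "com.example.OsCommandInjectionProcessBuilder",
    # Reason not stated; see the note at the top of this file.
    verify_crash_reproducer = False,
)

java_fuzz_target_test(
    name = "OsCommandInjectionRuntimeExec",
    srcs = ["OsCommandInjectionRuntimeExec.java"],
    allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueCritical"],
    target_class = "com.example.OsCommandInjectionRuntimeExec",
    # Reason not stated; see the note at the top of this file.
    verify_crash_reproducer = False,
)

java_fuzz_target_test(
    name = "LdapSearchInjection",
    srcs = [
        "LdapSearchInjection.java",
        "ldap/MockLdapContext.java",
    ],
    allowed_findings = [
        "com.code_intelligence.jazzer.api.FuzzerSecurityIssueCritical",
        # The input recorded by the reproducer is not a valid search filter, and the
        # reproducer runs without the sanitizer hook, so this exception surfaces
        # instead of the security issue.
        "javax.naming.directory.InvalidSearchFilterException",
    ],
    target_class = "com.example.LdapSearchInjection",
    deps = [
        "@maven//:com_unboundid_unboundid_ldapsdk",
    ],
)

java_fuzz_target_test(
    name = "LdapDnInjection",
    srcs = [
        "LdapDnInjection.java",
        "ldap/MockLdapContext.java",
    ],
    allowed_findings = [
        "com.code_intelligence.jazzer.api.FuzzerSecurityIssueCritical",
        # The input recorded by the reproducer is not a valid DN, and the reproducer
        # runs without the sanitizer hook, so this exception surfaces instead of the
        # security issue.
        "javax.naming.NamingException",
    ],
    target_class = "com.example.LdapDnInjection",
    deps = [
        "@maven//:com_unboundid_unboundid_ldapsdk",
    ],
)

java_fuzz_target_test(
    name = "RegexInsecureQuoteInjection",
    srcs = ["RegexInsecureQuoteInjection.java"],
    allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
    target_class = "com.example.RegexInsecureQuoteInjection",
    # Reason not stated; see the note at the top of this file.
    verify_crash_reproducer = False,
)

java_fuzz_target_test(
    name = "RegexCanonEqInjection",
    srcs = ["RegexCanonEqInjection.java"],
    allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
    target_class = "com.example.RegexCanonEqInjection",
    # Reason not stated; see the note at the top of this file.
    verify_crash_reproducer = False,
)

java_fuzz_target_test(
    name = "ClassLoaderLoadClass",
    srcs = ["ClassLoaderLoadClass.java"],
    allowed_findings = [
        "com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh",
        # The reproducer does not find the honeypot library and doesn't have the hook.
        "java.lang.ExceptionInInitializerError",
    ],
    target_class = "com.example.ClassLoaderLoadClass",
)

java_fuzz_target_test(
    name = "RegexRoadblocks",
    srcs = ["RegexRoadblocks.java"],
    allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
    fuzzer_args = [
        # Limit the number of runs to verify that the regex roadblocks are
        # cleared quickly; raising this bound would hide a slowdown.
        "-runs=22000",
    ],
    target_class = "com.example.RegexRoadblocks",
    # Reason not stated; see the note at the top of this file.
    verify_crash_reproducer = False,
)

# Catching StackOverflowErrors doesn't work reliably across all systems and JDK versions.
# It may lead to a native crash before we can handle the exception in Java, therefore the
# test is set to manual execution.
java_fuzz_target_test(
    name = "StackOverflowRegexInjection",
    srcs = ["StackOverflowRegexInjection.java"],
    # Note: no FuzzerSecurityIssue* class is listed here, and with -runs=1 this is a
    # single-execution check rather than a sanitizer-finding test.
    allowed_findings = ["java.util.regex.PatternSyntaxException"],
    fuzzer_args = [
        "-runs=1",
    ],
    tags = ["manual"],
    target_class = "com.example.StackOverflowRegexInjection",
    verify_crash_reproducer = False,
)

java_fuzz_target_test(
    name = "SqlInjection",
    srcs = ["SqlInjection.java"],
    allowed_findings = [
        "com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh",
        # Reason not stated here; presumably the recorded input is not valid SQL once
        # the reproducer runs without the hook -- confirm.
        "org.h2.jdbc.JdbcSQLSyntaxErrorException",
    ],
    target_class = "com.example.SqlInjection",
    deps = [
        "@maven//:com_h2database_h2",
    ],
)

# Plain JUnit test (not a fuzz target). java_test is used without a load(); that is
# fine while it is still available as a native rule in the pinned Bazel version --
# confirm if Bazel is upgraded.
java_test(
    name = "DisabledHooksTest",
    size = "small",
    srcs = ["DisabledHooksTest.java"],
    test_class = "com.example.DisabledHooksTest",
    deps = [
        "//src/main/java/com/code_intelligence/jazzer/api",
        "//src/main/java/com/code_intelligence/jazzer/api:hooks",
    ],
)

java_fuzz_target_test(
    name = "XPathInjection",
    srcs = ["XPathInjection.java"],
    allowed_findings = [
        "com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh",
    ],
    target_class = "com.example.XPathInjection",
    # The fuzz target catches the syntax exception that the reproducer triggers when
    # run without the sanitizer, so the reproducer would not crash.
    verify_crash_reproducer = False,
)

java_fuzz_target_test(
    name = "SsrfSocketConnect",
    srcs = ["SsrfSocketConnect.java"],
    allowed_findings = [
        "com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium",
    ],
    target_class = "com.example.SsrfSocketConnect",
    # Reason not stated; see the note at the top of this file.
    verify_crash_reproducer = False,
)

java_fuzz_target_test(
    name = "SsrfSocketConnectToHost",
    srcs = ["SsrfSocketConnectToHost.java"],
    allowed_findings = [
        "com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium",
    ],
    target_class = "com.example.SsrfSocketConnectToHost",
    # Reason not stated; see the note at the top of this file.
    verify_crash_reproducer = False,
)

java_fuzz_target_test(
    name = "SsrfUrlConnection",
    srcs = ["SsrfUrlConnection.java"],
    allowed_findings = [
        "com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium",
    ],
    target_class = "com.example.SsrfUrlConnection",
    # Reason not stated; see the note at the top of this file.
    verify_crash_reproducer = False,
)

java_fuzz_target_test(
    name = "SsrfHttpClient",
    srcs = ["SsrfHttpClient.java"],
    allowed_findings = [
        "com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium",
    ],
    # Excluded on JDK 8, presumably because the API this target exercises is not
    # available there -- confirm against SsrfHttpClient.java.
    tags = ["no-jdk8"],
    target_class = "com.example.SsrfHttpClient",
    # Reason not stated; see the note at the top of this file.
    verify_crash_reproducer = False,
)

java_fuzz_target_test(
    name = "ScriptEngineInjection",
    srcs = ["ScriptEngineInjection.java"],
    allowed_findings = [
        "com.code_intelligence.jazzer.api.FuzzerSecurityIssueCritical",
    ],
    target_class = "com.example.ScriptEngineInjection",
    # Reason not stated; see the note at the top of this file.
    verify_crash_reproducer = False,
)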