# This is the 1st commit message:

add a path traversal sanitizer Co-authored-by: Peter Samarin <petersamarin@gmail.com>
CodeIntelligenceTesting · Jan 31, 2025 · 7eeb039 · 7eeb039
1 parent d9c1a09
commit 7eeb039
Show file tree

Hide file tree

Showing 73 changed files with 2,185 additions and 948 deletions.
diff --git a/.github/BUILD.bazel b/.github/BUILD.bazel
@@ -20,7 +20,7 @@ xcode_version(
     version = "14.2.0.14C18",
 )
 
-# Xcode version on public GitHub Actions macos-13 runners
+# Xcode version on public GitHub Actions macos-13 and macos-14 runners
 xcode_version(
     name = "version15_2_0_15C500b",
     aliases = [

diff --git a/.github/workflows/prerelease.yaml b/.github/workflows/prerelease.yaml
@@ -14,7 +14,7 @@ jobs:
         include:
           - os: ubuntu-22.04
             name: linux
-          - os: macos-13
+          - os: macos-14
             name: macos
           - os: windows-2019
             name: windows
@@ -143,7 +143,7 @@ jobs:
           path: _releases/
 
       - name: create release
-        uses: softprops/action-gh-release@4634c16e79c963813287e889244c50009e7f0981
+        uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v2.0.9
         with:
           generate_release_notes: true
           draft: true

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -2,6 +2,9 @@ name: Release
 
 on:
   workflow_dispatch:
+  release:
+    types: [released]
+
 
 jobs:
 

diff --git a/.github/workflows/run-all-tests-main.yml b/.github/workflows/run-all-tests-main.yml
@@ -36,11 +36,11 @@ jobs:
     name: Build & Test
     strategy:
       matrix:
-        os: [ macos-13, windows-2019 ]
+        os: [ macos-14, windows-2019 ]
         # Test JDK 8 on Windows and mac only on main.
         jdk: [8]
         include:
-          - os: macos-13
+          - os: macos-14
             arch: "macos-arm64"
             bazel_args: "--xcode_version_config=//.github:host_xcodes"
           - os: windows-2019

diff --git a/.github/workflows/run-all-tests-pr.yml b/.github/workflows/run-all-tests-pr.yml
@@ -17,7 +17,7 @@ jobs:
     name: Build & Test
     strategy:
       matrix:
-        os: [ubuntu-22.04, windows-2019, macos-13]
+        os: [ubuntu-22.04, windows-2019, macos-14]
         jdk: [21]
         include:
           - jdk: 21
@@ -29,7 +29,7 @@ jobs:
           - os: ubuntu-22.04
             # Use JDK 8 only on Ubuntu in PRs.
             jdk: 8
-          - os: macos-13
+          - os: macos-14
             arch: "macos-arm64"
             bazel_args: "--xcode_version_config=//.github:host_xcodes"
           - os: windows-2019

diff --git a/MODULE.bazel b/MODULE.bazel
@@ -6,7 +6,7 @@ module(name = "jazzer")
 # Kept up-to-date by Renovate
 ################################################################################
 
-bazel_dep(name = "abseil-cpp", version = "20230802.0.bcr.1")
+bazel_dep(name = "abseil-cpp", version = "20230802.1")
 bazel_dep(name = "apple_support", version = "1.11.1")
 bazel_dep(name = "bazel_jar_jar", version = "0.1.0")
 bazel_dep(name = "bazel_skylib", version = "1.7.1")
@@ -18,11 +18,20 @@ bazel_dep(name = "protobuf")
 bazel_dep(name = "rules_android", version = "0.1.1")
 bazel_dep(name = "rules_android_ndk", version = "0.1.2")
 bazel_dep(name = "rules_foreign_cc", version = "0.11.1")
-bazel_dep(name = "rules_java", version = "7.7.0")
+bazel_dep(name = "rules_java", version = "7.12.2")
 bazel_dep(name = "rules_jni", version = "0.9.1")
-bazel_dep(name = "rules_jvm_external", version = "6.2")
-bazel_dep(name = "rules_kotlin", version = "1.9.5")
-bazel_dep(name = "rules_license", version = "0.0.8")
+bazel_dep(name = "rules_jvm_external")
+
+# TODO: Remove after the next release.
+archive_override(
+    module_name = "rules_jvm_external",
+    integrity = "sha256-7AerLOLhQ+oIDH2id7OE8WJmbH01MqBWV4CbqJ6Nh68=",
+    strip_prefix = "rules_jvm_external-a1d4e4f4267c1797b686719aa385e707b732c541",
+    urls = ["https://github.com/bazelbuild/rules_jvm_external/archive/a1d4e4f4267c1797b686719aa385e707b732c541.tar.gz"],
+)
+
+bazel_dep(name = "rules_kotlin", version = "1.9.6")
+bazel_dep(name = "rules_license", version = "1.0.0")
 bazel_dep(name = "rules_pkg", version = "0.9.1")
 bazel_dep(name = "toolchains_llvm", version = "0.10.3")
 

diff --git a/README.md b/README.md
@@ -114,11 +114,6 @@ See [the README](https://github.com/bazelbuild/rules_fuzzing#java-fuzzing) for i
 [Code Intelligence](https://code-intelligence.com) and Google have teamed up to bring support for Java, Kotlin, and other JVM-based languages to [OSS-Fuzz](https://github.com/google/oss-fuzz), Google's project for large-scale fuzzing of open-source software.
 Read [the OSS-Fuzz guide](https://google.github.io/oss-fuzz/getting-started/new-project-guide/jvm-lang/) to learn how to set up a Java project.
 
-**Note**: Open source projects can use Jazzer for free and benefit from the 
-OSS-Fuzz infrastructure, including ClusterFuzzLite and OSS-Fuzz-Gen for
-automated analysis and continuous integration. There is no risk of accidental 
-license violation as long as Jazzer is used for testing open-source code.
-
 ## Building from source
 
 Information on building and testing Jazzer for development can be found in [CONTRIBUTING.md](CONTRIBUTING.md)

diff --git a/deploy/BUILD.bazel b/deploy/BUILD.bazel
@@ -38,10 +38,13 @@ java_export(
     ],
     maven_coordinates = "com.code-intelligence:jazzer-api:$(JAZZER_VERSION)",
     pom_template = "//deploy:jazzer-api.pom",
-    tags = ["no-sources"],
     toolchains = [":jazzer_version"],
     visibility = ["//visibility:public"],
-    runtime_deps = ["//src/main/java/com/code_intelligence/jazzer/api"],
+    exports = [
+        "//src/main/java/com/code_intelligence/jazzer/api",
+        "//src/main/java/com/code_intelligence/jazzer/mutation/annotation",
+        "//src/main/java/com/code_intelligence/jazzer/mutation/annotation/proto",
+    ],
 )
 
 java_export(
@@ -73,9 +76,14 @@ alias(
 
 java_export(
     name = "jazzer-junit",
-    # Exclude the unshaded classes comprising com.code-intelligence:jazzer since the java_library
-    # target comprising jazzer-junit depend on the individual libraries, not the shaded jar.
-    deploy_env = ["//src/main/java/com/code_intelligence/jazzer:jazzer_lib"],
+    deploy_env = [
+        # Exclude the unshaded classes comprising com.code-intelligence:jazzer since the java_library
+        # target comprising jazzer-junit depend on the individual libraries, not the shaded jar.
+        "//src/main/java/com/code_intelligence/jazzer:jazzer_lib",
+        # Spring dependencies are required for javadoc but should be excluded from the jar.
+        "@maven//:org_springframework_spring_test",
+        "@maven//:org_springframework_spring_web",
+    ],
     doc_deps = [
         ":jazzer-api-docs",
         ":jazzer-docs",
@@ -89,21 +97,18 @@ java_export(
     ],
     maven_coordinates = "com.code-intelligence:jazzer-junit:$(JAZZER_VERSION)",
     pom_template = "jazzer-junit.pom",
-    tags = [
-        "no-sources",
-        # Generating javadocs breaks the build due to weird dependency issues.
-        # Deactivate it for now.
-        "no-javadocs",
-    ],
     toolchains = [":jazzer_version"],
     visibility = ["//visibility:public"],
-    runtime_deps = [
-        # These deps' only effect is to include a dependency on the 'jazzer' and 'jazzer-api' Maven artifacts in the
-        # POM.
-        "//deploy:jazzer",
+    exports = [
+        # Maven users should not need to depend on jazzer-api directly if they already directly depend on jazzer-junit,
+        # both for convenience and backwards compatibility.
         "//deploy:jazzer-api",
         "//src/main/java/com/code_intelligence/jazzer/junit",
     ],
+    runtime_deps = [
+        # This dep's only effect is to include a dependency on the 'jazzer' Maven artifacts in the POM.
+        "//deploy:jazzer",
+    ],
 )
 
 sh_test(

diff --git a/deploy/jazzer-api.pom b/deploy/jazzer-api.pom
@@ -38,4 +38,25 @@
     <scm>
         <url>https://github.com/CodeIntelligenceTesting/jazzer</url>
     </scm>
+
+    <licenses>
+        <license>
+            <name>Apache-2.0</name>
+        </license>
+    </licenses>
+
+    <developers>
+        <developer>
+            <name>Fabian Meumertzheim</name>
+        </developer>
+        <developer>
+            <name>Norbert Schneider</name>
+        </developer>
+        <developer>
+            <name>Khaled Yakdan</name>
+        </developer>
+        <developer>
+            <name>Peter Samarin</name>
+        </developer>
+    </developers>
 </project>
diff --git a/deploy/jazzer-api_artifact_test.sh b/deploy/jazzer-api_artifact_test.sh
@@ -27,6 +27,9 @@ JAR="$2/bin/jar"
     -e '^com/code_intelligence/$' \
     -e '^com/code_intelligence/jazzer/$' \
     -e '^com/code_intelligence/jazzer/api/' \
+    -e '^com/code_intelligence/jazzer/mutation/$' \
+    -e '^com/code_intelligence/jazzer/mutation/annotation/' \
+    -e '^com/code_intelligence/jazzer/mutation/utils/' \
     -e '^jaz/' \
     -e '^META-INF/$' \
     -e '^META-INF/MANIFEST.MF$'
diff --git a/deploy/jazzer-junit.pom b/deploy/jazzer-junit.pom
@@ -37,4 +37,25 @@
     <scm>
         <url>https://github.com/CodeIntelligenceTesting/jazzer</url>
     </scm>
+
+    <licenses>
+        <license>
+            <name>Apache-2.0</name>
+        </license>
+    </licenses>
+
+    <developers>
+        <developer>
+            <name>Fabian Meumertzheim</name>
+        </developer>
+        <developer>
+            <name>Norbert Schneider</name>
+        </developer>
+        <developer>
+            <name>Khaled Yakdan</name>
+        </developer>
+        <developer>
+            <name>Peter Samarin</name>
+        </developer>
+    </developers>
 </project>
diff --git a/deploy/jazzer.pom b/deploy/jazzer.pom
@@ -37,4 +37,25 @@
     <scm>
         <url>https://github.com/CodeIntelligenceTesting/jazzer</url>
     </scm>
+
+    <licenses>
+        <license>
+            <name>Apache-2.0</name>
+        </license>
+    </licenses>
+
+    <developers>
+        <developer>
+            <name>Fabian Meumertzheim</name>
+        </developer>
+        <developer>
+            <name>Norbert Schneider</name>
+        </developer>
+        <developer>
+            <name>Khaled Yakdan</name>
+        </developer>
+        <developer>
+            <name>Peter Samarin</name>
+        </developer>
+    </developers>
 </project>
diff --git a/examples/src/main/java/com/example/ExampleKotlinFuzzer.kt b/examples/src/main/java/com/example/ExampleKotlinFuzzer.kt
@@ -20,13 +20,16 @@ import com.code_intelligence.jazzer.api.FuzzedDataProvider
 import com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium
 
 object ExampleKotlinFuzzer {
-
     @JvmStatic
     fun fuzzerTestOneInput(data: FuzzedDataProvider) {
         exploreMe(data.consumeString(8), data.consumeInt(), data.consumeRemainingAsString())
     }
 
-    private fun exploreMe(prefix: String, n: Int, suffix: String) {
+    private fun exploreMe(
+        prefix: String,
+        n: Int,
+        suffix: String,
+    ) {
         if (prefix.findAnyOf(arrayListOf("Fuzz", "Test")) != null) {
             if (n >= 2000000) {
                 if (suffix.startsWith("@")) {

diff --git a/examples/src/main/java/com/example/ExampleKotlinValueProfileFuzzer.kt b/examples/src/main/java/com/example/ExampleKotlinValueProfileFuzzer.kt
@@ -20,7 +20,6 @@ import com.code_intelligence.jazzer.api.FuzzedDataProvider
 import com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium
 
 object ExampleKotlinValueProfileFuzzer {
-
     @JvmStatic
     fun fuzzerTestOneInput(data: FuzzedDataProvider) {
         if (data.consumeInt().compareTo(0x11223344) != 0) {
@@ -33,7 +32,5 @@ object ExampleKotlinValueProfileFuzzer {
         }
     }
 
-    private fun encrypt(n: Long): Long {
-        return n.xor(0x1122334455667788)
-    }
+    private fun encrypt(n: Long): Long = n.xor(0x1122334455667788)
 }
diff --git a/examples/src/main/java/com/example/KlaxonFuzzer.kt b/examples/src/main/java/com/example/KlaxonFuzzer.kt
@@ -22,7 +22,6 @@ import com.code_intelligence.jazzer.api.FuzzedDataProvider
 
 // Reproduces https://github.com/cbeust/klaxon/pull/330
 object KlaxonFuzzer {
-
     @JvmStatic
     fun fuzzerTestOneInput(data: FuzzedDataProvider) {
         try {

diff --git a/format.sh b/format.sh
@@ -35,9 +35,9 @@ if [[ "${CI:-0}" == 0 ]]; then
     # Check which ktlint_tests failed and run the corresponding fix targets. This is much faster than
     # running all ktlint_fix targets when e.g. only a few or no .kt files changed.
     # shellcheck disable=SC2046
-    TARGETS_TO_RUN=$(bazel test --config=quiet $(bazel query --config=quiet 'kind(ktlint_test, //...)') | { grep FAILED || true; } | cut -f1 -d' ' | sed -e 's/:ktlint_test/:ktlint_fix/g')
+    TARGETS_TO_RUN=$(bazel test --config=quiet $(bazel query --config=quiet 'kind(ktlint_test, //...)') | { grep FAILED || true; } | cut -f1 -d' ' | sed -e 's/:ktlint_test/:ktlint_fix/g' || true)
     if [[ -n "${TARGETS_TO_RUN}" ]]; then
-        echo "$TARGETS_TO_RUN" | xargs -n 1 bazel run --config=quiet
+        echo "$TARGETS_TO_RUN" | xargs -I '{}' -n 1 bazel run --config=quiet {} -- --format
     fi
 
     # BUILD files

diff --git a/sanitizers/sanitizers.bzl b/sanitizers/sanitizers.bzl
@@ -21,6 +21,7 @@ _sanitizer_class_names = [
     "ClojureLangHooks",
     "Deserialization",
     "ExpressionLanguageInjection",
+    "FilePathTraversal",
     "LdapInjection",
     "NamingContextLookup",
     "OsCommandInjection",

diff --git a/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/BUILD.bazel b/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/BUILD.bazel
@@ -9,6 +9,12 @@ java_library(
     deps = ["//src/main/java/com/code_intelligence/jazzer/api:hooks"],
 )
 
+java_library(
+    name = "file_path_traversal",
+    srcs = ["FilePathTraversal.java"],
+    deps = ["//src/main/java/com/code_intelligence/jazzer/api:hooks"],
+)
+
 java_library(
     name = "regex_roadblocks",
     srcs = ["RegexRoadblocks.java"],
@@ -58,6 +64,7 @@ kt_jvm_library(
     visibility = ["//sanitizers:__pkg__"],
     runtime_deps = [
         ":clojure_lang_hooks",
+        ":file_path_traversal",
         ":regex_roadblocks",
         ":script_engine_injection",
         ":server_side_request_forgery",

diff --git a/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/Deserialization.kt b/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/Deserialization.kt
@@ -33,7 +33,6 @@ import java.util.WeakHashMap
  */
 @Suppress("unused_parameter", "unused")
 object Deserialization {
-
     private val OBJECT_INPUT_STREAM_HEADER =
         ObjectStreamConstants.STREAM_MAGIC.toBytes() + ObjectStreamConstants.STREAM_VERSION.toBytes()
 
@@ -88,13 +87,19 @@ object Deserialization {
         targetMethodDescriptor = "(Ljava/io/InputStream;)V",
     )
     @JvmStatic
-    fun objectInputStreamInitBeforeHook(method: MethodHandle?, alwaysNull: Any?, args: Array<Any?>, hookId: Int) {
+    fun objectInputStreamInitBeforeHook(
+        method: MethodHandle?,
+        alwaysNull: Any?,
+        args: Array<Any?>,
+        hookId: Int,
+    ) {
         val originalInputStream = args[0] as? InputStream ?: return
-        val fixedInputStream = if (originalInputStream.markSupported()) {
-            originalInputStream
-        } else {
-            BufferedInputStream(originalInputStream)
-        }
+        val fixedInputStream =
+            if (originalInputStream.markSupported()) {
+                originalInputStream
+            } else {
+                BufferedInputStream(originalInputStream)
+            }
         args[0] = fixedInputStream
         guideMarkableInputStreamTowardsEquality(fixedInputStream, OBJECT_INPUT_STREAM_HEADER, hookId)
     }
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,6 +2,9 @@ name: Release @@
     on:
       workflow_dispatch:
+      release:
+        types: [released]
     jobs:
@@ Expand Down @@