From 8e8c969c3c9f7f428aa94ddf4eb276d15217d274 Mon Sep 17 00:00:00 2001
From: Arthur Chan
Date: Wed, 26 Jul 2023 18:11:53 +0100
Subject: [PATCH] java-xmlbuilder: initial integration (#10750)
Initial integration for project java-xmlbuilder.
Signed-off-by: Arthur Chan
---
projects/java-xmlbuilder/Dockerfile | 25 ++++++
.../java-xmlbuilder/XmlBuilderFuzzer.java | 79 +++++++++++++++++++
projects/java-xmlbuilder/build.sh | 63 +++++++++++++++
projects/java-xmlbuilder/project.yaml | 11 +++
4 files changed, 178 insertions(+)
create mode 100644 projects/java-xmlbuilder/Dockerfile
create mode 100644 projects/java-xmlbuilder/XmlBuilderFuzzer.java
create mode 100644 projects/java-xmlbuilder/build.sh
create mode 100644 projects/java-xmlbuilder/project.yaml
diff --git a/projects/java-xmlbuilder/Dockerfile b/projects/java-xmlbuilder/Dockerfile
new file mode 100644
index 000000000000..d72b260f05a4
--- /dev/null
+++ b/projects/java-xmlbuilder/Dockerfile
@@ -0,0 +1,25 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+##########################################################################
+FROM gcr.io/oss-fuzz-base/base-builder-jvm
+RUN curl -L https://archive.apache.org/dist/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.zip \
+ -o maven.zip && \
+ unzip maven.zip -d $SRC/maven && \
+ rm maven.zip
+ENV MVN $SRC/maven/apache-maven-3.6.3/bin/mvn
+RUN git clone --depth 1 https://github.com/google/AFL afl
+RUN git clone --depth 1 https://github.com/jmurty/java-xmlbuilder java-xmlbuilder
+COPY build.sh *.java $SRC/
+WORKDIR $SRC/java-xmlbuilder
diff --git a/projects/java-xmlbuilder/XmlBuilderFuzzer.java b/projects/java-xmlbuilder/XmlBuilderFuzzer.java
new file mode 100644
index 000000000000..12bc507b6d3d
--- /dev/null
+++ b/projects/java-xmlbuilder/XmlBuilderFuzzer.java
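Review bot: The Maven archive fetched with `curl -L` in the first RUN line is unpacked and installed as `$MVN` without any integrity check, so whatever that URL returns becomes the build tool for every subsequent build of this project. The archive directory publishes a `.sha512` checksum file alongside the zip; downloading it next to `maven.zip` and running `sha512sum -c` against it before the `unzip` pins the download to the expected contents. The two `git clone --depth 1` lines are similarly unpinned, which is presumably the intended behaviour for the project under test, but the `AFL` clone appears to exist only to provide `dictionaries/xml.dict` to build.sh and deserves a comment saying so, e.g. `# AFL is cloned only for dictionaries/xml.dict, copied by build.sh.`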
@@ -0,0 +1,79 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+///////////////////////////////////////////////////////////////////////////
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+import com.jamesmurty.utils.XMLBuilder;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.xpath.XPathExpressionException;
+import org.w3c.dom.DOMException;
+
+public class XmlBuilderFuzzer {
+ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+ try {
+ int[] choices = data.consumeInts(data.consumeInt(1, 10));
+ XMLBuilder builder = XMLBuilder.create(data.consumeString(data.remainingBytes() / 2));
+
+ for (Integer choice : choices) {
+ switch (choice % 13) {
+ case 0:
+ builder = builder.stripWhitespaceOnlyTextNodes();
+ break;
+ case 1:
+ builder = builder.up(data.consumeInt());
+ break;
+ case 2:
+ builder = builder.elem(data.consumeRemainingAsString());
+ break;
+ case 3:
+ builder = builder.elementBefore(data.consumeRemainingAsString());
+ break;
+ case 4:
+ builder = builder.attr(
+ data.consumeString(data.remainingBytes() / 2), data.consumeRemainingAsString());
+ break;
+ case 5:
+ builder = builder.text(data.consumeRemainingAsString());
+ break;
+ case 6:
+ builder = builder.data(data.consumeRemainingAsString());
+ break;
+ case 7:
+ builder = builder.data(data.consumeRemainingAsBytes());
+ break;
+ case 8:
+ builder = builder.cmnt(data.consumeRemainingAsString());
+ break;
+ case 9:
+ builder = builder.inst(
+ data.consumeString(data.remainingBytes() / 2), data.consumeRemainingAsString());
+ break;
+ case 10:
+ builder = builder.insertInstruction(
+ data.consumeString(data.remainingBytes() / 2), data.consumeRemainingAsString());
+ break;
+ case 11:
+ builder = builder.ref(data.consumeRemainingAsString());
+ break;
+ case 12:
+ builder = builder.ns(data.consumeRemainingAsString());
+ break;
+ }
+ }
+ } catch (ParserConfigurationException | XPathExpressionException | DOMException
+ | IllegalStateException e) {
+ // Known exception
+ }
+ }
+}
diff --git a/projects/java-xmlbuilder/build.sh b/projects/java-xmlbuilder/build.sh
new file mode 100644
index 000000000000..9c4e25c6c229
--- /dev/null
+++ b/projects/java-xmlbuilder/build.sh
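Review bot: `switch (choice % 13)` never reaches cases 1–12 for a negative `choice`, because Java's `%` keeps the sign of the dividend, so roughly half of the values produced by `consumeInts` fall through the switch without exercising any builder method; `switch (Math.floorMod(choice, 13))` maps every value onto 0–12. Separately, every case except 0 and 1 calls `consumeRemainingAsString()` or `consumeRemainingAsBytes()`, so after the first such case all later iterations of the loop receive empty input and the multi-step sequences the `choices` array is meant to drive are mostly degenerate; bounding each argument, e.g. `data.consumeString(64)`, would let later steps see data. The loop variable should also be `int choice` rather than boxing each element of the `int[]`. The whole of fuzzerTestOneInput lies inside this hunk.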
@@ -0,0 +1,63 @@
+#!/bin/bash -eu
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+##########################################################################
+$MVN clean package -Dmaven.javadoc.skip=true -DskipTests=true -Dpmd.skip=true \
+ -Dencoding=UTF-8 -Dmaven.antrun.skip=true -Dcheckstyle.skip=true \
+ -Denforcer.fail=false org.apache.maven.plugins:maven-shade-plugin:3.2.4:shade
+CURRENT_VERSION=$($MVN org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate \
+ -Dexpression=project.version -q -DforceStdout)
+
+cp "target/java-xmlbuilder-$CURRENT_VERSION.jar" $OUT/java-xmlbuilder.jar
+
+ALL_JARS="java-xmlbuilder.jar"
+
+# The classpath at build-time includes the project jars in $OUT as well as the
+# Jazzer API.
+BUILD_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "$OUT/%s:"):$JAZZER_API_PATH
+
+# All .jar and .class files lie in the same directory as the fuzzer at runtime.
+RUNTIME_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "\$this_dir/%s:"):\$this_dir
+
+for fuzzer in $(find $SRC -name '*Fuzzer.java')
+do
+ fuzzer_basename=$(basename -s .java $fuzzer)
+ javac -cp $BUILD_CLASSPATH $fuzzer
+ cp $SRC/$fuzzer_basename.class $OUT/
+
+ # Create an execution wrapper that executes Jazzer with the correct arguments.
+ echo "#!/bin/bash
+
+ # LLVMFuzzerTestOneInput for fuzzer detection.
+ this_dir=\$(dirname "\$0")
+ if [[ "\$@" =~ (^| )-runs=[0-9]+($| ) ]]
+ then
+ mem_settings='-Xmx1900m:-Xss900k'
+ else
+ mem_settings='-Xmx2048m:-Xss1024k'
+ fi
+
+ LD_LIBRARY_PATH="$JVM_LD_LIBRARY_PATH":\$this_dir \
+ \$this_dir/jazzer_driver \
+ --agent_path=\$this_dir/jazzer_agent_deploy.jar \
+ --cp=$RUNTIME_CLASSPATH \
+ --target_class=$fuzzer_basename \
+ --jvm_args="\$mem_settings" \
+ \$@" > $OUT/$fuzzer_basename
+
+ chmod u+x $OUT/$fuzzer_basename
+done
+
+cp $SRC/afl/dictionaries/xml.dict $OUT/XmlBuilderFuzzer.dict
diff --git a/projects/java-xmlbuilder/project.yaml b/projects/java-xmlbuilder/project.yaml
new file mode 100644
index 000000000000..7096a65cf5d1
--- /dev/null
+++ b/projects/java-xmlbuilder/project.yaml
@@ -0,0 +1,11 @@
+homepage: https://github.com/jmurty/java-xmlbuilder
+main_repo: https://github.com/jmurty/java-xmlbuilder
+language: jvm
+fuzzing_engines:
+- libfuzzer
+sanitizers:
+- address
+vendor_ccs:
+- david@adalogics.com
+- adam@adalogics.com
+- arthur.chan@adalogics.com
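Review bot: `find $SRC -name '*Fuzzer.java'` searches recursively, so it would also pick up any matching file inside the cloned `java-xmlbuilder` or `afl` trees (both presumably checked out under `$SRC`), and because `javac` is run without `-d` the class file lands next to that source rather than at the `$SRC/$fuzzer_basename.class` path the following `cp` expects, which would abort the build under `-eu`. Restricting the search to the directory the Dockerfile copies the fuzzer into, `for fuzzer in $(find $SRC -maxdepth 1 -name '*Fuzzer.java')`, and compiling with `javac -cp $BUILD_CLASSPATH -d $OUT $fuzzer` removes both the assumption and the separate copy step. The final `cp $SRC/afl/dictionaries/xml.dict $OUT/XmlBuilderFuzzer.dict` is hard-coded to one fuzzer name while the loop above is generic; a comment such as `# Dictionary for XmlBuilderFuzzer only; add one per fuzzer if more are introduced.` would make that deliberate.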