oss-fuzz/projects/json-sanitizer/DenylistFuzzer.java

// Copyright 2021 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
////////////////////////////////////////////////////////////////////////////////

import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh;
import com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium;
import com.google.json.JsonSanitizer;

public class DenylistFuzzer {
  public static void fuzzerTestOneInput(FuzzedDataProvider data) {
    String input = data.consumeRemainingAsString();
    String output;
    try {
      output = JsonSanitizer.sanitize(input, 10);
    } catch (ArrayIndexOutOfBoundsException e) {
      // ArrayIndexOutOfBoundsException is expected if nesting depth is
      // exceeded.
      return;
    }

    // Check for forbidden substrings. As these would enable Cross-Site
    // Scripting, treat every finding as a high severity vulnerability.
    assert !output.contains("</script")
        : new FuzzerSecurityIssueHigh("Output contains </script");
    assert !output.contains("]]>")
        : new FuzzerSecurityIssueHigh("Output contains ]]>");

    // Check for more forbidden substrings. As these would not directly enable
    // Cross-Site Scripting in general, but may impact script execution on the
    // embedding page, treat each finding as a medium severity vulnerability.
    assert !output.contains("<script")
        : new FuzzerSecurityIssueMedium("Output contains <script");
    assert !output.contains("<!--")
        : new FuzzerSecurityIssueMedium("Output contains <!--");
  }
}
[jazzer][json-sanitizer] Add json-sanitizer as the first JVM project (#5186) json-sanitizer uses Maven and has no native dependencies. The build file is loosely divided into two parts. The first part is project-specific, the second one can serve as a template for JVM fuzz targets without native dependencies. The following three fuzz targets are added to OSS-Fuzz and can later be moved into the json-sanitizer tree: * DenylistFuzzer verifies that the output of json-sanitizer never contains certain substrings that can lead to HTML or XML injections. * IdempotenceFuzzer verifies that json-sanitizer is idempotent. * ValidJsonFuzzer verifies that the output of json-sanitizer is valid JSON by passing it into gson. 2021-02-16 18:13:29 +00:00			`// Copyright 2021 Google LLC`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`
			`//`
			`////////////////////////////////////////////////////////////////////////////////`

			`import com.code_intelligence.jazzer.api.FuzzedDataProvider;`
[json-sanitizer] Add severity markup (#5350) Annotates the findings of the various json-sanitizer fuzzers with severities as follows: * XSS: High * Comment injection: Medium * Invalid JSON: Low * Failure to be idempotent: Not a security issue * Undeclared exceptions: Not a security issue This commit takes advantage of the support for severity markers in stack traces introduced in https://github.com/google/clusterfuzz/pull/2270. 2021-03-10 21:28:02 +00:00			`import com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh;`
			`import com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium;`
[jazzer][json-sanitizer] Add json-sanitizer as the first JVM project (#5186) json-sanitizer uses Maven and has no native dependencies. The build file is loosely divided into two parts. The first part is project-specific, the second one can serve as a template for JVM fuzz targets without native dependencies. The following three fuzz targets are added to OSS-Fuzz and can later be moved into the json-sanitizer tree: * DenylistFuzzer verifies that the output of json-sanitizer never contains certain substrings that can lead to HTML or XML injections. * IdempotenceFuzzer verifies that json-sanitizer is idempotent. * ValidJsonFuzzer verifies that the output of json-sanitizer is valid JSON by passing it into gson. 2021-02-16 18:13:29 +00:00			`import com.google.json.JsonSanitizer;`

			`public class DenylistFuzzer {`
[jazzer] Migrate projects to new void fuzzerTestOneInput (#5251) Jazzer has made fuzzerTestOneInput return void instead of boolean. This commit adapts the existing Jazzer fuzz targets to this change. Previously, returning true from a fuzz target would be recorded as a crash. However, since there is no stack trace in that case, such crashes cause issues with deduplication. Additionally, the behavior is easy to replicate with assert or a an if with a throw statement. 2021-02-24 16:33:58 +00:00			`public static void fuzzerTestOneInput(FuzzedDataProvider data) {`
[jazzer][json-sanitizer] Add json-sanitizer as the first JVM project (#5186) json-sanitizer uses Maven and has no native dependencies. The build file is loosely divided into two parts. The first part is project-specific, the second one can serve as a template for JVM fuzz targets without native dependencies. The following three fuzz targets are added to OSS-Fuzz and can later be moved into the json-sanitizer tree: * DenylistFuzzer verifies that the output of json-sanitizer never contains certain substrings that can lead to HTML or XML injections. * IdempotenceFuzzer verifies that json-sanitizer is idempotent. * ValidJsonFuzzer verifies that the output of json-sanitizer is valid JSON by passing it into gson. 2021-02-16 18:13:29 +00:00			`String input = data.consumeRemainingAsString();`
			`String output;`
			`try {`
			`output = JsonSanitizer.sanitize(input, 10);`
			`} catch (ArrayIndexOutOfBoundsException e) {`
			`// ArrayIndexOutOfBoundsException is expected if nesting depth is`
			`// exceeded.`
[jazzer] Migrate projects to new void fuzzerTestOneInput (#5251) Jazzer has made fuzzerTestOneInput return void instead of boolean. This commit adapts the existing Jazzer fuzz targets to this change. Previously, returning true from a fuzz target would be recorded as a crash. However, since there is no stack trace in that case, such crashes cause issues with deduplication. Additionally, the behavior is easy to replicate with assert or a an if with a throw statement. 2021-02-24 16:33:58 +00:00			`return;`
[jazzer][json-sanitizer] Add json-sanitizer as the first JVM project (#5186) json-sanitizer uses Maven and has no native dependencies. The build file is loosely divided into two parts. The first part is project-specific, the second one can serve as a template for JVM fuzz targets without native dependencies. The following three fuzz targets are added to OSS-Fuzz and can later be moved into the json-sanitizer tree: * DenylistFuzzer verifies that the output of json-sanitizer never contains certain substrings that can lead to HTML or XML injections. * IdempotenceFuzzer verifies that json-sanitizer is idempotent. * ValidJsonFuzzer verifies that the output of json-sanitizer is valid JSON by passing it into gson. 2021-02-16 18:13:29 +00:00			`}`
[json-sanitizer] Add severity markup (#5350) Annotates the findings of the various json-sanitizer fuzzers with severities as follows: * XSS: High * Comment injection: Medium * Invalid JSON: Low * Failure to be idempotent: Not a security issue * Undeclared exceptions: Not a security issue This commit takes advantage of the support for severity markers in stack traces introduced in https://github.com/google/clusterfuzz/pull/2270. 2021-03-10 21:28:02 +00:00
			`// Check for forbidden substrings. As these would enable Cross-Site`
			`// Scripting, treat every finding as a high severity vulnerability.`
			`assert !output.contains("</script")`
			`: new FuzzerSecurityIssueHigh("Output contains </script");`
			`assert !output.contains("]]>")`
			`: new FuzzerSecurityIssueHigh("Output contains ]]>");`

			`// Check for more forbidden substrings. As these would not directly enable`
			`// Cross-Site Scripting in general, but may impact script execution on the`
			`// embedding page, treat each finding as a medium severity vulnerability.`
			`assert !output.contains("<script")`
			`: new FuzzerSecurityIssueMedium("Output contains <script");`
			`assert !output.contains("<!--")`
			`: new FuzzerSecurityIssueMedium("Output contains <!--");`
[jazzer][json-sanitizer] Add json-sanitizer as the first JVM project (#5186) json-sanitizer uses Maven and has no native dependencies. The build file is loosely divided into two parts. The first part is project-specific, the second one can serve as a template for JVM fuzz targets without native dependencies. The following three fuzz targets are added to OSS-Fuzz and can later be moved into the json-sanitizer tree: * DenylistFuzzer verifies that the output of json-sanitizer never contains certain substrings that can lead to HTML or XML injections. * IdempotenceFuzzer verifies that json-sanitizer is idempotent. * ValidJsonFuzzer verifies that the output of json-sanitizer is valid JSON by passing it into gson. 2021-02-16 18:13:29 +00:00			`}`
			`}`