From 0ad4a86f21b009159bf9245d03ce7189dba95a7f Mon Sep 17 00:00:00 2001
From: aschaich <108736614+aschaich@users.noreply.github.com>
Date: Thu, 2 Feb 2023 00:11:37 +0900
Subject: [PATCH] [jstl-api] Initial Integration for jstl-api (#9550)
---
projects/jstl-api/0001-support-new-jdk.patch | 12 +++
...void-ConcurrentModificationException.patch | 12 +++
projects/jstl-api/Dockerfile | 59 ++++++++++++
projects/jstl-api/build.sh | 92 ++++++++++++++++++
projects/jstl-api/jstl-api-fuzzer/pom.xml | 95 +++++++++++++++++++
.../jakarta/servlet/jsp/ParserFuzzer.java | 31 ++++++
projects/jstl-api/maven-settings.xml | 3 +
projects/jstl-api/project.yaml | 15 +++
8 files changed, 319 insertions(+)
create mode 100644 projects/jstl-api/0001-support-new-jdk.patch
create mode 100644 projects/jstl-api/0002-avoid-ConcurrentModificationException.patch
create mode 100644 projects/jstl-api/Dockerfile
create mode 100644 projects/jstl-api/build.sh
create mode 100644 projects/jstl-api/jstl-api-fuzzer/pom.xml
create mode 100644 projects/jstl-api/jstl-api-fuzzer/src/main/java/jakarta/servlet/jsp/ParserFuzzer.java
create mode 100644 projects/jstl-api/maven-settings.xml
create mode 100644 projects/jstl-api/project.yaml
diff --git a/projects/jstl-api/0001-support-new-jdk.patch b/projects/jstl-api/0001-support-new-jdk.patch
new file mode 100644
index 000000000..b711965cc
--- /dev/null
+++ b/projects/jstl-api/0001-support-new-jdk.patch
@@ -0,0 +1,12 @@
+diff --git a/jaxrpc-ri/pom.xml b/jaxrpc-ri/pom.xml
+--- a/jaxrpc-ri/pom.xml
++++ b/jaxrpc-ri/pom.xml
+@@ -49,6 +49,8 @@
+ 1.2.16
+ 1.4.2
+ 1.9.13
++ 1.8
++ 1.8
+
+ ${maven.multiModuleProjectDirectory}/..
+
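Review bot: Both patch files target `jaxrpc-ri/pom.xml`, a path that does not exist in the eclipse-ee4j/jstl-api checkout the Dockerfile clones, so `git apply` would fail on the first one if they were ever enabled; they look carried over from a jaxrpc-ri integration. The Dockerfile leaves the `ADD *.patch` / `git apply` lines commented out, which makes both files dead weight that will confuse the next person touching this project. Either drop both patch files, or rebase them on jstl-api's own pom.xml and re-enable the apply loop. The second file's name ("avoid-ConcurrentModificationException") does not describe its content (a maven-bundle-plugin bump from 4.2.1 to 5.1.8); if it is kept, a one-line header in the patch saying why the bump avoids the exception would help.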
diff --git a/projects/jstl-api/0002-avoid-ConcurrentModificationException.patch b/projects/jstl-api/0002-avoid-ConcurrentModificationException.patch
new file mode 100644
index 000000000..37c38251e
--- /dev/null
+++ b/projects/jstl-api/0002-avoid-ConcurrentModificationException.patch
@@ -0,0 +1,12 @@
+diff --git a/jaxrpc-ri/pom.xml b/jaxrpc-ri/pom.xml
+--- a/jaxrpc-ri/pom.xml
++++ b/jaxrpc-ri/pom.xml
+@@ -147,7 +149,7 @@
+
+ org.apache.felix
+ maven-bundle-plugin
+- 4.2.1
++ 5.1.8
+
+
+ <_removeheaders>Bnd-LastModified,Build-Jdk,Built-By,Include-Resource
diff --git a/projects/jstl-api/Dockerfile b/projects/jstl-api/Dockerfile
new file mode 100644
index 000000000..36c7e3004
--- /dev/null
+++ b/projects/jstl-api/Dockerfile
@@ -0,0 +1,59 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder-jvm
+
+#
+# install maven configuration, which is also used by gradles's publishToMavenLocal
+#
+ADD maven-settings.xml ${SRC}/
+RUN apt-get install -y xmlstarlet
+RUN mkdir -p ~/.m2 && \
+ xmlstarlet ed \
+ -u "settings/localRepository" -v "${OUT}/m2/repository" \
+ < ${SRC}/maven-settings.xml > ~/.m2/settings.xml
+
+#
+# install maven and gradle
+#
+RUN curl -L https://downloads.apache.org/maven/maven-3/3.8.7/binaries/apache-maven-3.8.7-bin.zip -o maven.zip && \
+ unzip maven.zip -d $SRC/maven-3.8.7 && \
+ rm -rf maven.zip
+
+ENV MVN $SRC/maven-3.8.7/apache-maven-3.8.7/bin/mvn
+
+RUN curl -L https://services.gradle.org/distributions/gradle-7.6-bin.zip -o gradle.zip && \
+ unzip gradle.zip -d $SRC/gradle && \
+ rm -rf gradle.zip
+
+ENV GRADLE $SRC/gradle/gradle-7.6/bin/gradle
+
+ENV LIBRARY_NAME jstl-api
+WORKDIR ${SRC}
+#
+# clone repository
+#
+RUN git clone https://github.com/eclipse-ee4j/jstl-api.git ${LIBRARY_NAME}
+
+#
+# apply fixes
+#
+#ADD *.patch ${SRC}/
+#RUN cd ${SRC}/${LIBRARY_NAME} && (for i in ${SRC}/*.patch; do tr -d '\015' < $i | git apply -v; done )
+
+ADD build.sh ${SRC}/
+ADD ${LIBRARY_NAME}-fuzzer ${SRC}/${LIBRARY_NAME}-fuzzer/
+WORKDIR ${SRC}/${LIBRARY_NAME}
\ No newline at end of file
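Review bot: The Maven and Gradle archives at lines 96 and 102 are fetched with `curl -L` and unpacked with no integrity check, so a compromised or intercepted download would put an attacker-controlled build tool into the image that then builds the fuzzer; both Apache (`.sha512`) and Gradle (`.sha256`) publish checksums beside the archives. Pin them, e.g. `curl -fsSL https://downloads.apache.org/maven/maven-3/3.8.7/binaries/apache-maven-3.8.7-bin.zip -o maven.zip && echo "<sha512 from downloads.apache.org>  maven.zip" | sha512sum -c -`, and the `-f` also stops an HTTP error page from being saved and passed to unzip. Gradle is downloaded and exported as `$GRADLE` but nothing in build.sh invokes it, so that download and the `publishToMavenLocal` remark at line 84 can go. `apt-get install -y xmlstarlet` at line 87 runs without a preceding `apt-get update`; if base-builder-jvm does not retain its package lists this fails, and `apt-get update && apt-get install -y xmlstarlet` is the safe form. The commented-out patch application at lines 118-119 is consistent with the patch files targeting a path that is absent from this repository, but the files should then be removed rather than shipped unused.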
diff --git a/projects/jstl-api/build.sh b/projects/jstl-api/build.sh
new file mode 100644
index 000000000..477ba4cc9
--- /dev/null
+++ b/projects/jstl-api/build.sh
@@ -0,0 +1,92 @@
+#!/bin/bash -eu
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+SRC_SUBDIR=""
+MVN_FLAGS="-Djavac.src.version=15 -Djavac.target.version=15 -DskipTests"
+ALL_JARS=""
+
+# Install the build servers' jazzer-api into the maven repository.
+pushd "/tmp"
+ ${MVN} install:install-file -Dfile=${JAZZER_API_PATH} \
+ -DgroupId="com.code-intelligence" \
+ -DartifactId="jazzer-api" \
+ -Dversion="0.14.0" \
+ -Dpackaging=jar
+popd
+
+pushd "${SRC}/${LIBRARY_NAME}/${SRC_SUBDIR}"
+ ${MVN} install ${MVN_FLAGS}
+ CURRENT_VERSION=$(${MVN} org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout)
+popd
+
+#this package uses multiple versions [...]
+pushd "${SRC}/${LIBRARY_NAME}/api"
+ CURRENT_VERSION_API=$(${MVN} org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout)
+popd
+pushd "${SRC}/${LIBRARY_NAME}/impl"
+ CURRENT_VERSION_IMPL=$(${MVN} org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout)
+popd
+
+pushd "${SRC}/${LIBRARY_NAME}-fuzzer"
+ ${MVN} package -DfuzzedLibaryVersion="${CURRENT_VERSION}" \
+ -DapiVersion="${CURRENT_VERSION_API}" \
+ -DimplVersion="${CURRENT_VERSION_IMPL}" \
+ ${MVN_FLAGS}
+ install -v target/${LIBRARY_NAME}-fuzzer-${CURRENT_VERSION}.jar ${OUT}/${LIBRARY_NAME}-fuzzer-${CURRENT_VERSION}.jar
+ ALL_JARS="${ALL_JARS} ${LIBRARY_NAME}-fuzzer-${CURRENT_VERSION}.jar"
+popd
+
+
+
+# The classpath at build-time includes the project jars in $OUT as well as the
+# Jazzer API.
+BUILD_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "$OUT/%s:"):$JAZZER_API_PATH
+
+# All .jar and .class files lie in the same directory as the fuzzer at runtime.
+RUNTIME_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "\$this_dir/%s:"):\$this_dir
+
+MVN_FUZZERS_PREFIX="src/main/java"
+
+for fuzzer in $(find ${SRC} -name '*Fuzzer.java'); do
+ # Find our fuzzer inside the maven structure
+ stripped_path=$(echo ${fuzzer} | sed \
+ -e 's|^.*src/main/java/\(.*\).java$|\1|' \
+ -e 's|^.*src/test/java/\(.*\).java$|\1|' \
+ );
+ # The .java suffix was stripped by sed.
+ if (echo ${stripped_path} | grep ".java$"); then
+ continue;
+ fi
+
+ fuzzer_basename=$(basename -s .java $fuzzer)
+ fuzzer_classname=$(echo ${stripped_path} | sed 's|/|.|g');
+
+ # Create an execution wrapper that executes Jazzer with the correct arguments.
+
+ echo "#!/bin/sh
+# LLVMFuzzerTestOneInput Magic String required for infra/base-images/base-runner/test_all.py. DO NOT REMOVE
+
+
+this_dir=\$(dirname \"\$0\")
+LD_LIBRARY_PATH=\"\$JVM_LD_LIBRARY_PATH\":\$this_dir \
+\$this_dir/jazzer_driver --agent_path=\$this_dir/jazzer_agent_deploy.jar \
+--cp=${RUNTIME_CLASSPATH} \
+--target_class=${fuzzer_classname} \
+--jvm_args=\"-Xmx2048m\" \
+\$@" > $OUT/${fuzzer_basename}
+ chmod u+x $OUT/${fuzzer_basename}
+done
\ No newline at end of file
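Review bot: The loop at line 194 runs `find ${SRC} -name '*Fuzzer.java'` over the whole source tree, so any file with that suffix inside the cloned jstl-api repository or the unpacked Maven/Gradle distributions would get a launcher in `$OUT` for a class that is not on the fuzzer classpath; restrict it to the fuzzer module, `for fuzzer in $(find "${SRC}/${LIBRARY_NAME}-fuzzer" -name '*Fuzzer.java'); do`, which also lets the unused `MVN_FUZZERS_PREFIX` at line 192 be deleted. In the generated wrapper, `\$@` at line 220 is unquoted, so launcher arguments containing spaces are re-split before reaching jazzer_driver; write `\"\$@\"` so the wrapper ends in `"$@"`. The `-Dversion="0.14.0"` at line 157 labels whatever jar `$JAZZER_API_PATH` points to as 0.14.0 regardless of the Jazzer actually present in the base image, which works only while the pom pins the same version; a comment such as `# version must match the jazzer-api pin in jstl-api-fuzzer/pom.xml` would keep the two from drifting apart.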
diff --git a/projects/jstl-api/jstl-api-fuzzer/pom.xml b/projects/jstl-api/jstl-api-fuzzer/pom.xml
new file mode 100644
index 000000000..939589ddc
--- /dev/null
+++ b/projects/jstl-api/jstl-api-fuzzer/pom.xml
@@ -0,0 +1,95 @@
+
+ 4.0.0
+
+ ossfuzz
+ jstl-api-fuzzer
+ ${fuzzedLibaryVersion}
+ jar
+
+
+ 15
+ 15
+ UTF-8
+ 3.0.0
+ com.sun.xml.rpc.processor.modeler.rmi.SOAPSimpleTypeCreatorFuzzer
+
+
+
+
+
+
+
+ com.code-intelligence
+ jazzer-api
+ 0.14.0
+
+
+ jakarta.servlet.jsp.jstl
+ jakarta.servlet.jsp.jstl-api
+ ${apiVersion}
+
+
+ org.glassfish.web
+ jakarta.servlet.jsp.jstl
+ ${implVersion}
+
+
+
+
+ jakarta.servlet
+ jakarta.servlet-api
+ 6.0.0
+
+
+ jakarta.servlet.jsp
+ jakarta.servlet.jsp-api
+ 3.1.0
+
+
+ jakarta.el
+ jakarta.el-api
+ 5.0.0
+
+
+
+
+
+
+ org.apache.maven.plugins
+ maven-shade-plugin
+ 3.3.0
+
+
+
+ *:*
+
+ META-INF/*.SF
+ META-INF/*.DSA
+ META-INF/*.RSA
+
+
+
+
+
+
+ package
+
+ shade
+
+
+
+
+
+
+
\ No newline at end of file
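Review bot: The `mainClass` property at line 243 still names `com.sun.xml.rpc.processor.modeler.rmi.SOAPSimpleTypeCreatorFuzzer`, a jaxrpc-ri class that does not exist in this module; the only fuzzer here is `jakarta.servlet.jsp.ParserFuzzer`. Nothing in build.sh reads the property (the target class is derived from the source path), so either set it to `jakarta.servlet.jsp.ParserFuzzer` or delete it rather than leave a value that misleads anyone running the shaded jar directly. The property name `fuzzedLibaryVersion` is misspelled (Library); it matches build.sh so it works, but fixing both places now is cheaper than after more projects copy it. Stripping `META-INF/*.SF`, `*.DSA` and `*.RSA` in the shade filter is necessary for the shaded jar to load without signature-mismatch errors and is fine as is.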
diff --git a/projects/jstl-api/jstl-api-fuzzer/src/main/java/jakarta/servlet/jsp/ParserFuzzer.java b/projects/jstl-api/jstl-api-fuzzer/src/main/java/jakarta/servlet/jsp/ParserFuzzer.java
new file mode 100644
index 000000000..310065c1d
--- /dev/null
+++ b/projects/jstl-api/jstl-api-fuzzer/src/main/java/jakarta/servlet/jsp/ParserFuzzer.java
@@ -0,0 +1,31 @@
+package jakarta.servlet.jsp;
+
+import org.apache.taglibs.standard.lang.jstl.Evaluator;
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+
+
+public class ParserFuzzer {
+
+ private FuzzedDataProvider fuzzedDataProvider;
+
+ public ParserFuzzer(FuzzedDataProvider fuzzedDataProvider) throws Exception {
+ this.fuzzedDataProvider = fuzzedDataProvider;
+ }
+
+ void test() {
+ try {
+ String result = Evaluator.parseAndRender(fuzzedDataProvider.consumeRemainingAsString());
+ } catch (JspException ex) {
+ /* documented, ignore */
+ } catch (IllegalArgumentException ex) {
+ /* general purpose, ignore */
+ }
+ }
+
+ public static void fuzzerTestOneInput(FuzzedDataProvider fuzzedDataProvider) throws Exception {
+
+ ParserFuzzer fixture = new ParserFuzzer(fuzzedDataProvider);
+ fixture.test();
+ }
+}
\ No newline at end of file
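Review bot: The `catch (IllegalArgumentException ex)` at line 341 is a blanket swallow labelled "general purpose", which hides an exception class Jazzer would otherwise report as a finding; unless `Evaluator.parseAndRender` is documented to throw IAE for malformed expressions, drop that catch, or replace the comment with the specific call and cause it is meant to excuse. `String result` at line 338 is unused and `throws Exception` on the constructor is unnecessary since it only assigns a field, so `private final FuzzedDataProvider fuzzedDataProvider;` with a plain constructor reads cleaner. The class sits in the `jakarta.servlet.jsp` package although `JspException` is public and no package-private access is needed; a dedicated package such as `ossfuzz` avoids a split package with the jsp-api jar. The launcher passes no `-max_len` and the input is `consumeRemainingAsString()`, so if the JSTL EL parser recurses on nesting (likely for a JavaCC grammar, but I have not checked) deeply nested inputs will surface as StackOverflowError; if those are not wanted findings, bound the input (e.g. `consumeString(4096)`) and say so in a class comment.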
diff --git a/projects/jstl-api/maven-settings.xml b/projects/jstl-api/maven-settings.xml
new file mode 100644
index 000000000..4359e57ec
--- /dev/null
+++ b/projects/jstl-api/maven-settings.xml
@@ -0,0 +1,3 @@
+
+ ${user.home}/.m2/repository
+
\ No newline at end of file
diff --git a/projects/jstl-api/project.yaml b/projects/jstl-api/project.yaml
new file mode 100644
index 000000000..323d62c74
--- /dev/null
+++ b/projects/jstl-api/project.yaml
@@ -0,0 +1,15 @@
+homepage: "https://github.com/eclipse-ee4j/jstl-api"
+language: jvm
+main_repo: "https://github.com/eclipse-ee4j/jstl-api.git"
+fuzzing_engines:
+ - libfuzzer
+sanitizers:
+ - address
+vendor_ccs:
+ - "wagner@code-intelligence.com"
+ - "yakdan@code-intelligence.com"
+ - "glendowne@code-intelligence.com"
+ - "patrice.salathe@code-intelligence.com"
+ - "hlin@code-intelligence.com"
+ - "schaich@code-intelligence.com"
+ - "bug-disclosure@code-intelligence.com"
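Review bot: No `primary_contact` (or `auto_ccs`) entry is listed, so every address that will receive bug reports is a code-intelligence.com vendor address and none belong to the eclipse-ee4j/jstl-api maintainers; parser findings in their code would be disclosed to a third party only. If upstream has agreed to this arrangement, still record a maintainer address as `primary_contact:` so they see reports directly; if it has not been confirmed, that should happen before the integration is enabled.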