From 1d505842f3d063dfb12a8e7b891a209c7a333ff3 Mon Sep 17 00:00:00 2001
From: Henry Lin
Date: Thu, 10 Nov 2022 06:04:55 +0100
Subject: [PATCH] Tomcat: Remove fuzz targets that produce large number of false positive (#8958)
---
 projects/tomcat/ELEvaluationFuzzer.java | 61 -------------
 .../tomcat/SsiExpressionParseTreeFuzzer.java | 88 -------------------
 2 files changed, 149 deletions(-)
 delete mode 100644 projects/tomcat/ELEvaluationFuzzer.java
 delete mode 100644 projects/tomcat/SsiExpressionParseTreeFuzzer.java
diff --git a/projects/tomcat/ELEvaluationFuzzer.java b/projects/tomcat/ELEvaluationFuzzer.java
deleted file mode 100644
index 7f956f906..000000000
--- a/projects/tomcat/ELEvaluationFuzzer.java
+++ /dev/null
@@ -1,61 +0,0 @@
-// Copyright 2022 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-////////////////////////////////////////////////////////////////////////////////
-
-import com.code_intelligence.jazzer.api.FuzzedDataProvider;
-import com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh;
-
-import jakarta.el.ExpressionFactory;
-import jakarta.el.ELException;
-import jakarta.el.ELContext;
-import jakarta.el.ValueExpression;
-import jakarta.el.MethodExpression;
-
-import org.apache.el.lang.ELSupport;
-import org.apache.jasper.el.ELContextImpl;
-
-public class ELEvaluationFuzzer {
- public static void fuzzerTestOneInput(FuzzedDataProvider data) {
- String str = data.consumeRemainingAsString();
-
- try {
- evaluateExpression(str); // Fuzz the createValueExpression
-
-
- ExpressionFactory factory = ExpressionFactory.newInstance();
- ELContext context = new ELContextImpl(factory);
-
- MethodExpression me1 = factory.createMethodExpression(context, str, String.class, new Class[] {}); // Fuzz the createMethodExpression
- MethodExpression me2 = factory.createMethodExpression(context, str, String.class, new Class[] { String.class });
- MethodExpression me3 = factory.createMethodExpression(context, str, null, new Class[] {});
- MethodExpression me4 = factory.createMethodExpression(context, str, null, new Class[]{String.class});
-
- Object r1 = me1.invoke(context, null);
- Object r2 = me2.invoke(context, null);
- Object r3 = me3.invoke(context, null);
- Object r4 = me4.invoke(context, null);
- } catch (ELException | IllegalArgumentException | ArithmeticException e) {
- }
-
- }
-
- public static String evaluateExpression(String expression) {
- ExpressionFactory exprFactory = ExpressionFactory.newInstance();
-
- ELContextImpl ctx = new ELContextImpl(exprFactory);
- ValueExpression ve = exprFactory.createValueExpression(ctx, expression, String.class);
- return (String) ve.getValue(ctx);
- }
-}
\ No newline at end of file
diff --git a/projects/tomcat/SsiExpressionParseTreeFuzzer.java b/projects/tomcat/SsiExpressionParseTreeFuzzer.java
deleted file mode 100644
index 55522173a..000000000
--- a/projects/tomcat/SsiExpressionParseTreeFuzzer.java
+++ /dev/null
@@ -1,88 +0,0 @@
-// Copyright 2022 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-////////////////////////////////////////////////////////////////////////////////
-
-import com.code_intelligence.jazzer.api.FuzzedDataProvider;
-import com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh;
-
-import org.apache.catalina.ssi.*;
-
-import java.io.IOException;
-import java.util.Collection;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.regex.Pattern;
-
-public class SsiExpressionParseTreeFuzzer {
- static final long LAST_MODIFIED = 60 * 60 * 24 * 1000;
-
- public static void fuzzerTestOneInput(FuzzedDataProvider data) {
- String str = data.consumeRemainingAsString();
-
- try {
- SSIMediator mediator = new SSIMediator(new TesterSSIExternalResolver(), LAST_MODIFIED);
- ExpressionParseTree ept = new ExpressionParseTree(str, mediator);
- ExpressionParseTree ept2 = new ExpressionParseTree(Pattern.quote(str), mediator);
- ept.evaluateTree();
- ept2.evaluateTree();
- } catch (Exception e) {
- }
- }
-
- public static class TesterSSIExternalResolver implements SSIExternalResolver {
- private Map variables = new HashMap<>();
-
- @Override
- public void addVariableNames(Collection variableNames) {
- // NO-OP
- }
-
- @Override
- public String getVariableValue(String name) {
- return variables.get(name);
- }
-
- @Override
- public void setVariableValue(String name, String value) {
- variables.put(name, value);
- }
-
- @Override
- public Date getCurrentDate() {
- return null;
- }
-
- @Override
- public long getFileSize(String path, boolean virtual) throws IOException {
- return 0;
- }
-
- @Override
- public long getFileLastModified(String path, boolean virtual) throws IOException {
- return 0;
- }
-
- @Override
- public String getFileText(String path, boolean virtual) throws IOException {
- return null;
- }
-
- @Override
- public void log(String message, Throwable throwable) {
- // NO-OP
- }
- }
-}
\ No newline at end of file