Tomcat: Improve fuzz targets (#8393)

Tomcat: Enhance fuzz targets
Henry Lin 2022-09-02 01:44:30 +02:00 committed by GitHub
parent 6752ebd9af
commit 7b26bfcaa9
2 changed files with 10 additions and 17 deletions


@ -31,15 +31,13 @@ public class ELEvaluationFuzzer {
String str = data.consumeRemainingAsString();
try {
evaluateExpression(str);
} catch (ELException | IllegalArgumentException | ArithmeticException e) {
}
evaluateExpression(str); // Fuzz the createValueExpression
try {
ExpressionFactory factory = ExpressionFactory.newInstance();
ELContext context = new ELContextImpl(factory);
MethodExpression me1 = factory.createMethodExpression(context, str, String.class, new Class<?>[] {});
MethodExpression me1 = factory.createMethodExpression(context, str, String.class, new Class<?>[] {}); // Fuzz the createMethodExpression
MethodExpression me2 = factory.createMethodExpression(context, str, String.class, new Class<?>[] { String.class });
MethodExpression me3 = factory.createMethodExpression(context, str, null, new Class<?>[] {});
MethodExpression me4 = factory.createMethodExpression(context, str, null, new Class[]{String.class});
@ -48,7 +46,7 @@ public class ELEvaluationFuzzer {
Object r2 = me2.invoke(context, null);
Object r3 = me3.invoke(context, null);
Object r4 = me4.invoke(context, null);
} catch (ELException e) {
} catch (ELException | IllegalArgumentException | ArithmeticException e) {
}
}
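Review bot: Dropping the try/catch around the first `evaluateExpression(str)` call in the first hunk means any ELException, IllegalArgumentException or ArithmeticException it throws now escapes the fuzz entry point, which Jazzer reports as a crash on every malformed expression unless evaluateExpression catches those itself — its body is outside this hunk, so please confirm. If it does not, keep the guard: `try { evaluateExpression(str); } catch (ELException | IllegalArgumentException | ArithmeticException e) { /* expected for malformed input */ }`. The second hunk widens the catch around the createMethodExpression/invoke calls to the same three types but leaves the block empty; a one-line comment such as `// expected failures on malformed expressions; anything else is a finding` would make it clear the swallow is deliberate and that other exception types are meant to surface. The enclosing fuzz method starts before the first hunk.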


@ -15,7 +15,7 @@
////////////////////////////////////////////////////////////////////////////////
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh;
import com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow;
import org.apache.tomcat.websocket.*;
@ -40,6 +40,7 @@ import org.apache.catalina.Context;
import org.apache.catalina.servlets.DefaultServlet;
import org.apache.catalina.startup.Tomcat;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.LifecycleException;
import org.apache.tomcat.websocket.TesterMessageCountClient.TesterEndpoint;
import org.apache.tomcat.websocket.TesterMessageCountClient.TesterProgrammaticEndpoint;
@ -57,8 +58,7 @@ public class WsPingPongFuzzer {
tomcat.destroy();
tomcat = null;
System.gc();
} catch (Exception e) {
throw new FuzzerSecurityIssueHigh("Teardown Error!");
} catch (LifecycleException e) {
}
}
@ -75,8 +75,7 @@ public class WsPingPongFuzzer {
try {
tomcat.start();
} catch (Exception e) {
throw new FuzzerSecurityIssueHigh("Tomcat Start error!");
} catch (LifecycleException e) {
}
wsContainer = ContainerProvider.getWebSocketContainer();
@ -93,7 +92,6 @@ public class WsPingPongFuzzer {
wsSession = wsContainer.connectToServer(TesterProgrammaticEndpoint.class, clientEndpointConfig,
new URI("ws://localhost:" + tomcat.getConnector().getLocalPort() + TesterEchoServer.Config.PATH_ASYNC));
} catch (URISyntaxException | DeploymentException | IOException e) {
throw new FuzzerSecurityIssueHigh("wsContainer.connectToServer");
}
CountDownLatch latch = new CountDownLatch(1);
@ -107,22 +105,19 @@ public class WsPingPongFuzzer {
wsSession.getBasicRemote().sendPing(applicationData);
}
} catch (IOException e) {
throw new FuzzerSecurityIssueHigh("getBasicRemote().sendPing");
}
try {
boolean latchResult = handler.getLatch().await(10, TimeUnit.SECONDS);
assert latchResult == true : new FuzzerSecurityIssueHigh("latchResult is not true!");
assert latchResult == true : new FuzzerSecurityIssueLow("latchResult is not true!");
} catch (InterruptedException e) {
throw new FuzzerSecurityIssueHigh("latchResult");
}
assert Arrays.equals(applicationData.array(), (handler.getMessages().peek()).getApplicationData().array()) : new FuzzerSecurityIssueHigh("Not equal!");
assert Arrays.equals(applicationData.array(), (handler.getMessages().peek()).getApplicationData().array()) : new FuzzerSecurityIssueLow("Not equal!");
try {
wsSession.close();
} catch (IOException e) {
throw new FuzzerSecurityIssueHigh("Session close error!");
}
}