Rooba
/
oss-fuzz
mirror of https://github.com/google/oss-fuzz.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity

spring-security-crypto: initial integration (#8578)

This commit is contained in:
Patrice.S 2022-09-28 12:59:13 +02:00 committed by GitHub
parent d17cd053ea
commit f46748f307
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 49 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
projects/spring-security/BCryptPasswordEncoderFuzzer.java Normal file
View File

@ -0,0 +1,49 @@
// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
////////////////////////////////////////////////////////////////////////////////
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh;
import org.springframework.security.crypto.bcrypt.BCrypt;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
public class BCryptPasswordEncoderFuzzer {
public static void fuzzerTestOneInput(FuzzedDataProvider data) {
BCryptPasswordEncoder.BCryptVersion bCryptVersion = data.pickValue(new BCryptPasswordEncoder.BCryptVersion[]
{BCryptPasswordEncoder.BCryptVersion.$2A, BCryptPasswordEncoder.BCryptVersion.$2B, BCryptPasswordEncoder.BCryptVersion.$2Y});
BCryptPasswordEncoder encoder;
try {
if (data.consumeBoolean()) {
encoder = new BCryptPasswordEncoder(bCryptVersion);
} else {
// using MAX_LOG_ROUNDS will slow down the fuzz test
encoder = new BCryptPasswordEncoder(bCryptVersion, data.consumeInt(-1, 10));
}
} catch (IllegalArgumentException ignored) {
return;
}
String password = data.consumeRemainingAsString();
if (password.isEmpty()) {
return;
}
String result = encoder.encode(password);
if (!encoder.matches(password, result)) {
throw new FuzzerSecurityIssueHigh("Password `" + password + "` does not match encoded one `" + result + "`");
}
}
}