Annotates the findings of the various json-sanitizer fuzzers with
severities as follows:
* XSS: High
* Comment injection: Medium
* Invalid JSON: Low
* Failure to be idempotent: Not a security issue
* Undeclared exceptions: Not a security issue
This commit takes advantage of the support for severity markers in stack
traces introduced in https://github.com/google/clusterfuzz/pull/2270.
Prior to this change, native library loading failed for
two reasons:
1. Loading from current working directory instead of the fuzzer's
directory.
2. Using ASAN_OPTIONS=handle_segv=2.
Fix these issues by doing the following.
1. Adding the fuzzer's directory to LD_LIBRARY_PATH instead of "."
2. Specifying handle_segv=1 in ASAN_OPTIONS.
Related: https://github.com/google/oss-fuzz/issues/5178
Jazzer has made fuzzerTestOneInput return void instead of boolean.
This commit adapts the existing Jazzer fuzz targets to this change.
Previously, returning true from a fuzz target would be recorded as a
crash. However, since there is no stack trace in that case, such crashes
cause issues with deduplication. Additionally, the behavior is easy to
replicate with assert or a an if with a throw statement.
This is a speculative fix for an issue we've seen where the class
fails to load.
A simpler approach I did not use is cd-ing into $this_dir. I didn't
use this approach because it will break things if relative paths
are passed to the fuzzer by ClusterFuzz.
The other reason that I think could be responsible for the missing
class issues is not unpacking the zipfile fully.
json-sanitizer uses Maven and has no native dependencies.
The build file is loosely divided into two parts. The first part is
project-specific, the second one can serve as a template for JVM fuzz
targets without native dependencies.
The following three fuzz targets are added to OSS-Fuzz and can later be
moved into the json-sanitizer tree:
* DenylistFuzzer verifies that the output of json-sanitizer never
contains certain substrings that can lead to HTML or XML injections.
* IdempotenceFuzzer verifies that json-sanitizer is idempotent.
* ValidJsonFuzzer verifies that the output of json-sanitizer is valid
JSON by passing it into gson.
jonathanmetzman