diff options
Diffstat (limited to 'sanitizers/src/test/java/com/example/DisabledHooksTest.java')
-rw-r--r-- | sanitizers/src/test/java/com/example/DisabledHooksTest.java | 110 |
1 files changed, 110 insertions, 0 deletions
diff --git a/sanitizers/src/test/java/com/example/DisabledHooksTest.java b/sanitizers/src/test/java/com/example/DisabledHooksTest.java new file mode 100644 index 00000000..763cd637 --- /dev/null +++ b/sanitizers/src/test/java/com/example/DisabledHooksTest.java @@ -0,0 +1,110 @@ +// Copyright 2022 Code Intelligence GmbH +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.example; + +import com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh; +import java.io.*; +import java.lang.reflect.InvocationTargetException; +import java.util.Base64; +import org.junit.After; +import org.junit.Test; + +public class DisabledHooksTest { + public static void triggerReflectiveCallSanitizer() { + try { + Class.forName("jaz.Zer").newInstance(); + } catch (ClassNotFoundException | IllegalAccessException | InstantiationException ignored) { + } + } + + public static void triggerExpressionLanguageInjectionSanitizer() throws Throwable { + try { + Class.forName("jaz.Zer").getMethod("el").invoke(null); + } catch (InvocationTargetException e) { + throw e.getCause(); + } catch (IllegalAccessException | ClassNotFoundException | NoSuchMethodException ignore) { + } + } + + public static void triggerDeserializationSanitizer() { + byte[] data = + Base64.getDecoder().decode("rO0ABXNyAAdqYXouWmVyAAAAAAAAACoCAAFCAAlzYW5pdGl6ZXJ4cAEK"); + try { + ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data)); + System.out.println(ois.readObject()); + } catch (IOException | ClassNotFoundException ignore) { + } + } + + @After + public void resetDisabledHooksProperty() { + System.clearProperty("jazzer.disabled_hooks"); + } + + @Test(expected = FuzzerSecurityIssueHigh.class) + public void enableReflectiveCallSanitizer() { + triggerReflectiveCallSanitizer(); + } + + @Test(expected = FuzzerSecurityIssueHigh.class) + public void enableDeserializationSanitizer() { + triggerDeserializationSanitizer(); + } + + @Test(expected = FuzzerSecurityIssueHigh.class) + public void enableExpressionLanguageInjectionSanitizer() throws Throwable { + triggerExpressionLanguageInjectionSanitizer(); + } + + @Test + public void disableReflectiveCallSanitizer() { + System.setProperty( + "jazzer.disabled_hooks", "com.code_intelligence.jazzer.sanitizers.ReflectiveCall"); + triggerReflectiveCallSanitizer(); + } + + @Test + public void disableDeserializationSanitizer() { + System.setProperty( + "jazzer.disabled_hooks", "com.code_intelligence.jazzer.sanitizers.Deserialization"); + triggerDeserializationSanitizer(); + } + + @Test + public void disableExpressionLanguageSanitizer() throws Throwable { + System.setProperty("jazzer.disabled_hooks", + "com.code_intelligence.jazzer.sanitizers.ExpressionLanguageInjection"); + triggerExpressionLanguageInjectionSanitizer(); + } + + @Test(expected = FuzzerSecurityIssueHigh.class) + public void disableReflectiveCallAndEnableDeserialization() { + System.setProperty( + "jazzer.disabled_hooks", "com.code_intelligence.jazzer.sanitizers.ReflectiveCall"); + triggerReflectiveCallSanitizer(); + triggerDeserializationSanitizer(); + } + + @Test + public void disableAllSanitizers() throws Throwable { + System.setProperty("jazzer.disabled_hooks", + "com.code_intelligence.jazzer.sanitizers.ReflectiveCall," + + "com.code_intelligence.jazzer.sanitizers.Deserialization," + + "com.code_intelligence.jazzer.sanitizers.ExpressionLanguageInjection"); + triggerReflectiveCallSanitizer(); + triggerExpressionLanguageInjectionSanitizer(); + triggerDeserializationSanitizer(); + } +} |