src/main/java/jaz/Zer.java - platform/external/jazzer-api - Git at Google

 // Copyright 2021 Code Intelligence GmbH
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 package jaz;

 import com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh;
 import com.code_intelligence.jazzer.api.Jazzer;
 import java.io.*;
 import java.util.*;
 import java.util.concurrent.Callable;
 import java.util.function.Function;

 /**
  * A honeypot class that reports a finding on initialization.
  *
  * Class loading based on externally controlled data could lead to RCE
  * depending on available classes on the classpath. Even if no applicable
  * gadget class is available, allowing input to control class loading is a bad
  * idea and should be prevented. A finding is generated whenever the class
  * is loaded and initialized, regardless of its further use.
  * <p>
  * This class needs to implement {@link Serializable} to be considered in
  * deserialization scenarios. It also implements common constructors, getter
  * and setter and common interfaces to increase chances of passing
  * deserialization checks.
  * <p>
  * <b>Note</b>: Jackson provides a nice list of "nasty classes" at
  * <a
  * href=https://github.com/FasterXML/jackson-databind/blob/2.14/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java>SubTypeValidator</a>.
  * <p>
  * <b>Note</b>: This class must not be referenced in any way by the rest of the code, not even
  * statically. When referring to it, always use its hardcoded class name {@code jaz.Zer}.
  */
 @SuppressWarnings({"rawtypes", "unused"})
 public class Zer
     implements Serializable, Cloneable, Comparable<Zer>, Comparator, Closeable, Flushable, Iterable,
                Iterator, Runnable, Callable, Function, Collection, List {
   static final long serialVersionUID = 42L;

   // serialized size is 41 bytes
   private static final byte REFLECTIVE_CALL_SANITIZER_ID = 0;
   private static final byte DESERIALIZATION_SANITIZER_ID = 1;
   private static final byte EXPRESSION_LANGUAGE_SANITIZER_ID = 2;

   // A byte representing the relevant sanitizer for a given jaz.Zer instance. It is used to check
   // whether the corresponding sanitizer is disabled and jaz.Zer will not report a finding in this
   // case. Each sanitizer which relies on this class must set this byte accordingly. We choose a
   // single byte to represent the sanitizer in order to keep the serialized version of jaz.Zer
   // objects small (currently 41 bytes) so that it fits in the 64 byte limit of the words that can
   // be used with Jazzer's methods that guide the fuzzer towards generating inputs that contain or
   // are equal to target strings. This limit comes from the corresponding libFuzzer hooks that
   // Jazzer uses under the hood.
   private byte sanitizer = REFLECTIVE_CALL_SANITIZER_ID;

   // Common constructors
   public Zer() {
     reportFindingIfEnabled();
   }

   public Zer(String arg1) {
     reportFindingIfEnabled();
   }

   public Zer(String arg1, Throwable arg2) {
     reportFindingIfEnabled();
   }

   public Zer(byte sanitizer) {
     this.sanitizer = sanitizer;
     reportFindingIfEnabled();
   }

   // A special static method that is called by the expression language injection sanitizer. We
   // choose a parameterless method to keep the string that the sanitizer guides the fuzzer to
   // generate within the 64-byte boundary required by the corresponding guiding methods.
   public static void el() {
     if (isSanitizerEnabled(EXPRESSION_LANGUAGE_SANITIZER_ID)) {
       reportFinding();
     }
   }

   private void reportFindingIfEnabled() {
     if (isSanitizerEnabled(sanitizer)) {
       reportFinding();
     }
   }

   private static void reportFinding() {
     Jazzer.reportFindingFromHook(new FuzzerSecurityIssueHigh("Remote Code Execution\n"
         + "Unrestricted class/object creation based on externally controlled data may allow\n"
         + "remote code execution depending on available classes on the classpath."));
   }

   private static boolean isSanitizerEnabled(byte sanitizerId) {
     String allDisabledHooks = System.getProperty("jazzer.disabled_hooks");
     if (allDisabledHooks == null || allDisabledHooks.equals("")) {
       return true;
     }

     String sanitizer;
     switch (sanitizerId) {
       case DESERIALIZATION_SANITIZER_ID:
         sanitizer = "com.code_intelligence.jazzer.sanitizers.Deserialization";
         break;
       case EXPRESSION_LANGUAGE_SANITIZER_ID:
         sanitizer = "com.code_intelligence.jazzer.sanitizers.ExpressionLanguageInjection";
         break;
       default:
         sanitizer = "com.code_intelligence.jazzer.sanitizers.ReflectiveCall";
     }
     return Arrays.stream(allDisabledHooks.split(",")).noneMatch(sanitizer::equals);
   }

   // Getter/Setter

   public Object getJaz() {
     reportFindingIfEnabled();
     return this;
   }

   public void setJaz(String jaz) {
     reportFindingIfEnabled();
   }

   @Override
   public int hashCode() {
     reportFindingIfEnabled();
     return super.hashCode();
   }

   @Override
   public boolean equals(Object obj) {
     reportFindingIfEnabled();
     return super.equals(obj);
   }

   @Override
   public String toString() {
     reportFindingIfEnabled();
     return super.toString();
   }

   // Common interface stubs

   @Override
   public void close() {
     reportFindingIfEnabled();
   }

   @Override
   public void flush() {
     reportFindingIfEnabled();
   }

   @Override
   public int compareTo(Zer o) {
     reportFindingIfEnabled();
     return 0;
   }

   @Override
   public int compare(Object o1, Object o2) {
     reportFindingIfEnabled();
     return 0;
   }

   @Override
   public int size() {
     reportFindingIfEnabled();
     return 0;
   }

   @Override
   public boolean isEmpty() {
     reportFindingIfEnabled();
     return false;
   }

   @Override
   public boolean contains(Object o) {
     reportFindingIfEnabled();
     return false;
   }

   @Override
   public Object[] toArray() {
     reportFindingIfEnabled();
     return new Object[0];
   }

   @Override
   public boolean add(Object o) {
     reportFindingIfEnabled();
     return false;
   }

   @Override
   public boolean remove(Object o) {
     reportFindingIfEnabled();
     return false;
   }

   @Override
   public boolean addAll(Collection c) {
     reportFindingIfEnabled();
     return false;
   }

   @Override
   public boolean addAll(int index, Collection c) {
     reportFindingIfEnabled();
     return false;
   }

   @Override
   public void clear() {
     reportFindingIfEnabled();
   }

   @Override
   public Object get(int index) {
     reportFindingIfEnabled();
     return this;
   }

   @Override
   public Object set(int index, Object element) {
     reportFindingIfEnabled();
     return this;
   }

   @Override
   public void add(int index, Object element) {
     reportFindingIfEnabled();
   }

   @Override
   public Object remove(int index) {
     reportFindingIfEnabled();
     return this;
   }

   @Override
   public int indexOf(Object o) {
     reportFindingIfEnabled();
     return 0;
   }

   @Override
   public int lastIndexOf(Object o) {
     reportFindingIfEnabled();
     return 0;
   }

   @Override
   @SuppressWarnings("ConstantConditions")
   public ListIterator listIterator() {
     reportFindingIfEnabled();
     return null;
   }

   @Override
   @SuppressWarnings("ConstantConditions")
   public ListIterator listIterator(int index) {
     reportFindingIfEnabled();
     return null;
   }

   @Override
   public List subList(int fromIndex, int toIndex) {
     reportFindingIfEnabled();
     return this;
   }

   @Override
   public boolean retainAll(Collection c) {
     reportFindingIfEnabled();
     return false;
   }

   @Override
   public boolean removeAll(Collection c) {
     reportFindingIfEnabled();
     return false;
   }

   @Override
   public boolean containsAll(Collection c) {
     reportFindingIfEnabled();
     return false;
   }

   @Override
   public Object[] toArray(Object[] a) {
     reportFindingIfEnabled();
     return new Object[0];
   }

   @Override
   public Iterator iterator() {
     reportFindingIfEnabled();
     return this;
   }

   @Override
   public void run() {
     reportFindingIfEnabled();
   }

   @Override
   public boolean hasNext() {
     reportFindingIfEnabled();
     return false;
   }

   @Override
   public Object next() {
     reportFindingIfEnabled();
     return this;
   }

   @Override
   public Object call() throws Exception {
     reportFindingIfEnabled();
     return this;
   }

   @Override
   public Object apply(Object o) {
     reportFindingIfEnabled();
     return this;
   }

   @Override
   @SuppressWarnings("MethodDoesntCallSuperMethod")
   public Object clone() {
     reportFindingIfEnabled();
     return this;
   }

   // readObject calls can directly result in RCE, see https://github.com/frohoff/ysoserial for
   // examples. Since deserialization doesn't call constructors (see
   // https://docs.oracle.com/javase/7/docs/platform/serialization/spec/input.html#2971), we emit a
   // finding right in the readObject method.
   private void readObject(ObjectInputStream stream) throws IOException, ClassNotFoundException {
     // Need to read in ourselves to initialize the sanitizer field.
     stream.defaultReadObject();
     reportFindingIfEnabled();
   }
 }
	// Copyright 2021 Code Intelligence GmbH
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	package jaz;

	import com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh;
	import com.code_intelligence.jazzer.api.Jazzer;
	import java.io.*;
	import java.util.*;
	import java.util.concurrent.Callable;
	import java.util.function.Function;

	/**
	* A honeypot class that reports a finding on initialization.
	*
	* Class loading based on externally controlled data could lead to RCE
	* depending on available classes on the classpath. Even if no applicable
	* gadget class is available, allowing input to control class loading is a bad
	* idea and should be prevented. A finding is generated whenever the class
	* is loaded and initialized, regardless of its further use.
	* <p>
	* This class needs to implement {@link Serializable} to be considered in
	* deserialization scenarios. It also implements common constructors, getter
	* and setter and common interfaces to increase chances of passing
	* deserialization checks.
	* <p>
	* <b>Note</b>: Jackson provides a nice list of "nasty classes" at
	* <a
	* href=https://github.com/FasterXML/jackson-databind/blob/2.14/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java>SubTypeValidator</a>.
	* <p>
	* <b>Note</b>: This class must not be referenced in any way by the rest of the code, not even
	* statically. When referring to it, always use its hardcoded class name {@code jaz.Zer}.
	*/
	@SuppressWarnings({"rawtypes", "unused"})
	public class Zer
	implements Serializable, Cloneable, Comparable<Zer>, Comparator, Closeable, Flushable, Iterable,
	Iterator, Runnable, Callable, Function, Collection, List {
	static final long serialVersionUID = 42L;

	// serialized size is 41 bytes
	private static final byte REFLECTIVE_CALL_SANITIZER_ID = 0;
	private static final byte DESERIALIZATION_SANITIZER_ID = 1;
	private static final byte EXPRESSION_LANGUAGE_SANITIZER_ID = 2;

	// A byte representing the relevant sanitizer for a given jaz.Zer instance. It is used to check
	// whether the corresponding sanitizer is disabled and jaz.Zer will not report a finding in this
	// case. Each sanitizer which relies on this class must set this byte accordingly. We choose a
	// single byte to represent the sanitizer in order to keep the serialized version of jaz.Zer
	// objects small (currently 41 bytes) so that it fits in the 64 byte limit of the words that can
	// be used with Jazzer's methods that guide the fuzzer towards generating inputs that contain or
	// are equal to target strings. This limit comes from the corresponding libFuzzer hooks that
	// Jazzer uses under the hood.
	private byte sanitizer = REFLECTIVE_CALL_SANITIZER_ID;

	// Common constructors
	public Zer() {
	reportFindingIfEnabled();
	}

	public Zer(String arg1) {
	reportFindingIfEnabled();
	}

	public Zer(String arg1, Throwable arg2) {
	reportFindingIfEnabled();
	}

	public Zer(byte sanitizer) {
	this.sanitizer = sanitizer;
	reportFindingIfEnabled();
	}

	// A special static method that is called by the expression language injection sanitizer. We
	// choose a parameterless method to keep the string that the sanitizer guides the fuzzer to
	// generate within the 64-byte boundary required by the corresponding guiding methods.
	public static void el() {
	if (isSanitizerEnabled(EXPRESSION_LANGUAGE_SANITIZER_ID)) {
	reportFinding();
	}
	}

	private void reportFindingIfEnabled() {
	if (isSanitizerEnabled(sanitizer)) {
	reportFinding();
	}
	}

	private static void reportFinding() {
	Jazzer.reportFindingFromHook(new FuzzerSecurityIssueHigh("Remote Code Execution\n"
	+ "Unrestricted class/object creation based on externally controlled data may allow\n"
	+ "remote code execution depending on available classes on the classpath."));
	}

	private static boolean isSanitizerEnabled(byte sanitizerId) {
	String allDisabledHooks = System.getProperty("jazzer.disabled_hooks");
	if (allDisabledHooks == null \|\| allDisabledHooks.equals("")) {
	return true;
	}

	String sanitizer;
	switch (sanitizerId) {
	case DESERIALIZATION_SANITIZER_ID:
	sanitizer = "com.code_intelligence.jazzer.sanitizers.Deserialization";
	break;
	case EXPRESSION_LANGUAGE_SANITIZER_ID:
	sanitizer = "com.code_intelligence.jazzer.sanitizers.ExpressionLanguageInjection";
	break;
	default:
	sanitizer = "com.code_intelligence.jazzer.sanitizers.ReflectiveCall";
	}
	return Arrays.stream(allDisabledHooks.split(",")).noneMatch(sanitizer::equals);
	}

	// Getter/Setter

	public Object getJaz() {
	reportFindingIfEnabled();
	return this;
	}

	public void setJaz(String jaz) {
	reportFindingIfEnabled();
	}

	@Override
	public int hashCode() {
	reportFindingIfEnabled();
	return super.hashCode();
	}

	@Override
	public boolean equals(Object obj) {
	reportFindingIfEnabled();
	return super.equals(obj);
	}

	@Override
	public String toString() {
	reportFindingIfEnabled();
	return super.toString();
	}

	// Common interface stubs

	@Override
	public void close() {
	reportFindingIfEnabled();
	}

	@Override
	public void flush() {
	reportFindingIfEnabled();
	}

	@Override
	public int compareTo(Zer o) {
	reportFindingIfEnabled();
	return 0;
	}

	@Override
	public int compare(Object o1, Object o2) {
	reportFindingIfEnabled();
	return 0;
	}

	@Override
	public int size() {
	reportFindingIfEnabled();
	return 0;
	}

	@Override
	public boolean isEmpty() {
	reportFindingIfEnabled();
	return false;
	}

	@Override
	public boolean contains(Object o) {
	reportFindingIfEnabled();
	return false;
	}

	@Override
	public Object[] toArray() {
	reportFindingIfEnabled();
	return new Object[0];
	}

	@Override
	public boolean add(Object o) {
	reportFindingIfEnabled();
	return false;
	}

	@Override
	public boolean remove(Object o) {
	reportFindingIfEnabled();
	return false;
	}

	@Override
	public boolean addAll(Collection c) {
	reportFindingIfEnabled();
	return false;
	}

	@Override
	public boolean addAll(int index, Collection c) {
	reportFindingIfEnabled();
	return false;
	}

	@Override
	public void clear() {
	reportFindingIfEnabled();
	}

	@Override
	public Object get(int index) {
	reportFindingIfEnabled();
	return this;
	}

	@Override
	public Object set(int index, Object element) {
	reportFindingIfEnabled();
	return this;
	}

	@Override
	public void add(int index, Object element) {
	reportFindingIfEnabled();
	}

	@Override
	public Object remove(int index) {
	reportFindingIfEnabled();
	return this;
	}

	@Override
	public int indexOf(Object o) {
	reportFindingIfEnabled();
	return 0;
	}

	@Override
	public int lastIndexOf(Object o) {
	reportFindingIfEnabled();
	return 0;
	}

	@Override
	@SuppressWarnings("ConstantConditions")
	public ListIterator listIterator() {
	reportFindingIfEnabled();
	return null;
	}

	@Override
	@SuppressWarnings("ConstantConditions")
	public ListIterator listIterator(int index) {
	reportFindingIfEnabled();
	return null;
	}

	@Override
	public List subList(int fromIndex, int toIndex) {
	reportFindingIfEnabled();
	return this;
	}

	@Override
	public boolean retainAll(Collection c) {
	reportFindingIfEnabled();
	return false;
	}

	@Override
	public boolean removeAll(Collection c) {
	reportFindingIfEnabled();
	return false;
	}

	@Override
	public boolean containsAll(Collection c) {
	reportFindingIfEnabled();
	return false;
	}

	@Override
	public Object[] toArray(Object[] a) {
	reportFindingIfEnabled();
	return new Object[0];
	}

	@Override
	public Iterator iterator() {
	reportFindingIfEnabled();
	return this;
	}

	@Override
	public void run() {
	reportFindingIfEnabled();
	}

	@Override
	public boolean hasNext() {
	reportFindingIfEnabled();
	return false;
	}

	@Override
	public Object next() {
	reportFindingIfEnabled();
	return this;
	}

	@Override
	public Object call() throws Exception {
	reportFindingIfEnabled();
	return this;
	}

	@Override
	public Object apply(Object o) {
	reportFindingIfEnabled();
	return this;
	}

	@Override
	@SuppressWarnings("MethodDoesntCallSuperMethod")
	public Object clone() {
	reportFindingIfEnabled();
	return this;
	}

	// readObject calls can directly result in RCE, see https://github.com/frohoff/ysoserial for
	// examples. Since deserialization doesn't call constructors (see
	// https://docs.oracle.com/javase/7/docs/platform/serialization/spec/input.html#2971), we emit a
	// finding right in the readObject method.
	private void readObject(ObjectInputStream stream) throws IOException, ClassNotFoundException {
	// Need to read in ourselves to initialize the sanitizer field.
	stream.defaultReadObject();
	reportFindingIfEnabled();
	}
	}