• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2021 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //      http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ////////////////////////////////////////////////////////////////////////////////
16 
17 import com.code_intelligence.jazzer.api.FuzzedDataProvider;
18 import com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh;
19 import com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium;
20 import com.google.json.JsonSanitizer;
21 
22 public class DenylistFuzzer {
fuzzerTestOneInput(FuzzedDataProvider data)23   public static void fuzzerTestOneInput(FuzzedDataProvider data) {
24     String input = data.consumeRemainingAsString();
25     String output;
26     try {
27       output = JsonSanitizer.sanitize(input, 10);
28     } catch (ArrayIndexOutOfBoundsException e) {
29       // ArrayIndexOutOfBoundsException is expected if nesting depth is
30       // exceeded.
31       return;
32     }
33 
34     // Check for forbidden substrings. As these would enable Cross-Site
35     // Scripting, treat every finding as a high severity vulnerability.
36     assert !output.contains("</script")
37         : new FuzzerSecurityIssueHigh("Output contains </script");
38     assert !output.contains("]]>")
39         : new FuzzerSecurityIssueHigh("Output contains ]]>");
40 
41     // Check for more forbidden substrings. As these would not directly enable
42     // Cross-Site Scripting in general, but may impact script execution on the
43     // embedding page, treat each finding as a medium severity vulnerability.
44     assert !output.contains("<script")
45         : new FuzzerSecurityIssueMedium("Output contains <script");
46     assert !output.contains("<!--")
47         : new FuzzerSecurityIssueMedium("Output contains <!--");
48   }
49 }
50