# Bazel package of example fuzz targets for Jazzer. Most targets are declared through the
# java_fuzz_target_test macro from //bazel:fuzz_target.bzl, which wraps a fuzz target class in a
# test that runs the fuzzer; `fuzzer_args` are handed to Jazzer/libFuzzer unchanged. Targets
# tagged "manual" are excluded from the default test suite and have to be invoked explicitly.
load("@io_bazel_rules_kotlin//kotlin:jvm.bzl", "kt_jvm_library")
load("@fmeum_rules_jni//jni:defs.bzl", "java_jni_library")
load("//bazel:compat.bzl", "SKIP_ON_MACOS", "SKIP_ON_WINDOWS")
load("//bazel:fuzz_target.bzl", "java_fuzz_target_test")

# Autofuzz mode: there is no handwritten fuzz target. Jazzer drives the method named in
# --autofuzz directly, so the library under test only needs to be on the runtime classpath.
java_fuzz_target_test(
    name = "Autofuzz",
    fuzzer_args = [
        "--autofuzz=com.google.json.JsonSanitizer::sanitize",
        # Exit after the first finding for testing purposes.
        "--keep_going=1",
    ],
    runtime_deps = [
        "@maven//:com_mikesamuel_json_sanitizer",
    ],
)

# Minimal fuzz target plus a hook class that Jazzer applies to the target at runtime
# (presumably the hooks are what make the planted bug reachable — see the sources).
java_fuzz_target_test(
    name = "ExampleFuzzer",
    srcs = [
        "src/main/java/com/example/ExampleFuzzer.java",
        "src/main/java/com/example/ExampleFuzzerHooks.java",
    ],
    # Comment out the next line to keep the fuzzer running indefinitely.
    hook_classes = ["com.example.ExampleFuzzerHooks"],
    target_class = "com.example.ExampleFuzzer",
)

# Java side of a JNI fuzz target. Both native builds (ASan- and UBSan-instrumented) are bundled;
# the two tests below pick one at runtime via the jazzer.native_lib system property. Only the
# native package may depend on this library directly.
java_jni_library(
    name = "example_fuzzer_with_native_lib",
    srcs = [
        "src/main/java/com/example/ExampleFuzzerWithNative.java",
    ],
    native_libs = [
        "//examples/src/main/native/com/example:native_asan",
        "//examples/src/main/native/com/example:native_ubsan",
    ],
    visibility = ["//examples/src/main/native/com/example:__pkg__"],
    deps = [
        "//agent:jazzer_api_compile_only",
    ],
)

# The `sanitizer` attribute and the selected native library are paired: address <-> native_asan.
java_fuzz_target_test(
    name = "ExampleFuzzerWithASan",
    fuzzer_args = ["--jvm_args=-Djazzer.native_lib=native_asan"],
    sanitizer = "address",
    target_class = "com.example.ExampleFuzzerWithNative",
    runtime_deps = [
        ":example_fuzzer_with_native_lib",
    ],
)

# Same target as above with the UBSan build: undefined <-> native_ubsan.
java_fuzz_target_test(
    name = "ExampleFuzzerWithUBSan",
    fuzzer_args = ["--jvm_args=-Djazzer.native_lib=native_ubsan"],
    sanitizer = "undefined",
    target_class = "com.example.ExampleFuzzerWithNative",
    # Crashes at runtime without an error message.
    target_compatible_with = SKIP_ON_WINDOWS,
    runtime_deps = [
        ":example_fuzzer_with_native_lib",
    ],
)

# Hook-based example; the hook class is compiled alongside the target and registered via
# hook_classes, mirroring ExampleFuzzer above.
java_fuzz_target_test(
    name = "ExamplePathTraversalFuzzer",
    srcs = [
        "src/main/java/com/example/ExamplePathTraversalFuzzer.java",
        "src/main/java/com/example/ExamplePathTraversalFuzzerHooks.java",
    ],
    hook_classes = ["com.example.ExamplePathTraversalFuzzerHooks"],
    target_class = "com.example.ExamplePathTraversalFuzzer",
)

# Demonstrates libFuzzer's value profiling; the flag is what lets this target find its bug.
java_fuzz_target_test(
    name = "ExampleValueProfileFuzzer",
    srcs = [
        "src/main/java/com/example/ExampleValueProfileFuzzer.java",
    ],
    # Comment out the next line to keep the fuzzer running indefinitely.
    fuzzer_args = ["-use_value_profile=1"],
    target_class = "com.example.ExampleValueProfileFuzzer",
)

# Caps the JVM heap, presumably so the out-of-memory condition is reached with bounded memory
# use on the test machine.
java_fuzz_target_test(
    name = "ExampleOutOfMemoryFuzzer",
    srcs = [
        "src/main/java/com/example/ExampleOutOfMemoryFuzzer.java",
    ],
    fuzzer_args = ["--jvm_args=-Xmx512m"],
    target_class = "com.example.ExampleOutOfMemoryFuzzer",
)

java_fuzz_target_test(
    name = "ExampleStackOverflowFuzzer",
    srcs = [
        "src/main/java/com/example/ExampleStackOverflowFuzzer.java",
    ],
    target_class = "com.example.ExampleStackOverflowFuzzer",
    # Crashes with a segfault before any stack trace printing is reached.
    target_compatible_with = SKIP_ON_MACOS,
)

# WARNING: This fuzz target uses a vulnerable version of log4j, which could result in the execution
# of arbitrary code during fuzzing if executed with an older JDK. Use at your own risk.
# The vulnerable dependency is loaded into the fuzzing JVM itself, and -fork=4 runs libFuzzer's
# fork-mode workers as additional processes, so run this only on an isolated machine. The
# "manual" tag keeps it out of the default test suite.
java_fuzz_target_test(
    name = "Log4jFuzzer",
    timeout = "long",
    srcs = [
        "src/main/java/com/example/Log4jFuzzer.java",
    ],
    fuzzer_args = [
        "-fork=4",
        "-use_value_profile=1",
    ],
    # Finding this bug takes ~5 minutes on a decent laptop, but the GitHub Actions machines are not
    # powerful enough to run it as part of our test suite.
    tags = ["manual"],
    target_class = "com.example.Log4jFuzzer",
    deps = [
        "@maven//:org_apache_logging_log4j_log4j_api",
        "@maven//:org_apache_logging_log4j_log4j_core",
    ],
)

# Besides fuzzing commons-imaging, this target exercises the --jvm_args / --additional_jvm_args
# plumbing: the select() below uses the platform's path-list separator (';' on Windows, ':'
# elsewhere) and passes an escaped separator inside a value to check that it survives intact.
java_fuzz_target_test(
    name = "JpegImageParserFuzzer",
    srcs = [
        "src/main/java/com/example/JpegImageParserFuzzer.java",
    ],
    fuzzer_args = [
        "-fork=5",
        "--additional_jvm_args=-Dbaz=baz",
    ] + select({
        # \\\\ becomes \\ when evaluated as a Starlark string literal, then \ in
        # java_fuzz_target_test.
        "@platforms//os:windows": ["--jvm_args=-Dfoo=foo;-Dbar=b\\\\;ar"],
        "//conditions:default": ["--jvm_args=-Dfoo=foo:-Dbar=b\\\\:ar"],
    }),
    target_class = "com.example.JpegImageParserFuzzer",
    # The exit codes of the forked libFuzzer processes are not picked up correctly.
    target_compatible_with = SKIP_ON_MACOS,
    deps = [
        "@maven//:org_apache_commons_commons_imaging",
    ],
)

java_fuzz_target_test(
    name = "GifImageParserFuzzer",
    srcs = [
        "src/main/java/com/example/GifImageParserFuzzer.java",
    ],
    target_class = "com.example.GifImageParserFuzzer",
    deps = [
        "@maven//:org_apache_commons_commons_imaging",
    ],
)

java_fuzz_target_test(
    name = "TiffImageParserFuzzer",
    srcs = [
        "src/main/java/com/example/TiffImageParserFuzzer.java",
    ],
    # NOTE(review): no reason is recorded for excluding this target from the test suite — TODO
    # document why it is manual (runtime, flakiness, or a known open finding).
    tags = ["manual"],
    target_class = "com.example.TiffImageParserFuzzer",
    deps = [
        "@maven//:org_apache_commons_commons_imaging",
    ],
)

# Four targets against json-sanitizer, one per property being checked (crash, denylist,
# idempotence, valid-JSON output); the property itself lives in the respective source file.
java_fuzz_target_test(
    name = "JsonSanitizerCrashFuzzer",
    srcs = [
        "src/main/java/com/example/JsonSanitizerCrashFuzzer.java",
    ],
    target_class = "com.example.JsonSanitizerCrashFuzzer",
    deps = [
        "@maven//:com_mikesamuel_json_sanitizer",
    ],
)

java_fuzz_target_test(
    name = "JsonSanitizerDenylistFuzzer",
    srcs = [
        "src/main/java/com/example/JsonSanitizerDenylistFuzzer.java",
    ],
    target_class = "com.example.JsonSanitizerDenylistFuzzer",
    deps = [
        "@maven//:com_mikesamuel_json_sanitizer",
    ],
)

# Replays a checked-in crashing input (json_sanitizer_denylist_crash, a file in this package)
# through Jazzer's Replayer against the denylist fuzzer. The *_target_deploy.jar label is
# presumably an output of the java_fuzz_target_test macro.
java_binary(
    name = "JsonSanitizerReplayerCrash",
    data = [
        ":json_sanitizer_denylist_crash",
    ],
    main_class = "com.code_intelligence.jazzer.replay.Replayer",
    runtime_deps = [
        ":JsonSanitizerDenylistFuzzer_target_deploy.jar",
        "//agent/src/main/java/com/code_intelligence/jazzer/replay:Replayer_deploy.jar",
    ],
)

# Regression test for the replayer: runs check_for_finding.sh with (replayer binary, fuzz target
# class, crash input), all resolved as runfiles under the "jazzer" workspace name. Judging by
# the script name it verifies that the replay reports a finding.
sh_test(
    name = "JsonSanitizerReplayerCrashTest",
    srcs = ["check_for_finding.sh"],
    args = [
        "jazzer/$(rootpath :JsonSanitizerReplayerCrash)",
        "com.example.JsonSanitizerDenylistFuzzer",
        "jazzer/$(rootpath :json_sanitizer_denylist_crash)",
    ],
    data = [
        ":JsonSanitizerReplayerCrash",
        ":json_sanitizer_denylist_crash",
    ],
    deps = [
        "@bazel_tools//tools/bash/runfiles",
    ],
)

java_fuzz_target_test(
    name = "JsonSanitizerIdempotenceFuzzer",
    srcs = [
        "src/main/java/com/example/JsonSanitizerIdempotenceFuzzer.java",
    ],
    target_class = "com.example.JsonSanitizerIdempotenceFuzzer",
    deps = [
        "@maven//:com_mikesamuel_json_sanitizer",
    ],
)

# Needs gson in addition to json-sanitizer, presumably to parse the sanitizer's output.
java_fuzz_target_test(
    name = "JsonSanitizerValidJsonFuzzer",
    srcs = [
        "src/main/java/com/example/JsonSanitizerValidJsonFuzzer.java",
    ],
    target_class = "com.example.JsonSanitizerValidJsonFuzzer",
    deps = [
        "@maven//:com_google_code_gson_gson",
        "@maven//:com_mikesamuel_json_sanitizer",
    ],
)

java_fuzz_target_test(
    name = "JacksonCborFuzzer",
    srcs = [
        "src/main/java/com/example/JacksonCborFuzzer.java",
    ],
    target_class = "com.example.JacksonCborFuzzer",
    deps = [
        "@maven//:com_fasterxml_jackson_core_jackson_core",
        "@maven//:com_fasterxml_jackson_core_jackson_databind",
        "@maven//:com_fasterxml_jackson_dataformat_jackson_dataformat_cbor",
    ],
)

java_fuzz_target_test(
    name = "FastJsonFuzzer",
    srcs = [
        "src/main/java/com/example/FastJsonFuzzer.java",
    ],
    target_class = "com.example.FastJsonFuzzer",
    deps = [
        "@maven//:com_alibaba_fastjson",
    ],
)

# Kotlin fuzz target. It is compiled as a separate kt_jvm_library and handed to the test via
# runtime_deps, presumably because java_fuzz_target_test only takes Java sources in `srcs`.
kt_jvm_library(
    name = "KlaxonFuzzTarget",
    srcs = [
        "src/main/java/com/example/KlaxonFuzzer.kt",
    ],
    deps = [
        "//agent:jazzer_api_compile_only",
        "@maven//:com_beust_klaxon",
    ],
)

# --keep_going=7: keep fuzzing until seven findings have been reported instead of stopping at
# the first one.
java_fuzz_target_test(
    name = "KlaxonFuzzer",
    fuzzer_args = [
        "--keep_going=7",
    ],
    target_class = "com.example.KlaxonFuzzer",
    runtime_deps = [":KlaxonFuzzTarget"],
)

# Native (libjpeg-turbo) target fuzzed under ASan with a raised RSS limit.
# NOTE(review): 8196 looks like a typo for 8192 (8 GiB); harmless, but confirm the intended
# limit before relying on it.
java_fuzz_target_test(
    name = "TurboJpegFuzzer",
    srcs = [
        "src/main/java/com/example/TurboJpegFuzzer.java",
    ],
    fuzzer_args = [
        "-rss_limit_mb=8196",
    ],
    native_libs = [
        "@libjpeg_turbo//:turbojpeg_native",
    ],
    sanitizer = "address",
    tags = ["manual"],
    target_class = "com.example.TurboJpegFuzzer",
    deps = [
        "@libjpeg_turbo//:turbojpeg_java",
    ],
)

# Non-executable aggregate (create_executable = False) that bundles a selection of the fuzz
# targets' deploy jars; public so other packages can depend on the bundle.
java_binary(
    name = "examples",
    create_executable = False,
    visibility = ["//visibility:public"],
    runtime_deps = [
        ":ExampleFuzzer_target_deploy.jar",
        ":ExampleValueProfileFuzzer_target_deploy.jar",
        ":FastJsonFuzzer_target_deploy.jar",
        ":JacksonCborFuzzer_target_deploy.jar",
        ":JpegImageParserFuzzer_target_deploy.jar",
        ":JsonSanitizerDenylistFuzzer_target_deploy.jar",
    ],
)