1 // Copyright 2022 Code Intelligence GmbH 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package com.code_intelligence.jazzer.sanitizers 16 17 import com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow 18 import com.code_intelligence.jazzer.api.HookType 19 import com.code_intelligence.jazzer.api.Jazzer 20 import com.code_intelligence.jazzer.api.MethodHook 21 import com.code_intelligence.jazzer.api.MethodHooks 22 import java.lang.invoke.MethodHandle 23 import java.util.regex.Pattern 24 import java.util.regex.PatternSyntaxException 25 26 @Suppress("unused_parameter", "unused") 27 object RegexInjection { 28 /** 29 * Part of an OOM "exploit" for [java.util.regex.Pattern.compile] with the 30 * [java.util.regex.Pattern.CANON_EQ] flag, formed by three consecutive combining marks, in this 31 * case grave accents: ◌̀. 32 * See [compileWithFlagsHook] for details. 33 */ 34 private const val CANON_EQ_ALMOST_EXPLOIT = "\u0300\u0300\u0300" 35 36 /** 37 * When injected into a regex pattern, helps the fuzzer break out of quotes and character 38 * classes in order to cause a [PatternSyntaxException]. 39 */ 40 private const val FORCE_PATTERN_SYNTAX_EXCEPTION_PATTERN = "\\E]\\E]]]]]]" 41 42 @MethodHook( 43 type = HookType.REPLACE, 44 targetClassName = "java.util.regex.Pattern", 45 targetMethod = "compile", 46 targetMethodDescriptor = "(Ljava/lang/String;I)Ljava/util/regex/Pattern;" 47 ) 48 @JvmStatic compileWithFlagsHooknull49 fun compileWithFlagsHook(method: MethodHandle, alwaysNull: Any?, args: Array<Any?>, hookId: Int): Any? { 50 val pattern = args[0] as String? 51 val hasCanonEqFlag = ((args[1] as Int) and Pattern.CANON_EQ) != 0 52 return hookInternal(method, pattern, hasCanonEqFlag, hookId, *args) 53 } 54 55 @MethodHooks( 56 MethodHook( 57 type = HookType.REPLACE, 58 targetClassName = "java.util.regex.Pattern", 59 targetMethod = "compile", 60 targetMethodDescriptor = "(Ljava/lang/String;)Ljava/util/regex/Pattern;" 61 ), 62 MethodHook( 63 type = HookType.REPLACE, 64 targetClassName = "java.util.regex.Pattern", 65 targetMethod = "matches", 66 targetMethodDescriptor = "(Ljava/lang/String;Ljava/lang/CharSequence;)Z" 67 ), 68 ) 69 @JvmStatic patternHooknull70 fun patternHook(method: MethodHandle, alwaysNull: Any?, args: Array<Any?>, hookId: Int): Any? { 71 return hookInternal(method, args[0] as String?, false, hookId, *args) 72 } 73 74 @MethodHooks( 75 MethodHook( 76 type = HookType.REPLACE, 77 targetClassName = "java.lang.String", 78 targetMethod = "matches", 79 targetMethodDescriptor = "(Ljava/lang/String;)Z", 80 ), 81 MethodHook( 82 type = HookType.REPLACE, 83 targetClassName = "java.lang.String", 84 targetMethod = "replaceAll", 85 targetMethodDescriptor = "(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;", 86 ), 87 MethodHook( 88 type = HookType.REPLACE, 89 targetClassName = "java.lang.String", 90 targetMethod = "replaceFirst", 91 targetMethodDescriptor = "(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;", 92 ), 93 MethodHook( 94 type = HookType.REPLACE, 95 targetClassName = "java.lang.String", 96 targetMethod = "split", 97 targetMethodDescriptor = "(Ljava/lang/String;)Ljava/lang/String;", 98 ), 99 MethodHook( 100 type = HookType.REPLACE, 101 targetClassName = "java.lang.String", 102 targetMethod = "split", 103 targetMethodDescriptor = "(Ljava/lang/String;I)Ljava/lang/String;", 104 ), 105 ) 106 @JvmStatic stringHooknull107 fun stringHook(method: MethodHandle, thisObject: Any?, args: Array<Any?>, hookId: Int): Any? { 108 return hookInternal(method, args[0] as String?, false, hookId, thisObject, *args) 109 } 110 hookInternalnull111 private fun hookInternal( 112 method: MethodHandle, 113 pattern: String?, 114 hasCanonEqFlag: Boolean, 115 hookId: Int, 116 vararg args: Any? 117 ): Any? { 118 if (hasCanonEqFlag && pattern != null) { 119 // With CANON_EQ enabled, Pattern.compile allocates an array with a size that is 120 // (super-)exponential in the number of consecutive Unicode combining marks. We use a mild case 121 // of this as a magic string based on which we trigger a finding. 122 // Note: The fuzzer might trigger an OutOfMemoryError or NegativeArraySizeException (if the size 123 // of the array overflows an int) by chance before it correctly emits this "exploit". In that 124 // case, we report the original exception instead. 125 if (pattern.contains(CANON_EQ_ALMOST_EXPLOIT)) { 126 Jazzer.reportFindingFromHook( 127 FuzzerSecurityIssueLow( 128 """Regular Expression Injection with CANON_EQ 129 When java.util.regex.Pattern.compile is used with the Pattern.CANON_EQ flag, 130 every injection into the regular expression pattern can cause arbitrarily large 131 memory allocations, even when wrapped with Pattern.quote(...).""" 132 ) 133 ) 134 } else { 135 Jazzer.guideTowardsContainment(pattern, CANON_EQ_ALMOST_EXPLOIT, hookId) 136 } 137 } 138 try { 139 return method.invokeWithArguments(*args).also { 140 // Only submit a fuzzer hint if no exception has been thrown. 141 if (!hasCanonEqFlag && pattern != null) { 142 Jazzer.guideTowardsContainment(pattern, FORCE_PATTERN_SYNTAX_EXCEPTION_PATTERN, hookId) 143 } 144 } 145 } catch (e: Exception) { 146 if (e is PatternSyntaxException) { 147 Jazzer.reportFindingFromHook( 148 FuzzerSecurityIssueLow( 149 """Regular Expression Injection 150 Regular expression patterns that contain unescaped untrusted input can consume 151 arbitrary amounts of CPU time. To properly escape the input, wrap it with 152 Pattern.quote(...).""", 153 e 154 ) 155 ) 156 } 157 throw e 158 } 159 } 160 } 161