1 // Copyright 2022 Code Intelligence GmbH 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package com.example; 16 17 import com.code_intelligence.jazzer.api.FuzzedDataProvider; 18 import java.io.*; 19 import javax.xml.parsers.*; 20 import javax.xml.xpath.*; 21 import org.w3c.dom.Document; 22 import org.xml.sax.*; 23 24 public class XPathInjection { 25 static Document doc = null; 26 static XPath xpath = null; 27 fuzzerInitialize()28 public static void fuzzerInitialize() throws Exception { 29 String xmlFile = "<user name=\"user\" pass=\"pass\"></user>"; 30 31 DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance(); 32 domFactory.setNamespaceAware(true); 33 DocumentBuilder builder = domFactory.newDocumentBuilder(); 34 doc = builder.parse(new InputSource(new StringReader(xmlFile))); 35 36 XPathFactory xpathFactory = XPathFactory.newInstance(); 37 xpath = xpathFactory.newXPath(); 38 } 39 unsafeEval(String user, String pass)40 public static void unsafeEval(String user, String pass) { 41 if (user != null && pass != null) { 42 String expression = "/user[@name='" + user + "' and @pass='" + pass + "']"; 43 try { 44 xpath.evaluate(expression, doc, XPathConstants.BOOLEAN); 45 } catch (XPathExpressionException e) { 46 } 47 } 48 } 49 fuzzerTestOneInput(FuzzedDataProvider data)50 public static void fuzzerTestOneInput(FuzzedDataProvider data) { 51 unsafeEval(data.consumeString(20), data.consumeRemainingAsString()); 52 } 53 } 54