author | Mark <mteffeteller@google.com> | 2023-06-21 22:47:10 +0000 |
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2023-06-21 22:47:10 +0000 |
commit | e73be1680dae58cb83d869104def1c59102d59b2 (patch) | |
tree | 68cf332a40b94b2d28b256b19b916f99220bb0c4 /sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/ExpressionLanguageInjection.kt | |
parent | ba37c2e361c2ba91bacc47fcae5383c52e50f6be (diff) | |
parent | 34a8e5c8aa0e14c79803a61c3eb7a66436482b18 (diff) | |
Sync jazzer in AOSP with upstream repo (new SHA: 30decf81a147c66fa5a098072c38ab6924ba0aa6) am: 9350e0ab03 am: 99d9a79746 am: 34a8e5c8aa
Original change: https://android-review.googlesource.com/c/platform/external/jazzer-api/+/2627336
Change-Id: I0f00e1cd356d2e6c7dc1b744fea8a898fd5714c6
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Diffstat (limited to 'sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/ExpressionLanguageInjection.kt')
-rw-r--r-- | sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/ExpressionLanguageInjection.kt | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/ExpressionLanguageInjection.kt b/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/ExpressionLanguageInjection.kt
index 1dc1d5f0..a60c088e 100644
--- a/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/ExpressionLanguageInjection.kt
+++ b/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/ExpressionLanguageInjection.kt
@@ -31,7 +31,13 @@ object ExpressionLanguageInjection {
      * Try to call the default constructor of the honeypot class.
      */
     private const val EXPRESSION_LANGUAGE_ATTACK =
-        "\${\"\".getClass().forName(\"$HONEYPOT_CLASS_NAME\").newInstance()}"
+        "\${Byte.class.forName(\"$HONEYPOT_CLASS_NAME\").getMethod(\"el\").invoke(null)}"
+
+    init {
+        require(EXPRESSION_LANGUAGE_ATTACK.length <= 64) {
+            "Expression language exploit must fit in a table of recent compares entry (64 bytes)"
+        }
+    }
 
     @MethodHooks(
         MethodHook(
@@ -60,8 +66,10 @@ object ExpressionLanguageInjection {
         method: MethodHandle?,
         thisObject: Any?,
         arguments: Array<Any>,
-        hookId: Int
+        hookId: Int,
     ) {
+        // The overloads taking a second string argument have either three or four arguments
+        if (arguments.size < 3) { return }
         val expression = arguments[1] as? String ?: return
         Jazzer.guideTowardsContainment(expression, EXPRESSION_LANGUAGE_ATTACK, hookId)
     }
@@ -76,15 +84,16 @@ object ExpressionLanguageInjection {
     @MethodHook(
         type = HookType.BEFORE,
         targetClassName = "javax.validation.ConstraintValidatorContext",
-        targetMethod = "buildConstraintViolationWithTemplate"
+        targetMethod = "buildConstraintViolationWithTemplate",
     )
     @JvmStatic
     fun hookBuildConstraintViolationWithTemplate(
         method: MethodHandle?,
         thisObject: Any?,
         arguments: Array<Any>,
-        hookId: Int
+        hookId: Int,
     ) {
+        if (arguments.size != 1) { return }
         val message = arguments[0] as String
         Jazzer.guideTowardsContainment(message, EXPRESSION_LANGUAGE_ATTACK, hookId)
     }
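Review bot: The KDoc kept as context above `EXPRESSION_LANGUAGE_ATTACK` still says the payload tries to call the honeypot class's default constructor, but the new string resolves the class through `Byte.class.forName` and calls its static `el` method via `getMethod("el").invoke(null)`, so the comment is now stale; I would change it to ` * Try to invoke the static el method of the honeypot class.`. The `require` in the new `init` block only runs when the object is first initialized, so an over-long payload would surface as an ExceptionInInitializerError at hook load rather than at build time, which is worth stating in a comment next to the check. `length` also counts UTF-16 units rather than bytes, which matches the 64-byte bound only as long as `HONEYPOT_CLASS_NAME` stays ASCII; a short comment such as `// length == byte count here because the payload is ASCII` would make that assumption explicit.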
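Review bot: The new guard `if (arguments.size < 3) { return }` wraps a single `return` in braces on one line, which ktlint-style Kotlin would flag; `if (arguments.size < 3) return` reads the same and matches the `?: return` form used on the very next line. The comment above it gives the arities but not why index 1 is the value taken, so I would extend it to `// Only the overloads whose second parameter is the expression string (three or four parameters) are hooked; shorter arities carry no expression to guide on.`. The hooked function's signature starts outside the hunk.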
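Review bot: `val message = arguments[0] as String` keeps an unchecked cast, so if the single argument is ever not a String the hook itself throws ClassCastException, whereas the sibling hook earlier in the file falls back with `as? String ?: return`; the new arity guard only covers the argument count, not its type. I would align the two: `val message = arguments[0] as? String ?: return`. This is a defensive consistency point rather than a known failure, since the hooked `buildConstraintViolationWithTemplate` is declared with a single String parameter. The enclosing object continues past the end of the hunk.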