load("@io_bazel_rules_kotlin//kotlin:jvm.bzl", "kt_jvm_library") load("@fmeum_rules_jni//jni:defs.bzl", "java_jni_library") load("//bazel:compat.bzl", "SKIP_ON_MACOS", "SKIP_ON_WINDOWS") load("//bazel:fuzz_target.bzl", "java_fuzz_target_test") load("//bazel:kotlin.bzl", "ktlint") java_fuzz_target_test( name = "Autofuzz", allowed_findings = ["java.lang.ArrayIndexOutOfBoundsException"], fuzzer_args = [ "--autofuzz=com.google.json.JsonSanitizer::sanitize", ], runtime_deps = [ "@maven//:com_mikesamuel_json_sanitizer", ], ) java_fuzz_target_test( name = "ExampleFuzzer", srcs = ["src/main/java/com/example/ExampleFuzzer.java"], allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium"], hook_jar = "ExampleFuzzerHooks_deploy.jar", target_class = "com.example.ExampleFuzzer", # Does not crash due to not using the hook. verify_crash_reproducer = False, ) java_binary( name = "ExampleFuzzerHooks", srcs = ["src/main/java/com/example/ExampleFuzzerHooks.java"], create_executable = False, # Comment out the next line to keep the ExampleFuzzer running indefinitely - without the hook, it will never be able # to pass the comparison with the random number. deploy_manifest_lines = ["Jazzer-Hook-Classes: com.example.ExampleFuzzerHooks"], deps = ["//src/main/java/com/code_intelligence/jazzer/api:hooks"], ) java_jni_library( name = "example_fuzzer_with_native_lib", srcs = [ "src/main/java/com/example/ExampleFuzzerWithNative.java", ], native_libs = [ "//examples/src/main/native/com/example:native_asan", "//examples/src/main/native/com/example:native_ubsan", ], visibility = ["//examples/src/main/native/com/example:__pkg__"], deps = [ "//deploy:jazzer-api", ], ) java_fuzz_target_test( name = "ExampleFuzzerWithASan", allowed_findings = ["native"], env = {"EXAMPLE_NATIVE_LIB": "native_asan"}, env_inherit = ["CC"], fuzzer_args = [ "--asan", ], # The shell launcher generated by Jazzer is killed in CI, even with codesigning disabled on the # Java binary. This is not reproducible locally or with JDK 17. tags = ["no-macos-x86_64-jdk8"], target_class = "com.example.ExampleFuzzerWithNative", target_compatible_with = SKIP_ON_WINDOWS, verify_crash_reproducer = False, runtime_deps = [ ":example_fuzzer_with_native_lib", ], ) java_fuzz_target_test( name = "ExampleFuzzerWithUBSan", allowed_findings = ["native"], env = {"EXAMPLE_NATIVE_LIB": "native_ubsan"}, env_inherit = ["CC"], fuzzer_args = [ "--ubsan", ], # The shell launcher generated by Jazzer is killed in CI, even with codesigning disabled on the # Java binary. This is not reproducible locally or with JDK 17. tags = ["no-macos-x86_64-jdk8"], target_class = "com.example.ExampleFuzzerWithNative", # Crashes at runtime without an error message. target_compatible_with = SKIP_ON_WINDOWS, verify_crash_reproducer = False, runtime_deps = [ ":example_fuzzer_with_native_lib", ], ) java_binary( name = "ExamplePathTraversalFuzzerHooks", srcs = ["src/main/java/com/example/ExamplePathTraversalFuzzerHooks.java"], create_executable = False, deploy_manifest_lines = ["Jazzer-Hook-Classes: com.example.ExamplePathTraversalFuzzerHooks"], deps = ["//src/main/java/com/code_intelligence/jazzer/api:hooks"], ) java_fuzz_target_test( name = "ExamplePathTraversalFuzzer", srcs = [ "src/main/java/com/example/ExamplePathTraversalFuzzer.java", ], allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh"], hook_jar = "ExamplePathTraversalFuzzerHooks_deploy.jar", target_class = "com.example.ExamplePathTraversalFuzzer", verify_crash_reproducer = False, ) java_fuzz_target_test( name = "ExampleValueProfileFuzzer", srcs = [ "src/main/java/com/example/ExampleValueProfileFuzzer.java", ], allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"], # Comment out the next line to keep the fuzzer running indefinitely. fuzzer_args = ["-use_value_profile=1"], target_class = "com.example.ExampleValueProfileFuzzer", ) java_fuzz_target_test( name = "MazeFuzzer", srcs = [ "src/main/java/com/example/MazeFuzzer.java", ], allowed_findings = ["com.example.MazeFuzzer$$TreasureFoundException"], fuzzer_args = ["-use_value_profile=1"], target_class = "com.example.MazeFuzzer", ) java_fuzz_target_test( name = "ExampleOutOfMemoryFuzzer", timeout = "short", srcs = [ "src/main/java/com/example/ExampleOutOfMemoryFuzzer.java", ], allowed_findings = [ "com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow", "java.lang.OutOfMemoryError", ], fuzzer_args = ["--jvm_args=-Xmx512m"], target_class = "com.example.ExampleOutOfMemoryFuzzer", ) java_fuzz_target_test( name = "ExampleStackOverflowFuzzer", srcs = [ "src/main/java/com/example/ExampleStackOverflowFuzzer.java", ], allowed_findings = [ "com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow", "java.lang.StackOverflowError", ], target_class = "com.example.ExampleStackOverflowFuzzer", # Crashes with a segfault before any stack trace printing is reached. target_compatible_with = SKIP_ON_MACOS, ) # WARNING: This fuzz target uses a vulnerable version of log4j, which could result in the execution # of arbitrary code during fuzzing if executed with an older JDK. Use at your own risk. java_fuzz_target_test( name = "Log4jFuzzer", timeout = "long", srcs = [ "src/main/java/com/example/Log4jFuzzer.java", ], fuzzer_args = [ "-fork=4", "-use_value_profile=1", ], # Finding this bug takes ~5 minutes on a decent laptop, but the GitHub Actions machines are not # powerful enough to run it as part of our test suite. tags = ["manual"], target_class = "com.example.Log4jFuzzer", deps = [ "@maven//:org_apache_logging_log4j_log4j_api", "@maven//:org_apache_logging_log4j_log4j_core", ], ) java_fuzz_target_test( name = "JpegImageParserFuzzer", size = "enormous", srcs = [ "src/main/java/com/example/JpegImageParserFuzzer.java", ], allowed_findings = ["java.lang.NegativeArraySizeException"], fuzzer_args = [ "-fork=2", ], tags = ["exclusive-if-local"], target_class = "com.example.JpegImageParserFuzzer", # The exit codes of the forked libFuzzer processes are not picked up correctly. target_compatible_with = SKIP_ON_MACOS, deps = [ "@maven//:org_apache_commons_commons_imaging", ], ) java_fuzz_target_test( name = "GifImageParserFuzzer", srcs = [ "src/main/java/com/example/GifImageParserFuzzer.java", ], allowed_findings = [ "java.lang.ArrayIndexOutOfBoundsException", "java.lang.IllegalArgumentException", "java.lang.OutOfMemoryError", ], target_class = "com.example.GifImageParserFuzzer", deps = [ "@maven//:org_apache_commons_commons_imaging", ], ) java_fuzz_target_test( name = "TiffImageParserFuzzer", srcs = [ "src/main/java/com/example/TiffImageParserFuzzer.java", ], tags = ["manual"], target_class = "com.example.TiffImageParserFuzzer", deps = [ "@maven//:org_apache_commons_commons_imaging", ], ) java_fuzz_target_test( name = "JsonSanitizerCrashFuzzer", srcs = [ "src/main/java/com/example/JsonSanitizerCrashFuzzer.java", ], allowed_findings = ["java.lang.IndexOutOfBoundsException"], target_class = "com.example.JsonSanitizerCrashFuzzer", deps = [ "@maven//:com_mikesamuel_json_sanitizer", ], ) java_fuzz_target_test( name = "JsonSanitizerDenylistFuzzer", srcs = [ "src/main/java/com/example/JsonSanitizerDenylistFuzzer.java", ], allowed_findings = ["java.lang.AssertionError"], target_class = "com.example.JsonSanitizerDenylistFuzzer", deps = [ "@maven//:com_mikesamuel_json_sanitizer", ], ) java_binary( name = "JsonSanitizerReplayerCrash", data = [ ":json_sanitizer_denylist_crash", ], main_class = "com.code_intelligence.jazzer.replay.Replayer", runtime_deps = [ ":JsonSanitizerDenylistFuzzer_target_deploy.jar", "//src/main/java/com/code_intelligence/jazzer/replay:Replayer_deploy.jar", ], ) sh_test( name = "JsonSanitizerReplayerCrashTest", srcs = ["check_for_finding.sh"], args = [ "jazzer/$(rootpath :JsonSanitizerReplayerCrash)", "com.example.JsonSanitizerDenylistFuzzer", "jazzer/$(rootpath :json_sanitizer_denylist_crash)", ], data = [ ":JsonSanitizerReplayerCrash", ":json_sanitizer_denylist_crash", ], deps = [ "@bazel_tools//tools/bash/runfiles", ], ) java_fuzz_target_test( name = "JsonSanitizerIdempotenceFuzzer", srcs = [ "src/main/java/com/example/JsonSanitizerIdempotenceFuzzer.java", ], allowed_findings = ["java.lang.AssertionError"], target_class = "com.example.JsonSanitizerIdempotenceFuzzer", deps = [ "@maven//:com_mikesamuel_json_sanitizer", ], ) java_fuzz_target_test( name = "JsonSanitizerValidJsonFuzzer", srcs = [ "src/main/java/com/example/JsonSanitizerValidJsonFuzzer.java", ], allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"], target_class = "com.example.JsonSanitizerValidJsonFuzzer", deps = [ "@maven//:com_google_code_gson_gson", "@maven//:com_mikesamuel_json_sanitizer", ], ) java_fuzz_target_test( name = "JacksonCborFuzzer", srcs = [ "src/main/java/com/example/JacksonCborFuzzer.java", ], allowed_findings = ["java.lang.NullPointerException"], target_class = "com.example.JacksonCborFuzzer", deps = [ "@maven//:com_fasterxml_jackson_core_jackson_core", "@maven//:com_fasterxml_jackson_core_jackson_databind", "@maven//:com_fasterxml_jackson_dataformat_jackson_dataformat_cbor", ], ) java_fuzz_target_test( name = "FastJsonFuzzer", srcs = [ "src/main/java/com/example/FastJsonFuzzer.java", ], allowed_findings = ["java.lang.NumberFormatException"], target_class = "com.example.FastJsonFuzzer", deps = [ "@maven//:com_alibaba_fastjson", ], ) kt_jvm_library( name = "KlaxonFuzzTarget", srcs = [ "src/main/java/com/example/KlaxonFuzzer.kt", ], deps = [ "//deploy:jazzer-api", "@maven//:com_beust_klaxon", ], ) java_fuzz_target_test( name = "KlaxonFuzzer", allowed_findings = [ "java.lang.ClassCastException", "java.lang.IllegalStateException", "java.lang.NumberFormatException", "java.lang.NullPointerException", ], fuzzer_args = [ "--keep_going=7", ], target_class = "com.example.KlaxonFuzzer", runtime_deps = [":KlaxonFuzzTarget"], ) kt_jvm_library( name = "ExampleKotlinFuzzTarget", srcs = [ "src/main/java/com/example/ExampleKotlinFuzzer.kt", ], deps = [ "//deploy:jazzer-api", ], ) java_fuzz_target_test( name = "ExampleKotlinFuzzer", allowed_findings = [ "com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium", ], target_class = "com.example.ExampleKotlinFuzzer", runtime_deps = [":ExampleKotlinFuzzTarget"], ) kt_jvm_library( name = "ExampleKotlinValueProfileFuzzTarget", srcs = [ "src/main/java/com/example/ExampleKotlinValueProfileFuzzer.kt", ], deps = [ "//deploy:jazzer-api", ], ) java_fuzz_target_test( name = "ExampleKotlinValueProfileFuzzer", allowed_findings = [ "com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium", ], fuzzer_args = [ "-use_value_profile=1", ], target_class = "com.example.ExampleKotlinValueProfileFuzzer", runtime_deps = [":ExampleKotlinValueProfileFuzzTarget"], ) java_fuzz_target_test( name = "TurboJpegFuzzer", srcs = [ "src/main/java/com/example/TurboJpegFuzzer.java", ], data = [ "@libjpeg_turbo//:turbojpeg_native", ], fuzzer_args = [ "-rss_limit_mb=8196", "--jvm_args=-Djava.library.path=../libjpeg_turbo", "--ubsan", ], tags = ["manual"], target_class = "com.example.TurboJpegFuzzer", deps = [ "@libjpeg_turbo//:turbojpeg_java", ], ) java_binary( name = "examples", create_executable = False, visibility = ["//visibility:public"], runtime_deps = [ ":ExampleFuzzer_target_deploy.jar", ":ExampleValueProfileFuzzer_target_deploy.jar", ":FastJsonFuzzer_target_deploy.jar", ":JacksonCborFuzzer_target_deploy.jar", ":JpegImageParserFuzzer_target_deploy.jar", ":JsonSanitizerDenylistFuzzer_target_deploy.jar", ], ) ktlint()