1 files changed, 38 insertions, 0 deletions

diff --git a/projects/json-sanitizer/IdempotenceFuzzer.java b/projects/json-sanitizer/IdempotenceFuzzer.java
new file mode 100644
index 000000000..a42c91af9
--- /dev/null
+++ b/projects/json-sanitizer/IdempotenceFuzzer.java
@@ -0,0 +1,38 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+
+import com.google.json.JsonSanitizer;
+
+public class IdempotenceFuzzer {
+  public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+    String input = data.consumeRemainingAsString();
+    String output;
+    try {
+      output = JsonSanitizer.sanitize(input, 10);
+    } catch (ArrayIndexOutOfBoundsException e) {
+      // ArrayIndexOutOfBoundsException is expected if nesting depth is
+      // exceeded.
+      return;
+    }
+
+    // Ensure that sanitizing twice does not give different output
+    // (idempotence). Since failure to be idempotent is not a security issue in
+    // itself, fail with a regular AssertionError.
+    assert JsonSanitizer.sanitize(output).equals(output) : "Not idempotent";
+  }
+}