chore: add more tests for the path traversal sanitizer

oetr · oetr · commit 18fbda6a93b6 · 2025-08-14T13:48:48.000+02:00
diff --git a/sanitizers/src/test/java/com/example/BUILD.bazel b/sanitizers/src/test/java/com/example/BUILD.bazel
@@ -88,6 +88,71 @@ java_fuzz_target_test(
     ],
 )
 
+[java_fuzz_target_test(
+    name = "FilePathTraversalPass_" + method,
+    srcs = [
+        "FilePathTraversalPass.java",
+    ],
+    env = {
+        "JAZZER_FUZZ": "1",
+    },
+    fuzzer_args = [
+        "-runs=0",
+    ],
+    target_class = "com.example.FilePathTraversalPass",
+    target_method = method,
+    verify_crash_reproducer = False,
+    runtime_deps = [
+        "@maven//:org_junit_jupiter_junit_jupiter_engine",
+    ],
+    deps = [
+        "//deploy:jazzer-junit",
+        "@maven//:org_junit_jupiter_junit_jupiter_api",
+    ],
+) for method in [
+    "beforeEachWorks",
+    "overwritingBeforeEachWorks",
+    "allow",
+    "targetMissed",
+    "onion",
+]]
+
+[java_fuzz_target_test(
+    name = "FilePathTraversalCrash_" + method,
+    srcs = [
+        "FilePathTraversalCrash.java",
+    ],
+    allowed_findings = [
+        "com.code_intelligence.jazzer.api.FuzzerSecurityIssueCritical",
+    ],
+    env = {
+        "JAZZER_FUZZ": "1",
+    },
+    expect_number_of_findings = 1,
+    fuzzer_args = [
+        "-runs=0",
+    ],
+    target_class = "com.example.FilePathTraversalCrash",
+    target_method = method,
+    verify_crash_reproducer = False,
+    runtime_deps = [
+        "@maven//:org_junit_jupiter_junit_jupiter_engine",
+    ],
+    deps = [
+        "//deploy:jazzer-junit",
+        "@maven//:org_junit_jupiter_junit_jupiter_api",
+    ],
+) for method in [
+    "beforeEachWorks",
+    "overwritingBeforeEachWorks",
+    "crashWhenAllowIsFalse",
+    "crashWhenDefaultTarget",
+    "onionTarget",
+    "cascadedTarget",
+    "absoluteToRelative",
+    "relativeToAbsolute",
+]]
+
 java_fuzz_target_test(
     name = "OsCommandInjectionProcessBuilder",
     srcs = [
diff --git a/sanitizers/src/test/java/com/example/FilePathTraversalCrash.java b/sanitizers/src/test/java/com/example/FilePathTraversalCrash.java
@@ -0,0 +1,128 @@
+/*
+ * Copyright 2025 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.example;
+
+import com.code_intelligence.jazzer.api.BugDetectors;
+import com.code_intelligence.jazzer.api.SilentCloseable;
+import com.code_intelligence.jazzer.junit.FuzzTest;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import org.junit.jupiter.api.BeforeEach;
+
+public class FilePathTraversalCrash {
+  @BeforeEach
+  public void setUp() {
+    BugDetectors.setFilePathTraversalTarget(() -> Paths.get("..", "..", "hello"));
+  }
+
+  @FuzzTest
+  void beforeEachWorks(boolean ignore) throws Exception {
+    tryPathTraversal("..", "..", "hello");
+  }
+
+  @FuzzTest
+  void overwritingBeforeEachWorks(boolean ignore) {
+    try (SilentCloseable unused = setTarget("..", "..", "jazzer-hey")) {
+      tryPathTraversal("..", "..", "jazzer-hey");
+    }
+  }
+
+  @FuzzTest
+  void crashWhenAllowIsFalse(boolean ignore) {
+    try (SilentCloseable unused = BugDetectors.setFilePathTraversalAllowPath((Path p) -> false)) {
+      tryPathTraversal("any-path-is-bad");
+    }
+  }
+
+  @FuzzTest
+  void crashWhenDefaultTarget(boolean ignore) {
+    try (SilentCloseable unused = BugDetectors.setFilePathTraversalAllowPath((Path p) -> true)) {
+      tryPathTraversal("..", "..", "hello");
+    }
+  }
+
+  @FuzzTest
+  void onionTarget(boolean ignore) {
+    try (SilentCloseable unused = setTarget("..", "..", "jazzer-hey")) {
+      try (SilentCloseable unused1 = setTarget("..", "..", "jazzer-hey1")) {
+        try (SilentCloseable unused2 = setTarget("..", "..", "jazzer-hey2")) {
+          tryPathTraversal("..", "..", "jazzer-hey2");
+        }
+      }
+    }
+  }
+
+  @FuzzTest
+  void cascadedTarget(boolean ignore) {
+    try (SilentCloseable ignore1 = setTarget("..", "..", "jazzer-hey")) {
+      // ignore
+    }
+    try (SilentCloseable ignore2 = setTarget("..", "..", "jazzer-hey1")) {
+      // ignore
+    }
+    try (SilentCloseable ignore3 = setTarget("..", "..", "jazzer-hey2")) {
+      tryPathTraversal("..", "..", "jazzer-hey2");
+    }
+  }
+
+  @FuzzTest
+  void absoluteToRelative(boolean ignore) {
+    final Path cwd = Paths.get("").toAbsolutePath();
+    final Path target = Paths.get("test", "A");
+    // set absolute target
+    try (SilentCloseable ignore1 = setTarget(cwd.resolve(target))) {
+      // try to read relative path
+      tryPathTraversal(target);
+    }
+  }
+
+  @FuzzTest
+  void relativeToAbsolute(boolean ignore) {
+    final Path cwd = Paths.get("").toAbsolutePath();
+    final Path target = Paths.get("test", "A");
+    // set relative target
+    try (SilentCloseable ignore1 = setTarget(target)) {
+      // try to read absolute path
+      tryPathTraversal(cwd.resolve(target));
+    }
+  }
+
+  private static SilentCloseable setTarget(String first, String... rest) {
+    return setTarget(Paths.get(first, rest));
+  }
+
+  private static SilentCloseable setTarget(Path p) {
+    return BugDetectors.setFilePathTraversalTarget(() -> p);
+  }
+
+  private static void tryPathTraversal(String part1, String... rest) {
+    Path path = Paths.get(part1, rest);
+    try (FileInputStream fis = new FileInputStream(path.toString())) {
+      fis.read();
+    } catch (NullPointerException | IOException ignored) {
+    }
+  }
+
+  private static void tryPathTraversal(Path path) {
+    try (FileInputStream fis = new FileInputStream(path.toString())) {
+      fis.read();
+    } catch (NullPointerException | IOException ignored) {
+    }
+  }
+}
diff --git a/sanitizers/src/test/java/com/example/FilePathTraversalPass.java b/sanitizers/src/test/java/com/example/FilePathTraversalPass.java
@@ -0,0 +1,107 @@
+/*
+ * Copyright 2025 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.example;
+
+import com.code_intelligence.jazzer.api.BugDetectors;
+import com.code_intelligence.jazzer.api.SilentCloseable;
+import com.code_intelligence.jazzer.junit.FuzzTest;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import org.junit.jupiter.api.BeforeEach;
+
+public class FilePathTraversalPass {
+  @BeforeEach
+  public void setUp() {
+    setTarget(Paths.get("..", "..", "hello"));
+  }
+
+  @FuzzTest
+  void beforeEachWorks(boolean ignore) {
+    tryPathTraversal("test");
+  }
+
+  @FuzzTest
+  void overwritingBeforeEachWorks(boolean ignore) {
+    try (SilentCloseable ignore1 = setTarget(Paths.get("..", "..", "jazzer-hey"))) {
+      tryPathTraversal("..", "..", "hello");
+    }
+  }
+
+  @FuzzTest
+  void allow(boolean ignore) {
+    try (SilentCloseable ignore1 =
+        BugDetectors.setFilePathTraversalAllowPath((Path p) -> p.toString().contains("secret"))) {
+      tryPathTraversal("my-secret-file");
+    }
+  }
+
+  @FuzzTest
+  void targetMissed(boolean ignore) {
+    try (SilentCloseable ignore1 =
+        BugDetectors.setFilePathTraversalAllowPath((Path ignoredAgain) -> true)) {
+      tryPathTraversal("some-path");
+    }
+  }
+
+  @FuzzTest
+  void onion(boolean ignore) {
+    final Path jazzerHello = Paths.get("..", "..", "hello");
+    final Path jazzerTest = Paths.get("test");
+    final Path jazzerHey = Paths.get("..", "..", "jazzer-hey");
+    final Path jazzerHey1 = Paths.get("..", "..", "jazzer-hey1");
+
+    try (SilentCloseable ignored = setTarget(jazzerHey)) {
+      tryPathTraversal(jazzerHello);
+      try (SilentCloseable ignored1 = setTarget(jazzerTest)) {
+        tryPathTraversal(jazzerHey);
+        try (SilentCloseable ignored2 = setTarget(jazzerHey1)) {
+          tryPathTraversal(jazzerTest);
+        }
+        tryPathTraversal(jazzerHey);
+        tryPathTraversal(jazzerHey1);
+      }
+      tryPathTraversal(jazzerTest);
+      tryPathTraversal(jazzerHey1);
+      tryPathTraversal(jazzerHello);
+    }
+  }
+
+  private static SilentCloseable setTarget(String first, String... rest) {
+    return setTarget(Paths.get(first, rest));
+  }
+
+  private static SilentCloseable setTarget(Path p) {
+    return BugDetectors.setFilePathTraversalTarget(() -> p);
+  }
+
+  private static void tryPathTraversal(String first, String... rest) {
+    Path path = Paths.get(first, rest);
+    try (FileInputStream fis = new FileInputStream(path.toString())) {
+      fis.read();
+    } catch (NullPointerException | IOException ignored) {
+    }
+  }
+
+  private static void tryPathTraversal(Path path) {
+    try (FileInputStream fis = new FileInputStream(path.toString())) {
+      fis.read();
+    } catch (NullPointerException | IOException ignored) {
+    }
+  }
+}
