path traversal followup #943
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
oetr
force-pushed
the
CIF-1316-path-traversal-followup
branch
3 times, most recently
from
c675743 to
235057d
Compare
oetr
force-pushed
the
CIF-1316-path-traversal-followup
branch
2 times, most recently
from
c7e4b96 to
be1a252
Compare
oetr
force-pushed
the
CIF-1316-path-traversal-followup
branch
8 times, most recently
from
18fbda6 to
fa61ef4
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR adds an interface to control file path traversal sanitization, allowing users to set both a fuzzing target and a predicate to allow/deny file path access through the BugDetectors API.
Key changes:
- Adds
setFilePathTraversalTargetandsetFilePathTraversalAllowPathmethods to the BugDetectors API - Refactors the file path traversal sanitizer to use atomic references instead of system properties
- Introduces comprehensive test coverage for the new API
Reviewed Changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| BugDetectors.java | Adds new file path traversal configuration methods and refactors existing network connection logic |
| FilePathTraversal.java | Complete rewrite replacing system properties with atomic references and improving path handling |
| FilePathTraversalPass.java | New test file for valid path traversal scenarios |
| FilePathTraversalCrash.java | New test file for expected crashes and security findings |
| FilePathTraversalTest.java | Unit tests for path conversion utilities |
| AbsoluteFilePathTraversal.java | Updated to use new BugDetectors API |
| FilePathTraversal.java (test) | Simplified test to remove unused parameters |
| BUILD.bazel files | Updated test configurations and visibility rules |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/FilePathTraversal.java
Show resolved
Hide resolved
sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/FilePathTraversal.java
Show resolved
Hide resolved
florianGla
reviewed
Aug 15, 2025
sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/FilePathTraversal.java
Outdated
Show resolved
Hide resolved
florianGla
approved these changes
Aug 18, 2025
oetr
force-pushed
the
CIF-1316-path-traversal-followup
branch
from
fa61ef4 to
5b88bbf
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds an interface to control the file traversal sanitizer:
setFilePathTraversalTarget(Supplier<Path>)--- sets the fuzzing targetsetFilePathTraversalAllowPath(Predicate<Path>)--- a user function that allows/denies file path accessBoth can be used to confine the sanitizer configuration to a specific part of the fuzz test. As for example here: