Expand spring-security fuzzing (#8354)
* Expand spring-security fuzzing * remove comment from debugging that is now misleading the reader (#20)
1 parent
655774f
commit 8ad0622
Showing
6 changed files
with
142 additions
and
5 deletions.
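--- /dev/null
+++ b/projects/spring-security/EncodingUtilsConcatenateFuzzer.java
@@ -0,0 +1,28 @@
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+
+import org.springframework.security.crypto.util.EncodingUtils;
+
+public class EncodingUtilsConcatenateFuzzer {
+    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+        final byte[][] arrayOfByteArrays = getArrayOfByteArrays(data);
+
+        EncodingUtils.concatenate(arrayOfByteArrays);
+    }
+
+    // Constants to reduce cases of fuzzer running out of memory
+    private final static int MIN_OUTER_LENGTH = 500;
+    private final static int MAX_OUTER_LENGTH = 1000;
+    private final static int MIN_INNER_LENGTH = 320;
+    private final static int MAX_INNER_LENGTH = 700;
+
+    private static byte[][] getArrayOfByteArrays(FuzzedDataProvider data) {
+        final int numberOfArrays = data.consumeInt(MIN_OUTER_LENGTH, MAX_OUTER_LENGTH);
+        byte[][] arrayOfArrays = new byte[numberOfArrays][];
+
+        for (int i=0; i<numberOfArrays; i++) {
+            arrayOfArrays[i] = data.consumeBytes(data.consumeInt(MIN_INNER_LENGTH, MAX_INNER_LENGTH));
+        }
+
+        return arrayOfArrays;
+    }
+}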
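Review bot: The result of `EncodingUtils.concatenate(arrayOfByteArrays)` in `fuzzerTestOneInput` is discarded, so this fuzzer can only surface crashes and never a wrong concatenation; checking the returned length against the summed input lengths gives it a real oracle. `consumeBytes` presumably returns fewer bytes than requested once the provider runs dry, so the expected length has to be computed from the actual `array.length` values rather than the requested sizes. The check needs `import com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow;`, as the sibling fuzzers in this commit already use. The modifier order `private final static` would conventionally be written `private static final`.
```java
        final byte[] result = EncodingUtils.concatenate(arrayOfByteArrays);

        int expectedLength = 0;
        for (byte[] array : arrayOfByteArrays) {
            expectedLength += array.length;
        }
        if (result.length != expectedLength) {
            throw new FuzzerSecurityIssueLow(
                    "concatenate returned " + result.length + " bytes, expected " + expectedLength);
        }
```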
@@ -0,0 +1,22 @@ | ||
import com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow; | ||
|
||
import java.lang.CharSequence; | ||
|
||
import org.springframework.security.crypto.codec.Hex; | ||
|
||
public class HexFuzzer { | ||
public static void fuzzerTestOneInput(byte[] data) { | ||
final byte[] initialByteArray = data; | ||
final char[] encodedChars; | ||
|
||
try { | ||
encodedChars = Hex.encode(initialByteArray); | ||
|
||
if (! initialByteArray.toString().equals(Hex.decode(encodedChars.toString()))) { | ||
throw new FuzzerSecurityIssueLow("Hex value has changed during encoding and decoding"); | ||
} | ||
} catch (IllegalArgumentException err) { | ||
// ignore expected exceptions | ||
} | ||
} | ||
} |
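Review bot: The round-trip check `if (! initialByteArray.toString().equals(Hex.decode(encodedChars.toString())))` can never detect anything: `toString()` on a `byte[]` or `char[]` yields a type-and-identity string of the form `[B@<hash>`, so `Hex.decode` is handed non-hex text and throws the `IllegalArgumentException` that the catch block then swallows, and even if decoding returned, a `String` is never `equals` to a `byte[]`. The oracle is therefore dead and the fuzzer only reports crashes inside `Hex.encode`. Compare the arrays instead, `if (!Arrays.equals(initialByteArray, Hex.decode(new String(encodedChars))))`, with `import java.util.Arrays;`; once that is in place an `IllegalArgumentException` from decoding bytes the library itself just encoded is a finding, not an expected exception, so the catch should be narrowed to the `Hex.encode` call or dropped. The `import java.lang.CharSequence;` line is redundant because `java.lang` is imported implicitly.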
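--- /dev/null
+++ b/projects/spring-security/InMemoryUserDetailsManagerChangePasswordFuzzer.java
@@ -0,0 +1,63 @@
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+import com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow;
+import com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh;
+
+import java.util.List;
+
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+
+public class InMemoryUserDetailsManagerChangePasswordFuzzer {
+    private final static String USERNAME = "admin";
+    private final static String PASSWORD = "secret";
+    private final static String USER_ROLE = "ADMIN";
+    private static final List<GrantedAuthority> AUTHORITIES = AuthorityUtils.createAuthorityList(USER_ROLE);
+
+    private final static int LENGTH_PASSWORD = 500;
+
+    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+        // generating needed objects
+        final String generatedPassword01 = data.consumeString(LENGTH_PASSWORD);
+        final String generatedPassword02 = data.consumeRemainingAsString();
+
+        // check if the fuzzer generated useful data
+        if (generatedPassword01.equals(PASSWORD) || generatedPassword02.equals(PASSWORD)) {
+            return;
+        }
+
+        // create all the objects needed for fuzzing the InMemoryUserDetailsManager
+        final User user = new User(USERNAME, PASSWORD, AUTHORITIES);
+        final InMemoryUserDetailsManager userDetailsManager = new InMemoryUserDetailsManager(user);
+
+        // set the SecurityContext
+        // this makes it so that InMemoryUserDetailsManager.changePassword(old, new) never actually checks the old password
+        SecurityContextHolder.getContext().setAuthentication(
+                UsernamePasswordAuthenticationToken.authenticated(USERNAME, PASSWORD, AUTHORITIES));
+
+        try {
+            userDetailsManager.changePassword(generatedPassword01, generatedPassword02);
+
+            // check if the password was successfully changed
+            final String finalPassword = userDetailsManager.loadUserByUsername(USERNAME).getPassword();
+            if (PASSWORD.equals(finalPassword)) {
+                throw new FuzzerSecurityIssueHigh("Password was not changed to '" + finalPassword + "'");
+            }
+        } catch (UsernameNotFoundException err) {
+            throw new FuzzerSecurityIssueLow("The user disappeared from the InMemoryUserDetailsManager");
+        } catch (AccessDeniedException problem) {
+            // should not be thrown anymore
+            problem.printStackTrace();
+            throw problem;
+        }
+    }
+
+    public static void fuzzerTearDown() {
+        SecurityContextHolder.clearContext();
+    }
+}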
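Review bot: The success check `if (PASSWORD.equals(finalPassword))` only proves the stored password is no longer the seed value, and the message `"Password was not changed to '" + finalPassword + "'"` then reports the old password rather than the one that was requested. Comparing against the requested value is the stronger oracle: `if (!generatedPassword02.equals(finalPassword)) { throw new FuzzerSecurityIssueHigh("Password was not changed to the requested new value"); }`. With that check the early return on `generatedPassword01.equals(PASSWORD) || generatedPassword02.equals(PASSWORD)` becomes unnecessary, since a stored password equal to the requested one passes regardless of its value and the old-password argument is never verified in this setup. The comment above `SecurityContextHolder.getContext().setAuthentication(...)` credits the context with skipping the old-password check; as far as I recall it is the absence of a configured `AuthenticationManager` that skips that check while the context only supplies which user to change, so `// changePassword(...) takes the current user from the SecurityContext; with no AuthenticationManager configured it does not re-verify the old password` would be more accurate. `problem.printStackTrace()` before `throw problem;` is redundant, as the rethrown exception is reported by the fuzzer anyway.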
@@ -0,0 +1,23 @@ | ||
import com.code_intelligence.jazzer.api.FuzzedDataProvider; | ||
import com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow; | ||
|
||
import java.lang.CharSequence; | ||
|
||
import org.springframework.security.crypto.codec.Utf8; | ||
|
||
public class Utf8Fuzzer { | ||
public static void fuzzerTestOneInput(FuzzedDataProvider data) { | ||
final String initialString = data.consumeString(Integer.MAX_VALUE); | ||
final byte[] encodedBytes; | ||
|
||
try { | ||
encodedBytes = Utf8.encode(initialString); | ||
|
||
if (! initialString.equals(Utf8.decode(encodedBytes))) { | ||
throw new FuzzerSecurityIssueLow("Utf8 value has changed during encoding and decoding"); | ||
} | ||
} catch (IllegalArgumentException err) { | ||
// ignore expected exceptions | ||
} | ||
} | ||
} |
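Review bot: The `catch (IllegalArgumentException err)` block wraps both `Utf8.encode` and the decode-and-compare step, so a decode failure on bytes the library itself just produced is swallowed as an "expected exception" instead of being reported. Keep only the encode call inside the try, return when it rejects the input, and perform the comparison outside it so a failing round trip is visible. `data.consumeString(Integer.MAX_VALUE)` presumably consumes the whole remaining input; `data.consumeRemainingAsString()`, which the sibling fuzzer in this commit uses, states that intent directly. The `import java.lang.CharSequence;` line is redundant because `java.lang` is imported implicitly.
```java
        final byte[] encodedBytes;
        try {
            encodedBytes = Utf8.encode(initialString);
        } catch (IllegalArgumentException err) {
            // encode() rejected the input; that is expected behaviour, not a finding
            return;
        }

        if (!initialString.equals(Utf8.decode(encodedBytes))) {
            throw new FuzzerSecurityIssueLow("Utf8 value has changed during encoding and decoding");
        }
```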