Merge branch 'main' into fix-method-name-bug

Signed-off-by: Arthur Chan <[email protected]>

frontends/java/oss-fuzz-main.py

@@ -129,18 +129,7 @@ def run_introspector_frontend(target_class, jar_set):
       "NULL", # source directory
       "False", # Auto-fuzz switch
       """===jdk.*:java.*:javax.*:sun.*:sunw.*:com.sun.*:com.ibm.*:\
-com.apple.*:apple.awt.*===[java.lang.Runtime].exec:[javax.xml.xpath.XPath].compile:\
-[javax.xml.xpath.XPath].evaluate:[java.lang.Thread].run:[java.lang.Runnable].run:\
-[java.util.concurrent.Executor].execute:[java.util.concurrent.Callable].call:\
-[java.lang.System].console:[java.lang.System].load:[java.lang.System].loadLibrary:\
-[java.lang.System].apLibraryName:[java.lang.System].runFinalization:\
-[java.lang.System].setErr:[java.lang.System].setIn:[java.lang.System].setOut:\
-[java.lang.System].setProperties:[java.lang.System].setProperty:\
-[java.lang.System].setSecurityManager:[java.lang.ProcessBuilder].directory:\
-[java.lang.ProcessBuilder].inheritIO:[java.lang.ProcessBuilder].command:\
-[java.lang.ProcessBuilder].redirectError:[java.lang.ProcessBuilder].redirectErrorStream:\
-[java.lang.ProcessBuilder].redirectInput:[java.lang.ProcessBuilder].redirectOutput:\
-[java.lang.ProcessBuilder].start""" # include prefix === exclude prefix === sink functions
+com.apple.*:apple.awt.*===DEFAULT""" # include prefix === exclude prefix === sink functions
   ]
 
   print("Running command: [%s]" % " ".join(cmd))

frontends/java/run.sh

@@ -108,7 +108,7 @@ fi
 if [ -z $SINKMETHOD ]
 then
     echo "No sink method list defined, using default sink method list"
-    SINKMETHOD="[java.lang.Runtime].exec:[javax.xml.xpath.XPath].compile:[javax.xml.xpath.XPath].evaluate:[java.lang.Thread].run:[java.lang.Runnable].run:[java.util.concurrent.Executor].execute:[java.util.concurrent.Callable].call:[java.lang.System].console:[java.lang.System].load:[java.lang.System].loadLibrary:[java.lang.System].apLibraryName:[java.lang.System].runFinalization:[java.lang.System].setErr:[java.lang.System].setIn:[java.lang.System].setOut:[java.lang.System].setProperties:[java.lang.System].setProperty:[java.lang.System].setSecurityManager:[java.lang.ProcessBuilder].directory:[java.lang.ProcessBuilder].inheritIO:[java.lang.ProcessBuilder].command:[java.lang.ProcessBuilder].redirectError:[java.lang.ProcessBuilder].redirectErrorStream:[java.lang.ProcessBuilder].redirectInput:[java.lang.ProcessBuilder].redirectOutput:[java.lang.ProcessBuilder].start"
+    SINKMETHOD="DEFAULT"
 fi
 if [ -z $PACKAGEPREFIX ]
 then

frontends/java/src/main/java/ossf/fuzz/introspector/soot/CallGraphGenerator.java

@@ -16,6 +16,8 @@
 package ossf.fuzz.introspector.soot;
 
 import java.io.File;
+import java.io.InputStream;
+import java.io.IOException;
 import java.util.Arrays;
 import java.util.LinkedList;
 import java.util.List;
@@ -52,6 +54,16 @@ public static void main(String[] args) {
       includePrefix = args[7].split("===")[0];
       excludePrefix = args[7].split("===")[1];
       sinkMethod = args[7].split("===")[2];
+
+      // Retrieve default sink methods
+      if (sinkMethod.equals("DEFAULT")) {
+        try {
+          InputStream is = CallGraphGenerator.class.getResourceAsStream("/java_sinks");
+          sinkMethod = new String(is.readAllBytes());
+        } catch (IOException e) {
+          sinkMethod = "";
+        }
+      }
     }
     if (jarFiles.size() < 1) {
       System.err.println("Invalid jarFiles");

frontends/java/src/main/java/ossf/fuzz/introspector/soot/SootSceneTransformer.java

@@ -36,6 +36,7 @@
 import ossf.fuzz.introspector.soot.utils.CalculationUtils;
 import ossf.fuzz.introspector.soot.utils.CalltreeUtils;
 import ossf.fuzz.introspector.soot.utils.EdgeUtils;
+import ossf.fuzz.introspector.soot.utils.SinkDiscoveryUtils;
 import ossf.fuzz.introspector.soot.yaml.Callsite;
 import ossf.fuzz.introspector.soot.yaml.FunctionConfig;
 import ossf.fuzz.introspector.soot.yaml.FunctionElement;
@@ -60,9 +61,11 @@ public class SootSceneTransformer extends SceneTransformer {
   private List<String> excludeMethodList;
   private List<String> projectClassList;
   private List<SootMethod> reachedSinkMethodList;
+  private List<SootMethod> fullSinkMethodList;
   private List<FunctionElement> depthHandled;
   private Map<String, Set<String>> edgeClassMap;
   private Map<String, Set<String>> sinkMethodMap;
+  private Map<SootClass, List<SootMethod>> projectClassMethodMap;
   private String entryClassStr;
   private String entryMethodStr;
   private SootMethod entryMethod;
@@ -91,8 +94,10 @@ public SootSceneTransformer(
     excludeMethodList = new LinkedList<String>();
     projectClassList = new LinkedList<String>();
     reachedSinkMethodList = new LinkedList<SootMethod>();
+    fullSinkMethodList = new LinkedList<SootMethod>();
     edgeClassMap = new HashMap<String, Set<String>>();
     sinkMethodMap = new HashMap<String, Set<String>>();
+    projectClassMethodMap = new HashMap<SootClass, List<SootMethod>>();
     methodList = new FunctionConfig();
     analyseFinished = false;
 
@@ -180,6 +185,7 @@ protected void internalTransform(String phaseName, Map<String, String> options)
       CalculationUtils.calculateAllCallDepth(this.methodList);
 
       if (!isAutoFuzz) {
+        fullSinkMethodList = SinkDiscoveryUtils.discoverAllSinks(sinkMethodMap, projectClassMethodMap);
         CalltreeUtils.addSinkMethods(this.methodList, this.reachedSinkMethodList, this.isAutoFuzz);
       }
 
@@ -230,6 +236,9 @@ private Map<SootClass, List<SootMethod>> generateClassMethodMap(
       SootClass c = classIterator.next();
       String cname = c.getName();
 
+      // Add data for the full project class method map
+      this.projectClassMethodMap.put(c, c.getMethods());
+
       // Check for a list of classes of prefixes that must handled
       for (String prefix : includeList) {
         if (cname.startsWith(prefix.replace("*", ""))) {

frontends/java/src/main/java/ossf/fuzz/introspector/soot/utils/SinkDiscoveryUtils.java

@@ -0,0 +1,55 @@
+// Copyright 2024 Fuzz Introspector Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+///////////////////////////////////////////////////////////////////////////
+
+package ossf.fuzz.introspector.soot.utils;
+
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import soot.SootClass;
+import soot.SootMethod;
+
+public class SinkDiscoveryUtils {
+  /**
+   * The method loop through all methods and classes for the target
+   * project and discover all sink methods existed in the project.
+   *
+   * @param sinkMethodMap the sink methods and classes to look for
+   * @param projectClassMethodMap all methods and classes in the project
+   * @return a list of sink methods exist in the project
+   */
+  public static List<SootMethod> discoverAllSinks(Map<String, Set<String>> sinkMethodMap, Map<SootClass, List<SootMethod>> projectClassMethodMap) {
+    List<SootMethod> sinkMethods = new LinkedList<SootMethod>();
+
+    // Loop through all classes and methods of the project
+    for (SootClass c : projectClassMethodMap.keySet()) {
+      // Only process classes with sink methods
+      if (sinkMethodMap.containsKey(c.getName())) {
+        // Temporary SootMethod list to avoid concurrent modification
+        List<SootMethod> mList = new LinkedList<SootMethod>();
+        mList.addAll(projectClassMethodMap.get(c));
+        for (SootMethod m : mList) {
+          if (sinkMethodMap.get(c.getName()).contains(m.getName())) {
+            // Add the found sink method to the result list
+            sinkMethods.add(m);
+          }
+        }
+      }
+    }
+
+    return sinkMethods;
+  }
+}

frontends/java/src/main/resources/java_sinks

@@ -0,0 +1 @@
+[javax.servlet.http.HttpServletRequest].getDateHeader:[java.sql.Statement].executeLargeUpdate:[org.apache.commons.io.FileUtils].moveFile:[org.apache.commons.io.FileUtils].copyToFile:[org.apache.commons.io.FileUtils].copyFileToDirectory:[javax.servlet.http.HttpServletRequest].getMethod:[org.apache.commons.io.FileUtils].copyURLToFile:[javax.servlet.http.HttpServletRequest].getParameterValues:[java.lang.System].getProperties:[org.apache.commons.io.file.PathUtils].cleanDirectory:[java.lang.System].mapLibraryName:[javax.servlet.http.HttpServletRequest].getCharacterEncoding:[javax.servlet.http.HttpServletRequest].getIntHeader:[java.lang.ProcessBuilder].directory:[javax.persistence.EntityManager].createNativeQuery:[java.lang.ProcessBuilder].command:[java.lang.System].getProperty:[java.io.File].<init>:[org.apache.commons.io.file.PathUtils].copyFile:[java.lang.ProcessBuilder].redirectError:[java.io.OutputStream].write:[org.apache.commons.io.file.PathUtils].deleteDirectory:[javax.servlet.http.HttpServletRequest].getContentType:[org.apache.commons.io.FileUtils].copyToDirectory:[org.apache.commons.io.FileUtils].copyDirectory:[java.lang.ProcessBuilder].start:[java.lang.ProcessBuilder].inheritIO:[org.apache.commons.io.FileUtils].copyInputStreamToFile:[java.util.concurrent.Executor].execute:[org.apache.commons.io.FileUtils].deleteQuitely:[org.apache.commons.io.FileUtils].forceMkdir:[java.lang.ProcessBuilder].redirectOutput:[java.io.File].renameTo:[javax.xml.xpath.XPath].compile:[java.io.InputStream].<init>:[javax.servlet.http.HttpServletRequest].getHeaderNames:[org.apache.commons.io.FileUtils].writeByteArrayToFile:[java.nio.file.Files].createLink:[org.apache.commons.io.FileUtils].openOutputStream:[java.io.PrintWriter].println:[java.lang.System].exec:[javax.servlet.http.HttpServletRequest].getParts:[java.util.concurrent.Callable].call:[javax.servlet.http.HttpServletRequest].getParameter:[java.io.File].deleteOnExit:[java.lang.ProcessBuilder].redirectErrorStream:[javax.servlet.http.HttpServletRequest].getRequestURI:[java.nio.file.Files].createDirectory:[org.apache.commons.io.FileUtils].forceDeleteOnExit:[java.lang.System].getSecurityManager:[javax.servlet.http.HttpServletRequest].getCookies:[java.io.File].delete:[org.apache.commons.io.FileUtils].cleanDirectory:[org.apache.commons.io.FileUtils].forceDelete:[org.apache.commons.io.file.PathUtils].delete:[java.io.BufferedReader].<init>:[java.io.PrintWriter].printf:[javax.servlet.http.HttpServletRequest].getAttributeNames:[java.lang.ProcessBuilder].redirectInput:[org.apache.commons.io.FileUtils].delete:[javax.servlet.http.HttpServletRequest].getPathInfo:[java.nio.file.Files].delete:[org.apache.commons.io.FileUtils].forceMkdirParent:[javax.servlet.http.HttpServletRequest].getPathTranslated:[java.lang.System].getenv:[org.apache.commons.io.file.PathUtils].deleteFile:[org.apache.commons.io.FileUtils].moveDirectoryToDirectory:[java.nio.file.Files].createSymbolicLink:[java.nio.file.Paths].get:[javax.servlet.http.HttpServletRequest].getContextPath:[java.nio.file.Files].deleteIfExists:[javax.servlet.http.HttpServletRequest].getAttribute:[java.sql.Statement].executeUpdate:[javax.servlet.http.HttpServletRequest].getPart:[java.io.PrintWriter].write:[java.nio.file.Files].write:[java.nio.file.Files].createTempDirectory:[java.lang.System].runFinalization:[java.sql.Statement].executeLargeBatch:[java.nio.file.Files].createFile:[java.nio.file.Files].createTempFile:[java.nio.file.Files].find:[java.lang.System].loadLibrary:[org.apache.commons.io.FileUtils].write:[javax.xml.xpath.XPath].evaluate:[org.apache.commons.io.FileUtils].deleteDirectory:[java.nio.file.Files].createDirectories:[org.apache.commons.io.FileUtils].moveDirectory:[javax.servlet.http.HttpServletRequest].getRemoteUser:[javax.servlet.http.HttpServletRequest].getQueryString:[org.springframework.security.config.annotation.web.builders.HttpSecurity].csrf:[org.apache.commons.io.file.PathUtils].copyDirectory:[java.sql.Statement].executeQuery:[java.io.File].createTempFile:[javax.servlet.http.HttpServletRequest].getRequestedSessionId:[javax.servlet.http.HttpServletRequest].getParameterMap:[java.io.InputStream].read:[java.nio.file.Files].move:[java.sql.Statement].addBatch:[org.apache.commons.io.FileUtils].writeLines:[org.apache.commons.io.FileUtils].moveFileToDirectory:[java.lang.System].console:[java.io.BufferedWriter].write:[java.sql.Statement].executeBatch:[javax.servlet.http.HttpServletRequest].getRequestURL:[org.apache.commons.io.FileUtils].newOutputStream:[java.io.PrintWriter].print:[javax.persistence.EntityManager].createStoredProcedureQuery:[javax.servlet.http.HttpServletRequest].getParameterNames:[org.apache.commons.io.FileUtils].writeStringToFile:[java.io.BufferedReader].readLine:[java.lang.Runtime].exec:[java.io.File].createNewFile:[java.sql.Statement].execute:[org.apache.commons.io.FileUtils].createParentDirectories:[javax.servlet.http.HttpServletRequest].getAuthType:[javax.servlet.http.HttpServletRequest].getHeader:[org.apache.commons.io.file.PathUtils].copyFileToDirectory:[java.lang.System].load:[java.io.BufferedReader].read:[javax.persistence.EntityManager].createQuery:[org.apache.commons.io.FileUtils].copyFile:[org.apache.commons.io.FileUtils].moveToDirectory

src/fuzz_introspector/analyses/sinks_analyser.py

@@ -626,6 +626,7 @@ def analysis_func(self,
                   "is only shown if there is fuzzer statically reached the "
                   "target sink function but failed to reach it dynamically.")])
 
+
             html_string += html_rows
             html_string += "</table>"
 

tools/web-fuzzing-introspection/requirements.txt

@@ -1,7 +1,7 @@
 click==8.1.3
 Flask==2.2.5
 itsdangerous==2.1.2
-Jinja2==3.1.2
+Jinja2==3.1.3
 MarkupSafe==2.1.2
 Werkzeug==3.0.1
 requests==2.31.0