CodeIntelligenceTesting · oetr · Jan 19, 2025 · Jan 17, 2025 · Jan 17, 2025 · Jan 18, 2025
diff --git a/MODULE.bazel b/MODULE.bazel
@@ -6,7 +6,7 @@ module(name = "jazzer")
 # Kept up-to-date by Renovate
 ################################################################################
 
-bazel_dep(name = "abseil-cpp", version = "20230802.0.bcr.1")
+bazel_dep(name = "abseil-cpp", version = "20230802.1")
 bazel_dep(name = "apple_support", version = "1.11.1")
 bazel_dep(name = "bazel_jar_jar", version = "0.1.0")
 bazel_dep(name = "bazel_skylib", version = "1.7.1")
@@ -18,11 +18,20 @@ bazel_dep(name = "protobuf")
 bazel_dep(name = "rules_android", version = "0.1.1")
 bazel_dep(name = "rules_android_ndk", version = "0.1.2")
 bazel_dep(name = "rules_foreign_cc", version = "0.11.1")
-bazel_dep(name = "rules_java", version = "7.7.0")
+bazel_dep(name = "rules_java", version = "7.12.2")
 bazel_dep(name = "rules_jni", version = "0.9.1")
-bazel_dep(name = "rules_jvm_external", version = "6.2")
-bazel_dep(name = "rules_kotlin", version = "1.9.5")
-bazel_dep(name = "rules_license", version = "0.0.8")
+bazel_dep(name = "rules_jvm_external")
+
+# TODO: Remove after the next release.
+archive_override(
+    module_name = "rules_jvm_external",
+    integrity = "sha256-7AerLOLhQ+oIDH2id7OE8WJmbH01MqBWV4CbqJ6Nh68=",
+    strip_prefix = "rules_jvm_external-a1d4e4f4267c1797b686719aa385e707b732c541",
+    urls = ["https://github.com/bazelbuild/rules_jvm_external/archive/a1d4e4f4267c1797b686719aa385e707b732c541.tar.gz"],
+)
+
+bazel_dep(name = "rules_kotlin", version = "1.9.6")
+bazel_dep(name = "rules_license", version = "1.0.0")
 bazel_dep(name = "rules_pkg", version = "0.9.1")
 bazel_dep(name = "toolchains_llvm", version = "0.10.3")
 

diff --git a/examples/src/main/java/com/example/ExampleKotlinFuzzer.kt b/examples/src/main/java/com/example/ExampleKotlinFuzzer.kt
@@ -20,13 +20,16 @@ import com.code_intelligence.jazzer.api.FuzzedDataProvider
 import com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium
 
 object ExampleKotlinFuzzer {
-
     @JvmStatic
     fun fuzzerTestOneInput(data: FuzzedDataProvider) {
         exploreMe(data.consumeString(8), data.consumeInt(), data.consumeRemainingAsString())
     }
 
-    private fun exploreMe(prefix: String, n: Int, suffix: String) {
+    private fun exploreMe(
+        prefix: String,
+        n: Int,
+        suffix: String,
+    ) {
         if (prefix.findAnyOf(arrayListOf("Fuzz", "Test")) != null) {
             if (n >= 2000000) {
                 if (suffix.startsWith("@")) {

diff --git a/examples/src/main/java/com/example/ExampleKotlinValueProfileFuzzer.kt b/examples/src/main/java/com/example/ExampleKotlinValueProfileFuzzer.kt
@@ -20,7 +20,6 @@ import com.code_intelligence.jazzer.api.FuzzedDataProvider
 import com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium
 
 object ExampleKotlinValueProfileFuzzer {
-
     @JvmStatic
     fun fuzzerTestOneInput(data: FuzzedDataProvider) {
         if (data.consumeInt().compareTo(0x11223344) != 0) {
@@ -33,7 +32,5 @@ object ExampleKotlinValueProfileFuzzer {
         }
     }
 
-    private fun encrypt(n: Long): Long {
-        return n.xor(0x1122334455667788)
-    }
+    private fun encrypt(n: Long): Long = n.xor(0x1122334455667788)
 }
diff --git a/examples/src/main/java/com/example/KlaxonFuzzer.kt b/examples/src/main/java/com/example/KlaxonFuzzer.kt
@@ -22,7 +22,6 @@ import com.code_intelligence.jazzer.api.FuzzedDataProvider
 
 // Reproduces https://github.com/cbeust/klaxon/pull/330
 object KlaxonFuzzer {
-
     @JvmStatic
     fun fuzzerTestOneInput(data: FuzzedDataProvider) {
         try {

diff --git a/format.sh b/format.sh
@@ -35,9 +35,9 @@ if [[ "${CI:-0}" == 0 ]]; then
     # Check which ktlint_tests failed and run the corresponding fix targets. This is much faster than
     # running all ktlint_fix targets when e.g. only a few or no .kt files changed.
     # shellcheck disable=SC2046
-    TARGETS_TO_RUN=$(bazel test --config=quiet $(bazel query --config=quiet 'kind(ktlint_test, //...)') | { grep FAILED || true; } | cut -f1 -d' ' | sed -e 's/:ktlint_test/:ktlint_fix/g')
+    TARGETS_TO_RUN=$(bazel test --config=quiet $(bazel query --config=quiet 'kind(ktlint_test, //...)') | { grep FAILED || true; } | cut -f1 -d' ' | sed -e 's/:ktlint_test/:ktlint_fix/g' || true)
     if [[ -n "${TARGETS_TO_RUN}" ]]; then
-        echo "$TARGETS_TO_RUN" | xargs -n 1 bazel run --config=quiet
+        echo "$TARGETS_TO_RUN" | xargs -I '{}' -n 1 bazel run --config=quiet {} -- --format
     fi
 
     # BUILD files

diff --git a/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/Deserialization.kt b/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/Deserialization.kt
@@ -33,7 +33,6 @@ import java.util.WeakHashMap
  */
 @Suppress("unused_parameter", "unused")
 object Deserialization {
-
     private val OBJECT_INPUT_STREAM_HEADER =
         ObjectStreamConstants.STREAM_MAGIC.toBytes() + ObjectStreamConstants.STREAM_VERSION.toBytes()
 
@@ -88,13 +87,19 @@ object Deserialization {
         targetMethodDescriptor = "(Ljava/io/InputStream;)V",
     )
     @JvmStatic
-    fun objectInputStreamInitBeforeHook(method: MethodHandle?, alwaysNull: Any?, args: Array<Any?>, hookId: Int) {
+    fun objectInputStreamInitBeforeHook(
+        method: MethodHandle?,
+        alwaysNull: Any?,
+        args: Array<Any?>,
+        hookId: Int,
+    ) {
         val originalInputStream = args[0] as? InputStream ?: return
-        val fixedInputStream = if (originalInputStream.markSupported()) {
-            originalInputStream
-        } else {
-            BufferedInputStream(originalInputStream)
-        }
+        val fixedInputStream =
+            if (originalInputStream.markSupported()) {
+                originalInputStream
+            } else {
+                BufferedInputStream(originalInputStream)
+            }
         args[0] = fixedInputStream
         guideMarkableInputStreamTowardsEquality(fixedInputStream, OBJECT_INPUT_STREAM_HEADER, hookId)
     }

diff --git a/...zers/src/main/java/com/code_intelligence/jazzer/sanitizers/ExpressionLanguageInjection.kt b/...zers/src/main/java/com/code_intelligence/jazzer/sanitizers/ExpressionLanguageInjection.kt
@@ -28,7 +28,6 @@ import java.lang.invoke.MethodHandle
  */
 @Suppress("unused_parameter", "unused")
 object ExpressionLanguageInjection {
-
     /**
      * Try to call the default constructor of the honeypot class.
      */
@@ -71,7 +70,9 @@ object ExpressionLanguageInjection {
         hookId: Int,
     ) {
         // The overloads taking a second string argument have either three or four arguments
-        if (arguments.size < 3) { return }
+        if (arguments.size < 3) {
+            return
+        }
         val expression = arguments[1] as? String ?: return
         Jazzer.guideTowardsContainment(expression, EXPRESSION_LANGUAGE_ATTACK, hookId)
     }
@@ -95,7 +96,9 @@ object ExpressionLanguageInjection {
         arguments: Array<Any>,
         hookId: Int,
     ) {
-        if (arguments.size != 1) { return }
+        if (arguments.size != 1) {
+            return
+        }
         val message = arguments[0] as String
         Jazzer.guideTowardsContainment(message, EXPRESSION_LANGUAGE_ATTACK, hookId)
     }

diff --git a/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/LdapInjection.kt b/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/LdapInjection.kt
@@ -44,13 +44,13 @@ import javax.naming.directory.InvalidSearchFilterException
  */
 @Suppress("unused_parameter", "unused")
 object LdapInjection {
-
     // Characters to escape in DNs
     private const val NAME_CHARACTERS = "\\+<>,;\"="
 
     // Characters to escape in search filter queries
     private const val FILTER_CHARACTERS = "*()\\\u0000"
 
+    @Suppress("ktlint:standard:max-line-length")
     @MethodHooks(
         // Single object lookup, possible DN injection
         MethodHook(
@@ -67,7 +67,6 @@ object LdapInjection {
             targetMethodDescriptor = "(Ljava/lang/String;Ljavax/naming.directory/Attributes;[Ljava/lang/Sting;)Ljavax/naming/NamingEnumeration;",
             additionalClassesToHook = ["javax.naming.directory.InitialDirContext"],
         ),
-
         // Object search, possible DN and search filter injection
         MethodHook(
             type = HookType.REPLACE,
@@ -92,7 +91,12 @@ object LdapInjection {
         ),
     )
     @JvmStatic
-    fun searchLdapContext(method: MethodHandle, thisObject: Any?, args: Array<Any>, hookId: Int): Any? {
+    fun searchLdapContext(
+        method: MethodHandle,
+        thisObject: Any?,
+        args: Array<Any>,
+        hookId: Int,
+    ): Any? {
         try {
             return method.invokeWithArguments(thisObject, *args).also {
                 (args[0] as? String)?.let { name ->

diff --git a/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/NamingContextLookup.kt b/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/NamingContextLookup.kt
@@ -26,7 +26,6 @@ import javax.naming.CommunicationException
 
 @Suppress("unused")
 object NamingContextLookup {
-
     // The particular URL g.co is used here since it is:
     // - short, which makes it easier for the fuzzer to incorporate into the input;
     // - valid, which means that a `lookup` call on it could actually result in RCE;
@@ -50,7 +49,12 @@ object NamingContextLookup {
         ),
     )
     @JvmStatic
-    fun lookupHook(method: MethodHandle?, thisObject: Any?, args: Array<Any?>, hookId: Int): Any {
+    fun lookupHook(
+        method: MethodHandle?,
+        thisObject: Any?,
+        args: Array<Any?>,
+        hookId: Int,
+    ): Any {
         val name = args[0] as? String ?: throw CommunicationException()
         if (name.startsWith(RMI_MARKER) || name.startsWith(LDAP_MARKER)) {
             Jazzer.reportFindingFromHook(

diff --git a/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/OsCommandInjection.kt b/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/OsCommandInjection.kt
@@ -33,7 +33,6 @@ import java.lang.invoke.MethodHandle
  */
 @Suppress("unused_parameter", "unused")
 object OsCommandInjection {
-
     // Short and probably non-existing command name
     private const val COMMAND = "jazze"
 
@@ -44,8 +43,15 @@ object OsCommandInjection {
         additionalClassesToHook = ["java.lang.ProcessBuilder"],
     )
     @JvmStatic
-    fun processImplStartHook(method: MethodHandle?, alwaysNull: Any?, args: Array<Any?>, hookId: Int) {
-        if (args.isEmpty()) { return }
+    fun processImplStartHook(
+        method: MethodHandle?,
+        alwaysNull: Any?,
+        args: Array<Any?>,
+        hookId: Int,
+    ) {
+        if (args.isEmpty()) {
+            return
+        }
         // Calling ProcessBuilder already checks if command array is empty
         @Suppress("UNCHECKED_CAST")
         (args[0] as? Array<String>)?.first().let { cmd ->

diff --git a/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/ReflectiveCall.kt b/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/ReflectiveCall.kt
@@ -30,25 +30,64 @@ import java.lang.invoke.MethodHandle
  */
 @Suppress("unused_parameter", "unused")
 object ReflectiveCall {
-
     @MethodHooks(
-        MethodHook(type = HookType.BEFORE, targetClassName = "java.lang.Class", targetMethod = "forName", targetMethodDescriptor = "(Ljava/lang/String;)Ljava/lang/Class;"),
-        MethodHook(type = HookType.BEFORE, targetClassName = "java.lang.Class", targetMethod = "forName", targetMethodDescriptor = "(Ljava/lang/String;ZLjava/lang/ClassLoader;)Ljava/lang/Class;"),
-        MethodHook(type = HookType.BEFORE, targetClassName = "java.lang.ClassLoader", targetMethod = "loadClass", targetMethodDescriptor = "(Ljava/lang/String;)Ljava/lang/Class;"),
-        MethodHook(type = HookType.BEFORE, targetClassName = "java.lang.ClassLoader", targetMethod = "loadClass", targetMethodDescriptor = "(Ljava/lang/String;Z)Ljava/lang/Class;"),
+        MethodHook(
+            type = HookType.BEFORE,
+            targetClassName = "java.lang.Class",
+            targetMethod = "forName",
+            targetMethodDescriptor = "(Ljava/lang/String;)Ljava/lang/Class;",
+        ),
+        MethodHook(
+            type = HookType.BEFORE,
+            targetClassName = "java.lang.Class",
+            targetMethod = "forName",
+            targetMethodDescriptor = "(Ljava/lang/String;ZLjava/lang/ClassLoader;)Ljava/lang/Class;",
+        ),
+        MethodHook(
+            type = HookType.BEFORE,
+            targetClassName = "java.lang.ClassLoader",
+            targetMethod = "loadClass",
+            targetMethodDescriptor = "(Ljava/lang/String;)Ljava/lang/Class;",
+        ),
+        MethodHook(
+            type = HookType.BEFORE,
+            targetClassName = "java.lang.ClassLoader",
+            targetMethod = "loadClass",
+            targetMethodDescriptor = "(Ljava/lang/String;Z)Ljava/lang/Class;",
+        ),
     )
     @JvmStatic
-    fun loadClassHook(method: MethodHandle?, alwaysNull: Any?, args: Array<Any?>, hookId: Int) {
+    fun loadClassHook(
+        method: MethodHandle?,
+        alwaysNull: Any?,
+        args: Array<Any?>,
+        hookId: Int,
+    ) {
         val className = args[0] as? String ?: return
         Jazzer.guideTowardsEquality(className, HONEYPOT_CLASS_NAME, hookId)
     }
 
     @MethodHooks(
-        MethodHook(type = HookType.BEFORE, targetClassName = "java.lang.Class", targetMethod = "forName", targetMethodDescriptor = "(Ljava/lang/Module;Ljava/lang/String;)Ljava/lang/Class;"),
-        MethodHook(type = HookType.BEFORE, targetClassName = "java.lang.ClassLoader", targetMethod = "loadClass", targetMethodDescriptor = "(Ljava/lang/Module;Ljava/lang/String;)Ljava/lang/Class;"),
+        MethodHook(
+            type = HookType.BEFORE,
+            targetClassName = "java.lang.Class",
+            targetMethod = "forName",
+            targetMethodDescriptor = "(Ljava/lang/Module;Ljava/lang/String;)Ljava/lang/Class;",
+        ),
+        MethodHook(
+            type = HookType.BEFORE,
+            targetClassName = "java.lang.ClassLoader",
+            targetMethod = "loadClass",
+            targetMethodDescriptor = "(Ljava/lang/Module;Ljava/lang/String;)Ljava/lang/Class;",
+        ),
     )
     @JvmStatic
-    fun loadClassWithModuleHook(method: MethodHandle?, alwaysNull: Any?, args: Array<Any?>, hookId: Int) {
+    fun loadClassWithModuleHook(
+        method: MethodHandle?,
+        alwaysNull: Any?,
+        args: Array<Any?>,
+        hookId: Int,
+    ) {
         val className = args[1] as? String ?: return
         Jazzer.guideTowardsEquality(className, HONEYPOT_CLASS_NAME, hookId)
     }
@@ -62,8 +101,15 @@ object ReflectiveCall {
         MethodHook(type = HookType.BEFORE, targetClassName = "java.lang.ClassLoader", targetMethod = "findLibrary"),
     )
     @JvmStatic
-    fun loadLibraryHook(method: MethodHandle?, alwaysNull: Any?, args: Array<Any?>, hookId: Int) {
-        if (args.isEmpty()) { return }
+    fun loadLibraryHook(
+        method: MethodHandle?,
+        alwaysNull: Any?,
+        args: Array<Any?>,
+        hookId: Int,
+    ) {
+        if (args.isEmpty()) {
+            return
+        }
         val libraryName = args[0] as? String ?: return
         if (libraryName == HONEYPOT_LIBRARY_NAME) {
             Jazzer.reportFindingFromHook(

diff --git a/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/RegexInjection.kt b/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/RegexInjection.kt
@@ -51,7 +51,12 @@ object RegexInjection {
         targetMethodDescriptor = "(Ljava/lang/String;I)Ljava/util/regex/Pattern;",
     )
     @JvmStatic
-    fun compileWithFlagsHook(method: MethodHandle, alwaysNull: Any?, args: Array<Any?>, hookId: Int): Any? {
+    fun compileWithFlagsHook(
+        method: MethodHandle,
+        alwaysNull: Any?,
+        args: Array<Any?>,
+        hookId: Int,
+    ): Any? {
         val pattern = args[0] as String?
         val hasCanonEqFlag = ((args[1] as Int) and Pattern.CANON_EQ) != 0
         return hookInternal(method, pattern, hasCanonEqFlag, hookId, *args)
@@ -72,9 +77,12 @@ object RegexInjection {
         ),
     )
     @JvmStatic
-    fun patternHook(method: MethodHandle, alwaysNull: Any?, args: Array<Any?>, hookId: Int): Any? {
-        return hookInternal(method, args[0] as String?, false, hookId, *args)
-    }
+    fun patternHook(
+        method: MethodHandle,
+        alwaysNull: Any?,
+        args: Array<Any?>,
+        hookId: Int,
+    ): Any? = hookInternal(method, args[0] as String?, false, hookId, *args)
 
     @MethodHooks(
         MethodHook(
@@ -109,9 +117,12 @@ object RegexInjection {
         ),
     )
     @JvmStatic
-    fun stringHook(method: MethodHandle, thisObject: Any?, args: Array<Any?>, hookId: Int): Any? {
-        return hookInternal(method, args[0] as String?, false, hookId, thisObject, *args)
-    }
+    fun stringHook(
+        method: MethodHandle,
+        thisObject: Any?,
+        args: Array<Any?>,
+        hookId: Int,
+    ): Any? = hookInternal(method, args[0] as String?, false, hookId, thisObject, *args)
 
     private fun hookInternal(
         method: MethodHandle,