Run ./format.sh

Author: fmeum

examples/src/main/java/com/example/ExampleKotlinFuzzer.kt

@@ -20,13 +20,16 @@ import com.code_intelligence.jazzer.api.FuzzedDataProvider
 import com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium
 
 object ExampleKotlinFuzzer {
-
     @JvmStatic
     fun fuzzerTestOneInput(data: FuzzedDataProvider) {
         exploreMe(data.consumeString(8), data.consumeInt(), data.consumeRemainingAsString())
     }
 
-    private fun exploreMe(prefix: String, n: Int, suffix: String) {
+    private fun exploreMe(
+        prefix: String,
+        n: Int,
+        suffix: String,
+    ) {
         if (prefix.findAnyOf(arrayListOf("Fuzz", "Test")) != null) {
             if (n >= 2000000) {
                 if (suffix.startsWith("@")) {

examples/src/main/java/com/example/ExampleKotlinValueProfileFuzzer.kt

@@ -20,7 +20,6 @@ import com.code_intelligence.jazzer.api.FuzzedDataProvider
 import com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium
 
 object ExampleKotlinValueProfileFuzzer {
-
     @JvmStatic
     fun fuzzerTestOneInput(data: FuzzedDataProvider) {
         if (data.consumeInt().compareTo(0x11223344) != 0) {
@@ -33,7 +32,5 @@ object ExampleKotlinValueProfileFuzzer {
         }
     }
 
-    private fun encrypt(n: Long): Long {
-        return n.xor(0x1122334455667788)
-    }
+    private fun encrypt(n: Long): Long = n.xor(0x1122334455667788)
 }

examples/src/main/java/com/example/KlaxonFuzzer.kt

@@ -22,7 +22,6 @@ import com.code_intelligence.jazzer.api.FuzzedDataProvider
 
 // Reproduces https://github.com/cbeust/klaxon/pull/330
 object KlaxonFuzzer {
-
     @JvmStatic
     fun fuzzerTestOneInput(data: FuzzedDataProvider) {
         try {

sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/Deserialization.kt

@@ -33,7 +33,6 @@ import java.util.WeakHashMap
  */
 @Suppress("unused_parameter", "unused")
 object Deserialization {
-
     private val OBJECT_INPUT_STREAM_HEADER =
         ObjectStreamConstants.STREAM_MAGIC.toBytes() + ObjectStreamConstants.STREAM_VERSION.toBytes()
 
@@ -88,13 +87,19 @@ object Deserialization {
         targetMethodDescriptor = "(Ljava/io/InputStream;)V",
     )
     @JvmStatic
-    fun objectInputStreamInitBeforeHook(method: MethodHandle?, alwaysNull: Any?, args: Array<Any?>, hookId: Int) {
+    fun objectInputStreamInitBeforeHook(
+        method: MethodHandle?,
+        alwaysNull: Any?,
+        args: Array<Any?>,
+        hookId: Int,
+    ) {
         val originalInputStream = args[0] as? InputStream ?: return
-        val fixedInputStream = if (originalInputStream.markSupported()) {
-            originalInputStream
-        } else {
-            BufferedInputStream(originalInputStream)
-        }
+        val fixedInputStream =
+            if (originalInputStream.markSupported()) {
+                originalInputStream
+            } else {
+                BufferedInputStream(originalInputStream)
+            }
         args[0] = fixedInputStream
         guideMarkableInputStreamTowardsEquality(fixedInputStream, OBJECT_INPUT_STREAM_HEADER, hookId)
     }

sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/ExpressionLanguageInjection.kt

@@ -28,7 +28,6 @@ import java.lang.invoke.MethodHandle
  */
 @Suppress("unused_parameter", "unused")
 object ExpressionLanguageInjection {
-
     /**
      * Try to call the default constructor of the honeypot class.
      */
@@ -71,7 +70,9 @@ object ExpressionLanguageInjection {
         hookId: Int,
     ) {
         // The overloads taking a second string argument have either three or four arguments
-        if (arguments.size < 3) { return }
+        if (arguments.size < 3) {
+            return
+        }
         val expression = arguments[1] as? String ?: return
         Jazzer.guideTowardsContainment(expression, EXPRESSION_LANGUAGE_ATTACK, hookId)
     }
@@ -95,7 +96,9 @@ object ExpressionLanguageInjection {
         arguments: Array<Any>,
         hookId: Int,
     ) {
-        if (arguments.size != 1) { return }
+        if (arguments.size != 1) {
+            return
+        }
         val message = arguments[0] as String
         Jazzer.guideTowardsContainment(message, EXPRESSION_LANGUAGE_ATTACK, hookId)
     }

sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/LdapInjection.kt

@@ -44,7 +44,6 @@ import javax.naming.directory.InvalidSearchFilterException
  */
 @Suppress("unused_parameter", "unused")
 object LdapInjection {
-
     // Characters to escape in DNs
     private const val NAME_CHARACTERS = "\\+<>,;\"="
 
@@ -67,7 +66,6 @@ object LdapInjection {
             targetMethodDescriptor = "(Ljava/lang/String;Ljavax/naming.directory/Attributes;[Ljava/lang/Sting;)Ljavax/naming/NamingEnumeration;",
             additionalClassesToHook = ["javax.naming.directory.InitialDirContext"],
         ),
-
         // Object search, possible DN and search filter injection
         MethodHook(
             type = HookType.REPLACE,
@@ -92,7 +90,12 @@ object LdapInjection {
         ),
     )
     @JvmStatic
-    fun searchLdapContext(method: MethodHandle, thisObject: Any?, args: Array<Any>, hookId: Int): Any? {
+    fun searchLdapContext(
+        method: MethodHandle,
+        thisObject: Any?,
+        args: Array<Any>,
+        hookId: Int,
+    ): Any? {
         try {
             return method.invokeWithArguments(thisObject, *args).also {
                 (args[0] as? String)?.let { name ->

sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/NamingContextLookup.kt

@@ -26,7 +26,6 @@ import javax.naming.CommunicationException
 
 @Suppress("unused")
 object NamingContextLookup {
-
     // The particular URL g.co is used here since it is:
     // - short, which makes it easier for the fuzzer to incorporate into the input;
     // - valid, which means that a `lookup` call on it could actually result in RCE;
@@ -50,7 +49,12 @@ object NamingContextLookup {
         ),
     )
     @JvmStatic
-    fun lookupHook(method: MethodHandle?, thisObject: Any?, args: Array<Any?>, hookId: Int): Any {
+    fun lookupHook(
+        method: MethodHandle?,
+        thisObject: Any?,
+        args: Array<Any?>,
+        hookId: Int,
+    ): Any {
         val name = args[0] as? String ?: throw CommunicationException()
         if (name.startsWith(RMI_MARKER) || name.startsWith(LDAP_MARKER)) {
             Jazzer.reportFindingFromHook(

sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/OsCommandInjection.kt

@@ -33,7 +33,6 @@ import java.lang.invoke.MethodHandle
  */
 @Suppress("unused_parameter", "unused")
 object OsCommandInjection {
-
     // Short and probably non-existing command name
     private const val COMMAND = "jazze"
 
@@ -44,8 +43,15 @@ object OsCommandInjection {
         additionalClassesToHook = ["java.lang.ProcessBuilder"],
     )
     @JvmStatic
-    fun processImplStartHook(method: MethodHandle?, alwaysNull: Any?, args: Array<Any?>, hookId: Int) {
-        if (args.isEmpty()) { return }
+    fun processImplStartHook(
+        method: MethodHandle?,
+        alwaysNull: Any?,
+        args: Array<Any?>,
+        hookId: Int,
+    ) {
+        if (args.isEmpty()) {
+            return
+        }
         // Calling ProcessBuilder already checks if command array is empty
         @Suppress("UNCHECKED_CAST")
         (args[0] as? Array<String>)?.first().let { cmd ->

sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/ReflectiveCall.kt

@@ -30,25 +30,64 @@ import java.lang.invoke.MethodHandle
  */
 @Suppress("unused_parameter", "unused")
 object ReflectiveCall {
-
     @MethodHooks(
-        MethodHook(type = HookType.BEFORE, targetClassName = "java.lang.Class", targetMethod = "forName", targetMethodDescriptor = "(Ljava/lang/String;)Ljava/lang/Class;"),
-        MethodHook(type = HookType.BEFORE, targetClassName = "java.lang.Class", targetMethod = "forName", targetMethodDescriptor = "(Ljava/lang/String;ZLjava/lang/ClassLoader;)Ljava/lang/Class;"),
-        MethodHook(type = HookType.BEFORE, targetClassName = "java.lang.ClassLoader", targetMethod = "loadClass", targetMethodDescriptor = "(Ljava/lang/String;)Ljava/lang/Class;"),
-        MethodHook(type = HookType.BEFORE, targetClassName = "java.lang.ClassLoader", targetMethod = "loadClass", targetMethodDescriptor = "(Ljava/lang/String;Z)Ljava/lang/Class;"),
+        MethodHook(
+            type = HookType.BEFORE,
+            targetClassName = "java.lang.Class",
+            targetMethod = "forName",
+            targetMethodDescriptor = "(Ljava/lang/String;)Ljava/lang/Class;",
+        ),
+        MethodHook(
+            type = HookType.BEFORE,
+            targetClassName = "java.lang.Class",
+            targetMethod = "forName",
+            targetMethodDescriptor = "(Ljava/lang/String;ZLjava/lang/ClassLoader;)Ljava/lang/Class;",
+        ),
+        MethodHook(
+            type = HookType.BEFORE,
+            targetClassName = "java.lang.ClassLoader",
+            targetMethod = "loadClass",
+            targetMethodDescriptor = "(Ljava/lang/String;)Ljava/lang/Class;",
+        ),
+        MethodHook(
+            type = HookType.BEFORE,
+            targetClassName = "java.lang.ClassLoader",
+            targetMethod = "loadClass",
+            targetMethodDescriptor = "(Ljava/lang/String;Z)Ljava/lang/Class;",
+        ),
     )
     @JvmStatic
-    fun loadClassHook(method: MethodHandle?, alwaysNull: Any?, args: Array<Any?>, hookId: Int) {
+    fun loadClassHook(
+        method: MethodHandle?,
+        alwaysNull: Any?,
+        args: Array<Any?>,
+        hookId: Int,
+    ) {
         val className = args[0] as? String ?: return
         Jazzer.guideTowardsEquality(className, HONEYPOT_CLASS_NAME, hookId)
     }
 
     @MethodHooks(
-        MethodHook(type = HookType.BEFORE, targetClassName = "java.lang.Class", targetMethod = "forName", targetMethodDescriptor = "(Ljava/lang/Module;Ljava/lang/String;)Ljava/lang/Class;"),
-        MethodHook(type = HookType.BEFORE, targetClassName = "java.lang.ClassLoader", targetMethod = "loadClass", targetMethodDescriptor = "(Ljava/lang/Module;Ljava/lang/String;)Ljava/lang/Class;"),
+        MethodHook(
+            type = HookType.BEFORE,
+            targetClassName = "java.lang.Class",
+            targetMethod = "forName",
+            targetMethodDescriptor = "(Ljava/lang/Module;Ljava/lang/String;)Ljava/lang/Class;",
+        ),
+        MethodHook(
+            type = HookType.BEFORE,
+            targetClassName = "java.lang.ClassLoader",
+            targetMethod = "loadClass",
+            targetMethodDescriptor = "(Ljava/lang/Module;Ljava/lang/String;)Ljava/lang/Class;",
+        ),
     )
     @JvmStatic
-    fun loadClassWithModuleHook(method: MethodHandle?, alwaysNull: Any?, args: Array<Any?>, hookId: Int) {
+    fun loadClassWithModuleHook(
+        method: MethodHandle?,
+        alwaysNull: Any?,
+        args: Array<Any?>,
+        hookId: Int,
+    ) {
         val className = args[1] as? String ?: return
         Jazzer.guideTowardsEquality(className, HONEYPOT_CLASS_NAME, hookId)
     }
@@ -62,8 +101,15 @@ object ReflectiveCall {
         MethodHook(type = HookType.BEFORE, targetClassName = "java.lang.ClassLoader", targetMethod = "findLibrary"),
     )
     @JvmStatic
-    fun loadLibraryHook(method: MethodHandle?, alwaysNull: Any?, args: Array<Any?>, hookId: Int) {
-        if (args.isEmpty()) { return }
+    fun loadLibraryHook(
+        method: MethodHandle?,
+        alwaysNull: Any?,
+        args: Array<Any?>,
+        hookId: Int,
+    ) {
+        if (args.isEmpty()) {
+            return
+        }
         val libraryName = args[0] as? String ?: return
         if (libraryName == HONEYPOT_LIBRARY_NAME) {
             Jazzer.reportFindingFromHook(

sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/RegexInjection.kt

@@ -51,7 +51,12 @@ object RegexInjection {
         targetMethodDescriptor = "(Ljava/lang/String;I)Ljava/util/regex/Pattern;",
     )
     @JvmStatic
-    fun compileWithFlagsHook(method: MethodHandle, alwaysNull: Any?, args: Array<Any?>, hookId: Int): Any? {
+    fun compileWithFlagsHook(
+        method: MethodHandle,
+        alwaysNull: Any?,
+        args: Array<Any?>,
+        hookId: Int,
+    ): Any? {
         val pattern = args[0] as String?
         val hasCanonEqFlag = ((args[1] as Int) and Pattern.CANON_EQ) != 0
         return hookInternal(method, pattern, hasCanonEqFlag, hookId, *args)
@@ -72,9 +77,12 @@ object RegexInjection {
         ),
     )
     @JvmStatic
-    fun patternHook(method: MethodHandle, alwaysNull: Any?, args: Array<Any?>, hookId: Int): Any? {
-        return hookInternal(method, args[0] as String?, false, hookId, *args)
-    }
+    fun patternHook(
+        method: MethodHandle,
+        alwaysNull: Any?,
+        args: Array<Any?>,
+        hookId: Int,
+    ): Any? = hookInternal(method, args[0] as String?, false, hookId, *args)
 
     @MethodHooks(
         MethodHook(
@@ -109,9 +117,12 @@ object RegexInjection {
         ),
     )
     @JvmStatic
-    fun stringHook(method: MethodHandle, thisObject: Any?, args: Array<Any?>, hookId: Int): Any? {
-        return hookInternal(method, args[0] as String?, false, hookId, thisObject, *args)
-    }
+    fun stringHook(
+        method: MethodHandle,
+        thisObject: Any?,
+        args: Array<Any?>,
+        hookId: Int,
+    ): Any? = hookInternal(method, args[0] as String?, false, hookId, thisObject, *args)
 
     private fun hookInternal(
         method: MethodHandle,

sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/Utils.kt

@@ -25,12 +25,11 @@ import java.io.InputStream
 const val HONEYPOT_CLASS_NAME = "jaz.Zer"
 const val HONEYPOT_LIBRARY_NAME = "jazzer_honeypot"
 
-internal fun Short.toBytes(): ByteArray {
-    return byteArrayOf(
+internal fun Short.toBytes(): ByteArray =
+    byteArrayOf(
         ((toInt() shr 8) and 0xFF).toByte(),
         (toInt() and 0xFF).toByte(),
     )
-}
 
 // Runtime is only O(size * needle.size), only use for small arrays.
 internal fun ByteArray.indexOf(needle: ByteArray): Int {
@@ -45,8 +44,15 @@ internal fun ByteArray.indexOf(needle: ByteArray): Int {
     return -1
 }
 
-internal fun guideMarkableInputStreamTowardsEquality(stream: InputStream, target: ByteArray, id: Int) {
-    fun readBytes(stream: InputStream, size: Int): ByteArray {
+internal fun guideMarkableInputStreamTowardsEquality(
+    stream: InputStream,
+    target: ByteArray,
+    id: Int,
+) {
+    fun readBytes(
+        stream: InputStream,
+        size: Int,
+    ): ByteArray {
         val current = ByteArray(size)
         var n = 0
         while (n < size) {

sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/XPathInjection.kt

@@ -36,7 +36,6 @@ import javax.xml.xpath.XPathExpressionException
  */
 @Suppress("unused_parameter", "unused")
 object XPathInjection {
-
     // Characters that should be escaped in user input.
     // https://owasp.org/www-community/attacks/XPATH_Injection
     private const val CHARACTERS_TO_ESCAPE = "'\""
@@ -49,7 +48,12 @@ object XPathInjection {
         MethodHook(type = HookType.REPLACE, targetClassName = "javax.xml.xpath.XPath", targetMethod = "evaluateExpression"),
     )
     @JvmStatic
-    fun checkXpathExecute(method: MethodHandle, thisObject: Any?, arguments: Array<Any>, hookId: Int): Any {
+    fun checkXpathExecute(
+        method: MethodHandle,
+        thisObject: Any?,
+        arguments: Array<Any>,
+        hookId: Int,
+    ): Any {
         if (arguments.isNotEmpty() && arguments[0] is String) {
             val query = arguments[0] as String
             Jazzer.guideTowardsContainment(query, CHARACTERS_TO_ESCAPE, hookId)
@@ -67,8 +71,8 @@ object XPathInjection {
                 Jazzer.reportFindingFromHook(
                     FuzzerSecurityIssueHigh(
                         """
-                    XPath Injection
-                    Injected query: ${arguments[0]}
+                        XPath Injection
+                        Injected query: ${arguments[0]}
                         """.trimIndent(),
                         exception,
                     ),