fix: split disabled hooks by correct delimiter

simonresch · simonresch · commit 5476d840f66a · 2025-10-23T10:24:35.000+02:00
diff --git a/sanitizers/src/test/java/com/example/DisabledHooksTest.java b/sanitizers/src/test/java/com/example/DisabledHooksTest.java
@@ -17,8 +17,11 @@
 package com.example;
 
 import com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh;
-import java.io.*;
 import java.lang.reflect.InvocationTargetException;
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.IOException;
+import java.io.ObjectInputStream;
 import java.util.Base64;
 import org.junit.After;
 import org.junit.Test;
@@ -104,9 +107,9 @@ public void disableReflectiveCallAndEnableDeserialization() {
   public void disableAllSanitizers() throws Throwable {
     System.setProperty(
         "jazzer.disabled_hooks",
-        "com.code_intelligence.jazzer.sanitizers.ReflectiveCall,"
-            + "com.code_intelligence.jazzer.sanitizers.Deserialization,"
-            + "com.code_intelligence.jazzer.sanitizers.ExpressionLanguageInjection");
+        "com.code_intelligence.jazzer.sanitizers.ReflectiveCall"
+            + File.pathSeparatorChar
+            + "com.code_intelligence.jazzer.sanitizers.Deserialization");
     triggerReflectiveCallSanitizer();
     triggerExpressionLanguageInjectionSanitizer();
     triggerDeserializationSanitizer();
diff --git a/src/main/java/jaz/Zer.java b/src/main/java/jaz/Zer.java
@@ -18,8 +18,18 @@
 
 import com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh;
 import com.code_intelligence.jazzer.api.Jazzer;
-import java.io.*;
-import java.util.*;
+import java.io.Closeable;
+import java.io.File;
+import java.io.Flushable;
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.Serializable;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Comparator;
+import java.util.Iterator;
+import java.util.List;
+import java.util.ListIterator;
 import java.util.concurrent.Callable;
 import java.util.function.Function;
 
@@ -116,6 +126,7 @@ private static void reportFinding() {
   }
 
   private static boolean isSanitizerEnabled(byte sanitizerId) {
+    // FIXME: This does not take into account disabled hooks set via CLI args or env.
     String allDisabledHooks = System.getProperty("jazzer.disabled_hooks");
     if (allDisabledHooks == null || allDisabledHooks.equals("")) {
       return true;
@@ -132,7 +143,8 @@ private static boolean isSanitizerEnabled(byte sanitizerId) {
       default:
         sanitizer = "com.code_intelligence.jazzer.sanitizers.ReflectiveCall";
     }
-    return Arrays.stream(allDisabledHooks.split(",")).noneMatch(sanitizer::equals);
+    return Arrays.stream(allDisabledHooks.split(String.valueOf(File.pathSeparatorChar)))
+        .noneMatch(sanitizer::equals);
   }
 
   // Getter/Setter
