feat: add hooks for additional EL evaluation methods

Author: florianGla

MODULE.bazel

@@ -81,6 +81,7 @@ TEST_MAVEN_ARTIFACTS = [
     "com.google.truth.extensions:truth-proto-extension:1.4.5",
     "com.google.truth:truth:1.4.5",
     "jakarta.el:jakarta.el-api:6.0.1",
+    "jakarta.validation:jakarta.validation-api:3.0.2",
     "javax.persistence:javax.persistence-api:2.2",
     "junit:junit:4.13.2",
     "org.assertj:assertj-core:3.27.6",

maven_install.json

@@ -1,7 +1,7 @@
 {
   "__AUTOGENERATED_FILE_DO_NOT_MODIFY_THIS_FILE_MANUALLY": "THERE_IS_NO_DATA_ONLY_ZUUL",
-  "__INPUT_ARTIFACTS_HASH": 547805092,
-  "__RESOLVED_ARTIFACTS_HASH": 467856921,
+  "__INPUT_ARTIFACTS_HASH": 109726797,
+  "__RESOLVED_ARTIFACTS_HASH": -368514076,
   "conflict_resolution": {
     "com.google.code.gson:gson:2.8.6": "com.google.code.gson:gson:2.8.9",
     "com.google.j2objc:j2objc-annotations:2.8": "com.google.j2objc:j2objc-annotations:3.1",
@@ -188,6 +188,12 @@
       },
       "version": "6.0.1"
     },
+    "jakarta.validation:jakarta.validation-api": {
+      "shasums": {
+        "jar": "291c25e6910cc6a7ebd96d4c6baebf6d7c37676c5482c2d96146e901b62c1fc9"
+      },
+      "version": "3.0.2"
+    },
     "javax.activation:javax.activation-api": {
       "shasums": {
         "jar": "43fdef0b5b6ceb31b0424b208b930c74ab58fac2ceeb7b3f6fd3aeb8b5ca4393"
@@ -1295,6 +1301,17 @@
     "jakarta.el:jakarta.el-api": [
       "jakarta.el"
     ],
+    "jakarta.validation:jakarta.validation-api": [
+      "jakarta.validation",
+      "jakarta.validation.bootstrap",
+      "jakarta.validation.constraints",
+      "jakarta.validation.constraintvalidation",
+      "jakarta.validation.executable",
+      "jakarta.validation.groups",
+      "jakarta.validation.metadata",
+      "jakarta.validation.spi",
+      "jakarta.validation.valueextraction"
+    ],
     "javax.activation:javax.activation-api": [
       "javax.activation"
     ],
@@ -2692,6 +2709,7 @@
       "io.github.classgraph:classgraph",
       "io.projectreactor:reactor-core",
       "jakarta.el:jakarta.el-api",
+      "jakarta.validation:jakarta.validation-api",
       "javax.activation:javax.activation-api",
       "javax.annotation:javax.annotation-api",
       "javax.el:javax.el-api",

sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/ExpressionLanguageInjection.kt

@@ -33,6 +33,8 @@ object ExpressionLanguageInjection {
     private const val EXPRESSION_LANGUAGE_ATTACK =
         "\${Byte.class.forName(\"$HONEYPOT_CLASS_NAME\").getMethod(\"el\").invoke(null)}"
     private const val SPRING_EXPRESSION_LANGUAGE_ATTACK = "T($HONEYPOT_CLASS_NAME).el()"
+    private const val ELPROCESSOR_LANGUAGE_ATTACK =
+        "\"\".getClass().forName(\"$HONEYPOT_CLASS_NAME\").getMethod(\"el\").invoke(null)"
 
     init {
         require(EXPRESSION_LANGUAGE_ATTACK.length <= 64) {
@@ -41,6 +43,9 @@ object ExpressionLanguageInjection {
         require(SPRING_EXPRESSION_LANGUAGE_ATTACK.length <= 64) {
             "Expression language exploit must fit in a table of recent compares entry (64 bytes)"
         }
+        require(ELPROCESSOR_LANGUAGE_ATTACK.length <= 64) {
+            "Expression language exploit must fit in a table of recent compares entry (64 bytes)"
+        }
     }
 
     @MethodHooks(
@@ -80,17 +85,50 @@ object ExpressionLanguageInjection {
         Jazzer.guideTowardsContainment(expression, EXPRESSION_LANGUAGE_ATTACK, hookId)
     }
 
+    @MethodHooks(
+        MethodHook(
+            type = HookType.BEFORE,
+            targetClassName = "javax.el.ELProcessor",
+            targetMethod = "eval",
+        ),
+        MethodHook(
+            type = HookType.BEFORE,
+            targetClassName = "jakarta.el.ELProcessor",
+            targetMethod = "eval",
+        ),
+    )
+    @JvmStatic
+    fun hookElProcessor(
+        method: MethodHandle?,
+        thisObject: Any?,
+        arguments: Array<Any>,
+        hookId: Int,
+    ) {
+        if (arguments.size != 1) {
+            return
+        }
+        val message = arguments[0] as String
+        Jazzer.guideTowardsContainment(message, ELPROCESSOR_LANGUAGE_ATTACK, hookId)
+    }
+
     // With default configurations the argument to
     // ConstraintValidatorContext.buildConstraintViolationWithTemplate() will be evaluated by an
     // Expression Language interpreter which allows arbitrary code execution if the attacker has
     // control of the method argument.
     //
     // References: CVE-2018-16621
     // https://securitylab.github.com/research/bean-validation-RCE/
-    @MethodHook(
-        type = HookType.BEFORE,
-        targetClassName = "javax.validation.ConstraintValidatorContext",
-        targetMethod = "buildConstraintViolationWithTemplate",
+    @MethodHooks(
+        MethodHook(
+            type = HookType.BEFORE,
+            targetClassName = "javax.validation.ConstraintValidatorContext",
+            targetMethod = "buildConstraintViolationWithTemplate",
+        ),
+        MethodHook(
+            type = HookType.BEFORE,
+            targetClassName = "jakarta.validation.ConstraintValidatorContext",
+            targetMethod = "buildConstraintViolationWithTemplate",
+        ),
     )
     @JvmStatic
     fun hookBuildConstraintViolationWithTemplate(

sanitizers/src/test/java/com/code_intelligence/jazzer/sanitizers/BUILD.bazel

@@ -20,6 +20,7 @@ java_junit5_test(
         "//src/main/java/com/code_intelligence/jazzer/api:hooks",
         "@clojure_jar//jar",
         "@maven//:jakarta_el_jakarta_el_api",
+        "@maven//:jakarta_validation_jakarta_validation_api",
         "@maven//:javax_el_javax_el_api",
         "@maven//:javax_persistence_javax_persistence_api",
         "@maven//:javax_validation_validation_api",

sanitizers/src/test/java/com/code_intelligence/jazzer/sanitizers/HookBindingSanityTest.java

@@ -114,6 +114,7 @@ public boolean equals(Object o) {
                   new MethodRef(
                       "org.springframework.expression.spel.standard.SpelExpressionParser"),
                   new MethodRef("jakarta.el.ExpressionFactory"),
+                  new MethodRef("jakarta.el.ELProcessor"),
                   new MethodRef("java.util.regex.Pattern$CharPredicate"),
                   new MethodRef("javax.xml.xpath.XPath", "evaluateExpression", null),
                   new MethodRef(

sanitizers/src/test/java/com/example/BUILD.bazel

@@ -45,22 +45,31 @@ java_fuzz_target_test(
     verify_crash_reproducer = False,
 )
 
-java_fuzz_target_test(
-    name = "ExpressionLanguageInjection",
+[java_fuzz_target_test(
+    name = "ExpressionLanguageInjection_" + method,
     srcs = [
         "ExpressionLanguageInjection.java",
     ],
     allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh"],
-    expected_warning_or_error = "WARN: Some hooks could not be applied to class files built for Java 7 or lower.",
     tags = ["dangerous"],
     target_class = "com.example.ExpressionLanguageInjection",
+    target_method = method,
     # The reproducer can't find jaz.Zer and thus doesn't crash.
     verify_crash_reproducer = False,
+    runtime_deps = [
+        "@maven//:org_junit_jupiter_junit_jupiter_engine",
+    ],
     deps = [
+        "//deploy:jazzer-junit",
         "//sanitizers/src/test/java/com/example/el:ExpressionLanguageExample",
+        "@maven//:javax_el_javax_el_api",
         "@maven//:javax_validation_validation_api",
+        "@maven//:org_junit_jupiter_junit_jupiter_api",
     ],
-)
+) for method in [
+    "fuzzValidator",
+    "fuzzEval",
+]]
 
 java_fuzz_target_test(
     name = "AbsoluteFilePathTraversal",

sanitizers/src/test/java/com/example/ExpressionLanguageInjection.java

@@ -16,23 +16,41 @@
 
 package com.example;
 
-import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+import com.code_intelligence.jazzer.junit.FuzzTest;
+import com.code_intelligence.jazzer.mutation.annotation.NotNull;
 import com.example.el.UserData;
 import java.util.logging.Level;
 import java.util.logging.LogManager;
+import javax.el.ELException;
+import javax.el.ELProcessor;
 import javax.validation.Validation;
 import javax.validation.Validator;
+import org.junit.jupiter.api.BeforeEach;
 
 public class ExpressionLanguageInjection {
   private static final Validator validator =
       Validation.buildDefaultValidatorFactory().getValidator();
 
-  public static void fuzzerInitialize() {
+  @BeforeEach
+  public void setUp() {
     LogManager.getLogManager().getLogger("").setLevel(Level.SEVERE);
   }
 
-  public static void fuzzerTestOneInput(FuzzedDataProvider data) {
-    UserData uncheckedUserData = new UserData(data.consumeRemainingAsString());
+  @FuzzTest
+  void fuzzValidator(@NotNull String data) {
+    UserData uncheckedUserData = new UserData(data);
     validator.validate(uncheckedUserData);
   }
+
+  @FuzzTest
+  void fuzzEval(@NotNull String data) {
+    ELProcessor elp = new ELProcessor();
+    try {
+      elp.eval(data);
+    } catch (ELException
+        | IllegalStateException
+        | IllegalArgumentException
+        | ArithmeticException ignored) {
+    }
+  }
 }