fix: don't report RCE finding if hook is disabled

simonresch · simonresch · commit f2a603f871ce · 2025-10-23T10:24:35.000+02:00
With this commit no RCE finding will be reported from the jaz.Zer.el() method if
the ReflectiveCall sanitizer is not enabled.
diff --git a/sanitizers/src/test/java/com/example/DisabledHooksTest.java b/sanitizers/src/test/java/com/example/DisabledHooksTest.java
@@ -17,7 +17,6 @@
 package com.example;
 
 import com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh;
-import java.lang.reflect.InvocationTargetException;
 import java.io.ByteArrayInputStream;
 import java.io.File;
 import java.io.IOException;
@@ -34,15 +33,6 @@ public static void triggerReflectiveCallSanitizer() {
     }
   }
 
-  public static void triggerExpressionLanguageInjectionSanitizer() throws Throwable {
-    try {
-      Class.forName("jaz.Zer").getMethod("el").invoke(null);
-    } catch (InvocationTargetException e) {
-      throw e.getCause();
-    } catch (IllegalAccessException | ClassNotFoundException | NoSuchMethodException ignore) {
-    }
-  }
-
   public static void triggerDeserializationSanitizer() {
     byte[] data =
         Base64.getDecoder().decode("rO0ABXNyAAdqYXouWmVyAAAAAAAAACoCAAFCAAlzYW5pdGl6ZXJ4cAEK");
@@ -68,11 +58,6 @@ public void enableDeserializationSanitizer() {
     triggerDeserializationSanitizer();
   }
 
-  @Test(expected = FuzzerSecurityIssueHigh.class)
-  public void enableExpressionLanguageInjectionSanitizer() throws Throwable {
-    triggerExpressionLanguageInjectionSanitizer();
-  }
-
   @Test
   public void disableReflectiveCallSanitizer() {
     System.setProperty(
@@ -87,14 +72,6 @@ public void disableDeserializationSanitizer() {
     triggerDeserializationSanitizer();
   }
 
-  @Test
-  public void disableExpressionLanguageSanitizer() throws Throwable {
-    System.setProperty(
-        "jazzer.disabled_hooks",
-        "com.code_intelligence.jazzer.sanitizers.ExpressionLanguageInjection");
-    triggerExpressionLanguageInjectionSanitizer();
-  }
-
   @Test(expected = FuzzerSecurityIssueHigh.class)
   public void disableReflectiveCallAndEnableDeserialization() {
     System.setProperty(
@@ -111,7 +88,6 @@ public void disableAllSanitizers() throws Throwable {
             + File.pathSeparatorChar
             + "com.code_intelligence.jazzer.sanitizers.Deserialization");
     triggerReflectiveCallSanitizer();
-    triggerExpressionLanguageInjectionSanitizer();
     triggerDeserializationSanitizer();
   }
 }
diff --git a/src/main/java/jaz/Ter.java b/src/main/java/jaz/Ter.java
@@ -26,7 +26,6 @@ public class Ter implements java.io.Serializable {
 
   public static final byte REFLECTIVE_CALL_SANITIZER_ID = 0;
   public static final byte DESERIALIZATION_SANITIZER_ID = 1;
-  public static final byte EXPRESSION_LANGUAGE_SANITIZER_ID = 2;
 
   private byte sanitizer = REFLECTIVE_CALL_SANITIZER_ID;
 
diff --git a/src/main/java/jaz/Zer.java b/src/main/java/jaz/Zer.java
@@ -71,7 +71,6 @@ public class Zer
   // serialized size is 41 bytes
   private static final byte REFLECTIVE_CALL_SANITIZER_ID = 0;
   private static final byte DESERIALIZATION_SANITIZER_ID = 1;
-  private static final byte EXPRESSION_LANGUAGE_SANITIZER_ID = 2;
 
   // A byte representing the relevant sanitizer for a given jaz.Zer instance. It is used to check
   // whether the corresponding sanitizer is disabled and jaz.Zer will not report a finding in this
@@ -101,11 +100,13 @@ public Zer(byte sanitizer) {
     reportFindingIfEnabled();
   }
 
-  // A special static method that is called by the expression language injection sanitizer. We
+  // A special static method that is guided to by the expression language injection sanitizer. We
   // choose a parameterless method to keep the string that the sanitizer guides the fuzzer to
   // generate within the 64-byte boundary required by the corresponding guiding methods.
+  // A RCE finding is only reported if the ReflectiveCall sanitizer is active to give users a way to
+  // silence it.
   public static void el() {
-    if (isSanitizerEnabled(EXPRESSION_LANGUAGE_SANITIZER_ID)) {
+    if (isSanitizerEnabled(REFLECTIVE_CALL_SANITIZER_ID)) {
       reportFinding();
     }
   }
@@ -137,9 +138,6 @@ private static boolean isSanitizerEnabled(byte sanitizerId) {
       case DESERIALIZATION_SANITIZER_ID:
         sanitizer = "com.code_intelligence.jazzer.sanitizers.Deserialization";
         break;
-      case EXPRESSION_LANGUAGE_SANITIZER_ID:
-        sanitizer = "com.code_intelligence.jazzer.sanitizers.ExpressionLanguageInjection";
-        break;
       default:
         sanitizer = "com.code_intelligence.jazzer.sanitizers.ReflectiveCall";
     }
