Merge pull request #473 from sigstore/fix-a-fuzzing-issue

Fix fuzzing issues

Author: loosebazooka

sigstore-java/src/main/java/dev/sigstore/bundle/BundleFactoryInternal.java

@@ -158,6 +158,9 @@ static KeylessSignature readBundle(Reader jsonReader) throws BundleParseExceptio
     }
     Bundle bundle = bundleBuilder.build();
 
+    if (bundle.getVerificationMaterial().getTlogEntriesCount() == 0) {
+      throw new BundleParseException("Could not find any tlog entries in bundle json");
+    }
     var bundleEntry = bundle.getVerificationMaterial().getTlogEntries(0);
     var bundleInclusionProof = bundleEntry.getInclusionProof();
 

sigstore-java/src/main/java/dev/sigstore/rekor/client/RekorParseException.java

@@ -19,4 +19,8 @@ public class RekorParseException extends Exception {
   public RekorParseException(String message) {
     super(message);
   }
+
+  public RekorParseException(String message, Throwable cause) {
+    super(message, cause);
+  }
 }

sigstore-java/src/main/java/dev/sigstore/rekor/client/RekorResponse.java

@@ -18,6 +18,7 @@
 import static dev.sigstore.json.GsonSupplier.GSON;
 
 import com.google.common.reflect.TypeToken;
+import com.google.gson.JsonSyntaxException;
 import java.net.URI;
 import java.util.Map;
 import org.immutables.value.Value;
@@ -53,10 +54,15 @@ public interface RekorResponse {
    * @return an immutable {@link RekorResponse} instance
    * @throws RekorParseException if the rawResponse doesn't parse directly to a single rekor entry
    */
-  static RekorResponse newRekorResponse(URI entryLocation, String rawResponse)
+  public static RekorResponse newRekorResponse(URI entryLocation, String rawResponse)
       throws RekorParseException {
     var type = new TypeToken<Map<String, RekorEntry>>() {}.getType();
-    Map<String, RekorEntry> entryMap = GSON.get().fromJson(rawResponse, type);
+    Map<String, RekorEntry> entryMap;
+    try {
+      entryMap = GSON.get().fromJson(rawResponse, type);
+    } catch (JsonSyntaxException | NullPointerException | StringIndexOutOfBoundsException ex) {
+      throw new RekorParseException("Rekor entry json could not be parsed: " + rawResponse, ex);
+    }
     if (entryMap == null) {
       throw new RekorParseException("Expecting a single rekor entry in response but found none");
     }