
fix(sdk): Fuzz testing and protocol fixes #214

Merged
merged 9 commits into from
Dec 4, 2024

Conversation

jentfoo
Contributor

@jentfoo jentfoo commented Nov 27, 2024

This PR includes a variety of fixes found with fuzz testing. This PR is likely easiest to consume by reviewing commit by commit. Here is a high-level summary of the changes:

  • Protocol Exception improvements - NullPointerExceptions have been converted to other exception types. Please provide feedback on whether other exception types should be used for these cases. Fuzzing.java now also serves to define in testing what exception types are acceptable. The catch specifically lists the types of exceptions that were discovered for each API call, and throws are checked exceptions that are not expected to be possible. As a future improvement we may want to refine this list further and better document what exceptions happen under what conditions. For now I thought it was best to start with just the NullPointerException cases. Since these cases were numerous, these changes span multiple commits, with each commit focused on a specific area of the protocol.
  • Protocol DoS Fixes - The only memory consumption issue discovered was the counterpart found in the go sdk. A matching fix with the same defaults was implemented here in the java sdk.
  • Finally the testing itself is added as Fuzzing.java executed through sdk/fuzz.sh. This script is long running, and there are occasional Jazzer failures which are not believed to be real deficiencies (timeouts when .position() is called on the stream). For that reason this testing needs to be done manually, and is not expected to be included in CI.
  • A few optimizations and clarity improvements were also included, as they were noticed while generally trying to get familiar with the codebase.

I look forward to questions and recommendations, thank you!

PR closes #168

@jentfoo jentfoo self-assigned this Nov 27, 2024
@jentfoo jentfoo requested review from a team as code owners November 27, 2024 19:04
@jentfoo jentfoo changed the title Fuzz testing and protocol fixes fix: Fuzz testing and protocol fixes Nov 27, 2024
@jentfoo jentfoo changed the title fix: Fuzz testing and protocol fixes fix(sdk): Fuzz testing and protocol fixes Nov 27, 2024
This change fixes a couple possible protocol attacks:
* Possible NullPointerExceptions from `readLong/Int/Short` when a full value could not be read.  This is assumed to be unexpected, and may not be handled by users.  Instead `InvalidZipException` is now thrown.
* A permutation of the above is also possible when reading the Signature. The behavior was changed to defer to the existing signature validation failure (logging and existing InvalidZipException).
* Loops where a partial read is handled (see example reading in the filename) could result in a tight-loop thread if content is shorter than the defined length.  The logic now expects a blocking input which will only return a zero value if the content has reached the end.  A premature end will result in an `EOFException`.
When the list size is known, initializing at that value reduces the minor memory overhead of expanding and copying the underlying array.
This mocked class is not needed due to TDF only being used with auto configure set to `false`.  To simplify this test the mock was removed and instead null is passed in to validate it is not used.
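Added illustration (not code from the SDK or this PR) of the two read-path fixes this commit describes: a length-prefixed read that treats a non-positive `read()` return as end of content and raises `EOFException`, and a fixed-width field read that surfaces a short read as a typed protocol exception rather than a `NullPointerException`. The class name, the little-endian byte order (ZIP convention) and the local `InvalidZipException` stand-in are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;

// Hypothetical reader, not the SDK's class.
public class BlockingFieldReader {
    // Stand-in for the SDK's InvalidZipException so this file compiles on its own.
    public static class InvalidZipException extends IOException {
        public InvalidZipException(String msg, Throwable cause) { super(msg, cause); }
    }

    private final InputStream in;
    public BlockingFieldReader(InputStream in) { this.in = in; }

    // The old pattern (only `if (n > 0) total += n;`, no exit on 0/-1) spins forever on a
    // truncated stream. The stream is now assumed blocking, so a non-positive return
    // means the content ended early, which is a protocol error, not a retry condition.
    public byte[] readExactly(int len) throws IOException {
        byte[] buf = new byte[len];
        int total = 0;
        while (total < len) {
            int n = in.read(buf, total, len - total);
            if (n <= 0) {
                throw new EOFException("expected " + len + " bytes, stream ended after " + total);
            }
            total += n;
        }
        return buf;
    }

    // Fixed-width field: a short read becomes a typed, catchable exception instead of a
    // NullPointerException further down the call chain.
    public long readLong() throws IOException {
        try {
            return ByteBuffer.wrap(readExactly(8)).order(ByteOrder.LITTLE_ENDIAN).getLong();
        } catch (EOFException e) {
            throw new InvalidZipException("truncated 8-byte field", e);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: an 8-byte length of 10 followed by only 4 bytes of filename.
        byte[] truncated = {10, 0, 0, 0, 0, 0, 0, 0, 'a', 'b', 'c', 'd'};
        BlockingFieldReader r = new BlockingFieldReader(new ByteArrayInputStream(truncated));
        int nameLen = (int) r.readLong();
        try {
            System.out.println(new String(r.readExactly(nameLen), StandardCharsets.UTF_8));
        } catch (EOFException e) {
            System.out.println("rejected truncated filename: " + e.getMessage());
        }
    }
}
```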
…ions

This commit validates the fields were read from the Manifest before the TDF is read.  This results in converting previous NullPointerExceptions into `IllegalArgumentExceptions` with a message that indicates what field had an unexpected state.
This matches the protections introduced in the go SDK PR: opentdf/platform#1536
This fuzz testing and seed corpus helped validate for protocol flaws in decoding TDFs.
This testing is time consuming, and Jazzer sometimes has some weird IO blocking behavior that is not actually indicative of a flaw.  For that reason this is not part of CI, and instead is run through `fuzz.sh` when needed.
This change was applied easily in go, but there are issues with integration and other existing test payloads.
Because this is low risk, I believe it's ok to remove this protection in the Java SDK, but leave it commented so it's known to be explicit.  Alternatively we could update test payloads.

sonarqubecloud bot commented Dec 3, 2024

Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

@jentfoo jentfoo merged commit cf6f932 into main Dec 4, 2024
7 of 8 checks passed
@jentfoo jentfoo deleted the jent/fuzzing branch December 4, 2024 16:00
Successfully merging this pull request may close these issues.

We should also fix the DOS issues with segment size