Skip to content

fix(sdk): Fuzz testing and protocol fixes #214

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Dec 4, 2024
Merged

fix(sdk): Fuzz testing and protocol fixes #214

merged 9 commits into from
Dec 4, 2024

Conversation

@jentfoo
Copy link
Contributor

@jentfoo jentfoo commented Nov 27, 2024
edited
Loading

This PR includes a variety of fixes found with fuzz testing. This PR is likely easiest to consume by reviewing commit by commit. Here is a highlevel of the changes:

  • Protocol Exception improvements - NullPointerExceptions have been converted to other exception types. Please provde feedback on if other exception types should be used for these cases. In Fuzzing.java now also serves to define in testing what exception types are acceptable. The catch specifically lists the types of exceptions that were discovered for each API call, and throws are checked exceptions that are not expected to be possible. As a future improvement we may want to refine this list further and better document what exceptions happen under what conditions. For now I thought it was best to start with just the NullPointerException cases. Since these cases were numerous, these changes span multiple commits, with each commit focused on a specific area of the protocol.
  • Protocol DoS Fixes - The only memory consumption issue discovered was the counterpart found in the go sdk. A matching fix with the same defaults was implemented here in the java sdk.
  • Finally the testing itself is added as Fuzzing.java executed through sdk/fuzz.sh. This script is long running, and there are occasional Jazzer failures which are not believed to be real deficiencies (timeouts when .position() is called on the stream). For that reason this testing needs to be done manually, and not expected to be included in CI
  • A few optimizations and clarity improvements were also included, as they were noticed while generally trying to get familiar with the codebase.

I look forward to questions and recommendations, thank you!

PR closes #168

@jentfoo jentfoo self-assigned this Nov 27, 2024
@jentfoo jentfoo requested review from a team as code owners November 27, 2024 19:04
@jentfoo jentfoo changed the title Fuzz testing and protocol fixes fix: Fuzz testing and protocol fixes Nov 27, 2024
@jentfoo jentfoo changed the title fix: Fuzz testing and protocol fixes fix(sdk): Fuzz testing and protocol fixes Nov 27, 2024
@jentfoo
ZipReader: Fix for possible protocol attacks
a2409b0 
This change fixes a couple possible protocol attacks:
* Possible NullPointerExceptions from `readLong/Int/Short` when a full value could not be read.  This is assumed to be unexpected, and may not be handled by users.  Instead `InvalidZipException` is now thrown.
* A permutation of the above is also possible when reading the Signature. The behavior was changed to defer to the existing signature validation failure (logging and existing InvalidZipException).
* Loops where a partial read is handled (see example reading in the filename) could result in a tight loop thread if content is shorter than the defined length.  The logic now expects a blocking input which will only return a zero value if the content has reached the end.  A premature end will result in an `EOFException`.
@jentfoo
Minor memory optimization to initialize ArrayList with known sizes
46388f4 
When the list size is known initializing at that value reduces the minor memory overhead of expanding and copying the underline array.
@jentfoo
TDFTest: Remove unecessary attributeGrpcStub
cf0e71a 
This mocked class is not needed due to TDF only being used with auto configure set to `false`.  To simplify this test the mock was removed and instead null is passed in to validate it's not used.
@jentfoo
Validate TDF Manifest to prevent possible NullPointerException condit…
2f8147a 
…ions

This commit validates the fields were read from the Manifest before the TDF is read.  This results in convering previous NullPointerExceptions into `IllegalArgumentExceptions` with a message that indicates what field had an unexpected state.
@jentfoo
PolicyInfo: Prevent policy length overflow, resulting in a negative …
1552cc0 
…length
@jentfoo
TDF: Set min and max limits for segment sizes
0cb040d 
This matches the protections introduced in the go SDK PR: opentdf/platform#1536
@jentfoo
Add fuzz testing that was used to find previous fixes
29b472d 
This fuzz testing and seed corpus helped validate for protocol flaws in decoding TDF's.
This testing is time consuming, and Jazzer sometimes has some weird IO blocking behavior that is not actually indicative of a flaw.  For that reason this is not part of CI, and instead is run through `fuzz.sh` when needed.
@jentfoo
Fix test from minimum segment size enforcement
786c557 
This change was applied easily in go, but there are issues with integration and other existing test payloads.
Because this is low risk, I believe it's ok to remove this protection in the Java SDK, but leave commented so it's known to be explict.  Alternatively we could update test payloads.
@jentfoo
Style fixes from Sonar CI
90aa02f
@sonarqubecloud
Copy link

sonarqubecloud bot commented Dec 3, 2024

Quality Gate Failed Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

@jentfoo jentfoo merged commit cf6f932 into main Dec 4, 2024
7 of 8 checks passed
@jentfoo jentfoo deleted the jent/fuzzing branch December 4, 2024 16:00
@opentdf-automation opentdf-automation bot mentioned this pull request Feb 6, 2025
Merged
mkleene pushed a commit that referenced this pull request Feb 6, 2025
@opentdf-automation
chore(main): release 0.7.6 (#222)
cc75fe5 
🤖 I have created a release *beep* *boop*
---


<details><summary>0.7.6</summary>

## [0.7.6](v0.7.5...v0.7.6)
(2025-02-06)


### Features

* Add assertion verification
([#216](#216))
([e0f8caf](e0f8caf))
* **cmdline:** assertions cli support
([#204](#204))
([3325114](3325114))
* **sdk:** Add and expose tamper error types
([#187](#187))
([b4f95e6](b4f95e6))
* **sdk:** adds Collections API
([#212](#212))
([1ee1367](1ee1367))


### Bug Fixes

* Correct null assertions when deserializing
([#211](#211))
([b075194](b075194))
* incorrect isStreamable serialized name
([#210](#210))
([32825b0](32825b0))
* NanoTDF secure key from debug logging and iv conflict risk
([#208](#208))
([6301d32](6301d32))
* **sdk:** deserialize object statement values correctly
([#219](#219))
([c513e8c](c513e8c))
* **sdk:** Fuzz testing and protocol fixes
([#214](#214))
([cf6f932](cf6f932))
* **sdk:** group splits with empty/missing split IDs together
([#217](#217))
([0f47702](0f47702))
* **sdk:** remove hex encoding
([#213](#213))
([e076d11](e076d11))
* **sdk:** uses offset for ByteBuffer array offset
([#209](#209))
([0d6e761](0d6e761))
* Use reusable start-additional-kas workflow
([#215](#215))
([cb6f757](cb6f757))
</details>

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mkleene mkleene mkleene approved these changes

@pflynn-virtru pflynn-virtru pflynn-virtru approved these changes

Assignees

@jentfoo jentfoo

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

We should also fix the DOS issues with segment size

4 participants

@jentfoo @mkleene @pflynn-virtru