View Javadoc
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one or more
3    * contributor license agreements.  See the NOTICE file distributed with
4    * this work for additional information regarding copyright ownership.
5    * The ASF licenses this file to You under the Apache License, Version 2.0
6    * (the "License"); you may not use this file except in compliance with
7    * the License.  You may obtain a copy of the License at
8    *
9    *      https://www.apache.org/licenses/LICENSE-2.0
10   *
11   * Unless required by applicable law or agreed to in writing, software
12   * distributed under the License is distributed on an "AS IS" BASIS,
13   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14   * See the License for the specific language governing permissions and
15   * limitations under the License.
16   */
17  
18  package org.apache.commons.text;
19  
20  import static org.junit.jupiter.api.Assertions.assertThrows;
21  
22  import java.io.IOException;
23  import java.nio.charset.StandardCharsets;
24  import java.nio.file.Files;
25  import java.nio.file.Paths;
26  
27  import org.junit.jupiter.api.Test;
28  
29  class StringSubstitutorOssFuzzTest {
30  
31      private String readAllString(final String testCase) throws IOException {
32          final byte[] allBytes = Files.readAllBytes(Paths.get("src/test/resources/org/apache/commons/text/oss-fuzz/" + testCase));
33          return new String(allBytes, StandardCharsets.UTF_8);
34      }
35  
36      /**
37       * Tests OSS-Fuzz issue 42522985.
38       *
39       * apache-commons-text:StringSubstitutorInterpolatorFuzzer: Security exception in java.base/java.util.Arrays.copyOf
40       *
41       * https://issues.oss-fuzz.com/issues/42522985
42       */
43      @Test
44      void test42522985() throws IOException {
45          StringSubstitutor.createInterpolator().replace(readAllString("clusterfuzz-testcase-StringSubstitutorInterpolatorFuzzer-6287296750813184"));
46      }
47  
48      /**
49       * Tests OSS-Fuzz issue 42527553.
50       *
51       * apache-commons-text:StringSubstitutorInterpolatorFuzzer: Security exception in java.base/java.util.Arrays.copyOf
52       *
53       * https://issues.oss-fuzz.com/issues/42527553
54       */
55      @Test
56      void test42527553() {
57          StringSubstitutor.createInterpolator().replace("${date:swswswswsws\177sw\001\000swswswswswwswsswswswsws\177sw\001\000swswswsswswswswswswswswswswsws}");
58      }
59  
60      /**
61       * Tests OSS-Fuzz issue 42527776.
62       *
63       * apache-commons-text:StringSubstitutorInterpolatorFuzzer: Security exception in java.base/java.util.Arrays.copyOf
64       *
65       * https://issues.oss-fuzz.com/issues/42527776
66       */
67      @Test
68      void test42527776() throws IOException {
69          assertThrows(IllegalArgumentException.class, () -> StringSubstitutor.createInterpolator()
70                  .replace(readAllString("clusterfuzz-testcase-StringSubstitutorInterpolatorFuzzer-5149898315268096")));
71      }
72  }