Update JXPathFuzzer.java Refactor JXPath Fuzzer for Improved Fuzzing Coverage, Security, and Error Handling #12847

Status: Open. Wants to merge 1 commit into base: master.

Conversation

Shivam7-1 (Contributor)

PR Description:

This PR makes several improvements to the original JXPathFuzzer.java file for better fuzzing coverage, error handling, and security.

Changes:

  1. Refactoring of Document Creation Logic:

    • Extracted the XML document creation and parsing logic into a separate method, createDocument(), for better code organization and readability.
    • The method consumes fuzzed data to configure the DocumentBuilderFactory, including additional configuration for better security.
    • The code now consumes a random length for the XML input (between 100 and 500 characters) instead of always consuming a fixed length of 2000 characters.
    • If the generated XML input is empty, it defaults to a valid but empty XML structure (<root></root>).
    • Added a security feature to disable DTD declarations (setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)) to mitigate potential XXE attacks.

  2. Improved XPath Query Handling:

    • The logic for performing the XPath query has been moved to a separate method, performXPathQuery().
    • The XPath query now handles cases where the query is too short (less than 5 characters) by replacing it with an invalid XPath query (//invalid_xpath) to simulate malformed queries.
    • Enhanced exception handling by logging XPath-related errors (JXPathException).

  3. Improved Error Handling:

    • Detailed error logging has been added to capture issues during document creation, XML parsing, and XPath query execution. This will provide better visibility into failures during fuzzing.

  4. Fuzzing Enhancements:

    • The fuzzerTestOneInput method now calls the refactored methods for document creation and XPath query execution.
    • The changes ensure more diverse and randomized input sizes, improving fuzzing coverage and testing for edge cases.
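As an added illustration (the PR's own diff is not shown on this page), here is a Jazzer harness shaped the way the description above lays out: a createDocument() that consumes fuzzed data, rejects DOCTYPE declarations, and falls back to <root></root>, and a performXPathQuery() that substitutes //invalid_xpath for short queries and logs JXPathException. The class name and the exact Jazzer and JXPath calls are my assumptions about the surrounding project, not code from the PR.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.apache.commons.jxpath.JXPathContext;
import org.apache.commons.jxpath.JXPathException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import com.code_intelligence.jazzer.api.FuzzedDataProvider;

// Hypothetical harness illustrating the structure described in the PR; not the PR's code.
public class JXPathFuzzerExample {
    // Builds a DOM from fuzzer-chosen XML. DOCTYPE declarations are rejected so the
    // fuzzer cannot trigger entity expansion or external entity fetches (XXE).
    static Document createDocument(FuzzedDataProvider data)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setExpandEntityReferences(false);
        factory.setNamespaceAware(data.consumeBoolean()); // one fuzzed config knob
        String xml = data.consumeString(data.consumeInt(100, 500)); // variable input size
        if (xml.isEmpty()) {
            xml = "<root></root>"; // valid but empty fallback document
        }
        return factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Runs one fuzzed XPath query; queries shorter than 5 chars get the PR's placeholder.
    static void performXPathQuery(Document doc, FuzzedDataProvider data) {
        String query = data.consumeRemainingAsString();
        if (query.length() < 5) {
            query = "//invalid_xpath";
        }
        try {
            JXPathContext ctx = JXPathContext.newContext(doc);
            ctx.getValue(query);
        } catch (JXPathException e) {
            // Malformed or unsupported XPath is expected under fuzzing; log, do not crash.
            System.err.println("XPath error for query '" + query + "': " + e.getMessage());
        }
    }

    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        try {
            performXPathQuery(createDocument(data), data);
        } catch (ParserConfigurationException | SAXException | IOException e) {
            // Unparseable XML is an expected fuzzing outcome, not a finding.
            System.err.println("Document creation failed: " + e.getMessage());
        }
    }
}
```

Only uncaught exceptions (for example a RuntimeException thrown from inside JXPath) would be reported by Jazzer as crashes; everything the harness catches above is treated as ordinary fuzzing noise.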


Shivam7-1 is a new contributor to projects/apache-commons-jxpath. The PR must be approved by known contributors before it can be merged. The past contributors are: henryrneh, bharathmohanraj, fmeum, 0roman

Shivam7-1 (Contributor, Author)

Hi @henryrneh @bharathmohanraj, could the team review this PR?
Thanks
