From 781b03b089ec6ab29d8114c57e6a577cfadd6a09 Mon Sep 17 00:00:00 2001
From: Appu Goundan
Date: Thu, 3 Aug 2023 14:26:40 -0400
Subject: [PATCH] Fix some issues found by fuzzer

- Catch json parse exception in rekor response
- Check bundle before reading first tlog entry

Signed-off-by: Appu Goundan
---
 .../java/dev/sigstore/bundle/BundleFactoryInternal.java | 3 +++
 .../dev/sigstore/rekor/client/RekorParseException.java | 4 ++++
 .../java/dev/sigstore/rekor/client/RekorResponse.java | 8 +++++++-
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/sigstore-java/src/main/java/dev/sigstore/bundle/BundleFactoryInternal.java b/sigstore-java/src/main/java/dev/sigstore/bundle/BundleFactoryInternal.java
index 2df52b54a..1a11d59e2 100644
--- a/sigstore-java/src/main/java/dev/sigstore/bundle/BundleFactoryInternal.java
+++ b/sigstore-java/src/main/java/dev/sigstore/bundle/BundleFactoryInternal.java
@@ -158,6 +158,9 @@ static KeylessSignature readBundle(Reader jsonReader) throws BundleParseExceptio
     }
     Bundle bundle = bundleBuilder.build();
+    if (bundle.getVerificationMaterial().getTlogEntriesCount() == 0) {
+      throw new BundleParseException("Could not find an tlog entries in bundle json");
+    }
     var bundleEntry = bundle.getVerificationMaterial().getTlogEntries(0);
     var bundleInclusionProof = bundleEntry.getInclusionProof();
diff --git a/sigstore-java/src/main/java/dev/sigstore/rekor/client/RekorParseException.java b/sigstore-java/src/main/java/dev/sigstore/rekor/client/RekorParseException.java
index 7a65b85d6..d4b42643f 100644
--- a/sigstore-java/src/main/java/dev/sigstore/rekor/client/RekorParseException.java
+++ b/sigstore-java/src/main/java/dev/sigstore/rekor/client/RekorParseException.java
@@ -19,4 +19,8 @@ public class RekorParseException extends Exception {
   public RekorParseException(String message) {
     super(message);
   }
+
+  public RekorParseException(String message, Throwable cause) {
+    super(message, cause);
+  }
 }
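Review bot: The message in the new guard in readBundle reads `Could not find an tlog entries in bundle json`, which should say `any tlog entries`; since BundleParseException messages are what a caller sees when a bundle is rejected, the line should become `throw new BundleParseException("Could not find any tlog entries in bundle json");`. The guard itself is correctly placed before `getTlogEntries(0)`, which presumably would otherwise fail with an IndexOutOfBoundsException on an empty repeated field. readBundle begins before this hunk and continues after it.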
diff --git a/sigstore-java/src/main/java/dev/sigstore/rekor/client/RekorResponse.java b/sigstore-java/src/main/java/dev/sigstore/rekor/client/RekorResponse.java
index ede4695d1..3c40b1713 100644
--- a/sigstore-java/src/main/java/dev/sigstore/rekor/client/RekorResponse.java
+++ b/sigstore-java/src/main/java/dev/sigstore/rekor/client/RekorResponse.java
@@ -18,6 +18,7 @@
 import static dev.sigstore.json.GsonSupplier.GSON;
 import com.google.common.reflect.TypeToken;
+import com.google.gson.JsonSyntaxException;
 import java.net.URI;
 import java.util.Map;
 import org.immutables.value.Value;
@@ -56,7 +57,12 @@ public interface RekorResponse {
   static RekorResponse newRekorResponse(URI entryLocation, String rawResponse)
       throws RekorParseException {
     var type = new TypeToken>() {}.getType();
-    Map entryMap = GSON.get().fromJson(rawResponse, type);
+    Map entryMap;
+    try {
+      entryMap = GSON.get().fromJson(rawResponse, type);
+    } catch (JsonSyntaxException jse) {
+      throw new RekorParseException("Rekor entry json could not be parsed", jse);
+    }
     if (entryMap == null) {
       throw new RekorParseException("Expecting a single rekor entry in response but found none");
     }
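Review bot: The new catch in newRekorResponse only covers JsonSyntaxException, but Gson's fromJson can also surface a JsonIOException, and both share the JsonParseException parent; catching the parent maps every Gson parse failure on a Rekor response to the same checked RekorParseException instead of letting one kind escape unchecked: `} catch (JsonParseException jpe) {`, `throw new RekorParseException("Rekor entry json could not be parsed", jpe);`, with the import in the first hunk changed to `import com.google.gson.JsonParseException;`. Deeply nested JSON may also exhaust the stack inside Gson on older releases, which no catch clause here addresses; whether that applies depends on the Gson version this project pins. newRekorResponse's body continues past the end of the hunk.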