Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix fuzzing issues #473

Merged
merged 1 commit into from
Aug 4, 2023
Merged

Fix fuzzing issues #473

merged 1 commit into from
Aug 4, 2023

Conversation

loosebazooka
Copy link
Member

@loosebazooka loosebazooka commented Aug 3, 2023
edited
Loading

  • handle invalid json for rekor response
  • handle bundle with no tlog entry

@loosebazooka loosebazooka requested a review from vlsi August 3, 2023 18:28
@loosebazooka loosebazooka changed the title Catch json parse exception in rekor response Fix fuzzing issues Aug 3, 2023
vlsi
vlsi reviewed Aug 3, 2023
View reviewed changes
sigstore-java/src/main/java/dev/sigstore/rekor/client/RekorResponse.java Outdated
try {
entryMap = GSON.get().fromJson(rawResponse, type);
} catch (JsonSyntaxException jse) {
throw new RekorParseException("Rekor entry json could not be parsed", jse);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WDYT of mentioning the problematic response in the error message?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the stack trace should show it? but yeah I can just do jse.getMessage() too. I'll add that in.

vlsi
vlsi previously approved these changes Aug 3, 2023
View reviewed changes
@loosebazooka
Copy link
Member Author

turns out parsing bad data can create npes too.

@loosebazooka
Copy link
Member Author

I think we can logger.error the whole rekor response? Is that what you were kinda looking for?

@loosebazooka loosebazooka force-pushed the fix-a-fuzzing-issue branch 3 times, most recently from 742382d to d1e75d2 Compare August 4, 2023 00:12
@loosebazooka loosebazooka requested a review from vlsi August 4, 2023 12:22
vlsi
vlsi requested changes Aug 4, 2023
View reviewed changes
sigstore-java/src/main/java/dev/sigstore/rekor/client/RekorResponse.java Outdated
Comment on lines 66 to 68
log.severe("Rekor entry could not be parsed");
log.severe(rawResponse);
throw new RekorParseException("Rekor entry json could not be parsed: " + ex.getMessage(), ex);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Logging messages as several lines would be hard to analyze.
I suggest skip logging here.

Suggested change
log.severe("Rekor entry could not be parsed");
log.severe(rawResponse);
throw new RekorParseException("Rekor entry json could not be parsed: " + ex.getMessage(), ex);
throw new RekorParseException("Rekor entry json could not be parsed: " + rawResponse, ex);

ex.getMessage() would be automatically included as a part of Caused by:..., so explicitly concatenating ex.getMessage() is not useful.

Copy link
Member Author

@loosebazooka loosebazooka Aug 4, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sgtm... I imagine that response could be pretty huge, but whatever, this appears to be a pretty edge error case.

@loosebazooka
Fix some issues found by fuzzer
53dd398 
- Catch parsing exceptions when handling rekor response
- Check bundle before reading first tlog entry

Signed-off-by: Appu Goundan <appu@google.com>
vlsi
vlsi reviewed Aug 4, 2023
View reviewed changes
sigstore-java/src/main/java/dev/sigstore/rekor/client/RekorResponse.java
Map<String, RekorEntry> entryMap;
try {
entryMap = GSON.get().fromJson(rawResponse, type);
} catch (JsonSyntaxException | NullPointerException | StringIndexOutOfBoundsException ex) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should report npe to gson team

@loosebazooka
Copy link
Member Author

I think fuzzing caught a number format exception issue, but I'll fix that in a followup.

@loosebazooka loosebazooka merged commit 59dae85 into main Aug 4, 2023
@loosebazooka loosebazooka deleted the fix-a-fuzzing-issue branch August 4, 2023 17:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vlsi vlsi vlsi approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@loosebazooka @vlsi