blob: afb2b0a0c3d1a489a38db702732037adffcc78a3 [file] [view]
# OSS-Fuzz Integration for Axis2/Java
## Status: Implemented and Tested - Pending OSS-Fuzz Submission
This document describes the fuzz testing infrastructure developed for Apache Axis2/Java,
mirroring the approach used for Axis2/C. The implementation is complete and tested but
has not yet been submitted to Google's OSS-Fuzz service.
## Background
### What is OSS-Fuzz?
[OSS-Fuzz](https://google.github.io/oss-fuzz/) is Google's continuous fuzzing service
for open source projects. It runs fuzz targets 24/7 on Google's infrastructure,
automatically finding security vulnerabilities and stability bugs. When bugs are found,
OSS-Fuzz files issues and provides reproducer test cases.
### Why Fuzz Testing?
Fuzz testing (fuzzing) feeds random, malformed, or unexpected data to parsers and
processors to find:
- Buffer overflows and memory corruption
- Denial of service vulnerabilities (stack exhaustion, infinite loops)
- XML External Entity (XXE) injection
- Server-Side Request Forgery (SSRF)
- Injection attacks (SQL, LDAP, command injection)
- Resource exhaustion (billion laughs, zip bombs)
### Axis2/C OSS-Fuzz Integration
Axis2/C has an active OSS-Fuzz integration at:
https://github.com/google/oss-fuzz/tree/master/projects/axis2c
The Axis2/C fuzzers target:
- `fuzz_xml_parser.c` - Guththila XML parser
- `fuzz_http_header.c` - HTTP header parsing
- `fuzz_url_parser.c` - URL/URI parsing
- `fuzz_om_parser.c` - AXIOM object model
- `fuzz_json_parser.c` - JSON parsing
## Axis2/Java Fuzz Module
### Location
```
modules/fuzz/
├── pom.xml
├── README.md
├── run-fuzzers.sh
└── src/main/java/org/apache/axis2/fuzz/
├── XmlParserFuzzer.java
├── JsonParserFuzzer.java
├── HttpHeaderFuzzer.java
└── UrlParserFuzzer.java
```
### Fuzz Targets
#### 1. XmlParserFuzzer
Tests AXIOM/StAX XML parsing for:
- XXE (XML External Entity) injection
- Billion laughs / XML bomb attacks
- Buffer overflows in element/attribute handling
- Malformed XML handling
- Deep nesting stack exhaustion
```java
public static void fuzzerTestOneInput(FuzzedDataProvider data) {
byte[] xmlBytes = data.consumeBytes(MAX_INPUT_SIZE);
// Parse with AXIOM and exercise the DOM
OMXMLParserWrapper builder = OMXMLBuilderFactory.createOMBuilder(...);
OMElement root = builder.getDocumentElement();
exerciseElement(root, 0);
}
```
#### 2. JsonParserFuzzer
Tests Gson JSON parsing for:
- Deep nesting stack exhaustion (CVE-2024-57699 pattern)
- Integer overflow in size calculations
- Malformed JSON handling
- Memory exhaustion from large payloads
- Unicode handling issues
```java
public static void fuzzerTestOneInput(FuzzedDataProvider data) {
byte[] jsonBytes = data.consumeBytes(MAX_INPUT_SIZE);
JsonElement element = JsonParser.parseString(jsonString);
exerciseElement(element, 0);
}
```
#### 3. HttpHeaderFuzzer
Tests HTTP header parsing for:
- Header injection attacks (CRLF injection)
- Buffer overflows from long headers
- Content-Type parsing vulnerabilities
- Charset extraction issues
- Boundary parsing for multipart
```java
public static void fuzzerTestOneInput(FuzzedDataProvider data) {
byte[] headerBytes = data.consumeBytes(MAX_INPUT_SIZE);
testContentTypeParsing(headerString);
testHeaderLineParsing(headerString);
testMultipleHeaders(headerString);
}
```
#### 4. UrlParserFuzzer
Tests URL/URI parsing for:
- SSRF (Server-Side Request Forgery) bypass attempts
- Malformed URL handling
- URL encoding/decoding issues
- Path traversal attempts
- Protocol smuggling
```java
public static void fuzzerTestOneInput(FuzzedDataProvider data) {
byte[] urlBytes = data.consumeBytes(MAX_INPUT_SIZE);
testJavaUrl(urlString);
testJavaUri(urlString);
testEndpointReference(urlString);
testUrlEncoding(urlString);
}
```
### Technology Stack
- **Jazzer**: Java fuzzing framework compatible with libFuzzer
- https://github.com/CodeIntelligenceTesting/jazzer
- Version: 0.22.1
- **Axis2**: 2.0.0 (March 2025 release)
- **AXIOM**: 2.0.0
- **Gson**: 2.10.1
### Security Sanitizers
Jazzer automatically instruments code with security sanitizers that detect:
- SQL injection patterns
- LDAP injection
- Deserialization vulnerabilities
- Expression language injection
- OS command injection
- Server-side request forgery
- XPath injection
- Reflective call abuse
## Test Results (February 5, 2026)
### Summary: All Tests Passed
All four fuzzers were tested locally with Jazzer against Axis2/Java 2.0.0:
| Fuzzer | Iterations | Duration | Crashes | Security Findings | Result |
|--------|------------|----------|---------|-------------------|--------|
| XmlParserFuzzer | 2,160,477 | 61s | 0 | 0 | **PASS** |
| JsonParserFuzzer | 1,681,234 | 61s | 0 | 0 | **PASS** |
| HttpHeaderFuzzer | 1,206,672 | 61s | 0 | 0 | **PASS** |
| UrlParserFuzzer | 40,630,962 | 61s | 0 | 0 | **PASS** |
**Total: 45,679,345 fuzzing iterations with zero crashes or security findings.**
### What Was Verified
The successful test run confirms:
1. **No Memory Safety Issues**
- No OutOfMemoryError from malformed input
- No StackOverflowError from deep nesting attacks
- Proper bounds checking in all parsers
2. **No Injection Vulnerabilities Detected**
- XXE attempts handled safely by AXIOM
- CRLF injection in HTTP headers rejected
- URL parsing resistant to SSRF bypass patterns
- Path traversal attempts detected
3. **Robust Error Handling**
- Malformed XML gracefully rejected
- Invalid JSON syntax properly caught
- Truncated/malformed headers handled safely
- Invalid URL schemes rejected appropriately
4. **Active Security Sanitizers (No Triggers)**
- SQL injection patterns: 0 findings
- LDAP injection: 0 findings
- Deserialization attacks: 0 findings
- OS command injection: 0 findings
- Server-side request forgery: 0 findings
- XPath injection: 0 findings
### Test Environment
- **OS**: Linux 6.17.0-8-generic
- **Java**: OpenJDK 11+
- **Fuzzer**: Jazzer 0.22.1 with libFuzzer backend
- **Target**: Axis2/Java 2.0.0, AXIOM 2.0.0, Gson 2.10.1
### Interpretation
The parsers in Axis2/Java 2.0.0 are handling malformed input robustly. While 45.7 million
iterations provides good initial confidence, continuous fuzzing via OSS-Fuzz (running 24/7
for months) would provide deeper assurance by exploring billions of code paths.
## Why Not Submitted to OSS-Fuzz Yet
### Waiting for Axis2/C Response
Google's OSS-Fuzz team is currently reviewing the Axis2/C integration. We are waiting
for their response before submitting Axis2/Java to:
1. **Avoid duplicate review overhead** - Both projects are Apache Axis2 family
2. **Learn from Axis2/C feedback** - Apply any requested changes to Java version
3. **Coordinate project naming** - Ensure consistent naming (axis2c, axis2java)
4. **Establish maintainer relationships** - Same security contacts for both projects
### Google's Review Process
OSS-Fuzz submissions require:
- Project must have significant user base or be critical infrastructure
- Maintainers must be responsive to bug reports (90-day disclosure)
- Fuzzing must provide meaningful coverage
- Project must accept and fix reported bugs
Apache Axis2 qualifies on all criteria given its use in enterprise SOAP/REST services.
## Running Fuzzers Locally
### Prerequisites
1. Java 11+
2. Maven 3.6+
3. Jazzer (download from GitHub releases)
### Build
```bash
cd modules/fuzz
mvn package -DskipTests
```
### Run Individual Fuzzer
```bash
JAVA_OPTS="" jazzer \
--cp=target/axis2-fuzz-2.0.1-SNAPSHOT.jar \
--target_class=org.apache.axis2.fuzz.XmlParserFuzzer \
-max_total_time=3600
```
### Run All Fuzzers
```bash
./run-fuzzers.sh
```
## Future Work
1. **Submit to OSS-Fuzz** once Axis2/C integration is approved
2. **Add SOAP-specific fuzzers** for envelope parsing
3. **Add WSDL fuzzer** for service description parsing
4. **Integrate with CI** for pre-commit fuzzing (ClusterFuzzLite)
5. **Add corpus seeds** with real-world SOAP/XML samples
6. **Coverage-guided improvements** based on OSS-Fuzz metrics
## Security Contact
Security issues found by fuzzing should be reported to:
security@apache.org
Following Apache's coordinated disclosure policy.
## References
- [OSS-Fuzz Documentation](https://google.github.io/oss-fuzz/)
- [Jazzer GitHub](https://github.com/CodeIntelligenceTesting/jazzer)
- [Axis2/C OSS-Fuzz Project](https://github.com/google/oss-fuzz/tree/master/projects/axis2c)
- [Apache Security Policy](https://www.apache.org/security/)
- [AXIOM Documentation](https://ws.apache.org/axiom/)
---
*Document created: February 5, 2026*
*Fuzz module tested against Axis2/Java 2.0.0*