fix(path traversal): sanitizers should not cause exceptions

oetr · oetr · commit 7b52088872cd · 2025-07-03T23:41:19.000+02:00
diff --git a/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/FilePathTraversal.java b/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/FilePathTraversal.java
@@ -342,7 +342,14 @@ private static void check(Path p) {
       return;
     }
 
-    if (p.toAbsolutePath().normalize().equals(ABSOLUTE_TARGET)) {
+    // catch all exceptions that might be thrown by the sanitizer
+    Path normalized;
+    try {
+      normalized = p.toAbsolutePath().normalize();
+    } catch (InvalidPathException e) {
+      return;
+    }
+    if (normalized.equals(ABSOLUTE_TARGET)) {
       Jazzer.reportFindingFromHook(new FuzzerSecurityIssueCritical("File path traversal: " + p));
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -342,7 +342,14 @@ private static void check(Path p) {`
`342`	`342`	`return;`
`343`	`343`	`}`
`344`	`344`
`345`		`- if (p.toAbsolutePath().normalize().equals(ABSOLUTE_TARGET)) {`
	`345`	`+ // catch all exceptions that might be thrown by the sanitizer`
	`346`	`+ Path normalized;`
	`347`	`+ try {`
	`348`	`+ normalized = p.toAbsolutePath().normalize();`
	`349`	`+ } catch (InvalidPathException e) {`
	`350`	`+ return;`
	`351`	`+ }`
	`352`	`+ if (normalized.equals(ABSOLUTE_TARGET)) {`
`346`	`353`	`Jazzer.reportFindingFromHook(new FuzzerSecurityIssueCritical("File path traversal: " + p));`
`347`	`354`	`}`
`348`	`355`	`}`