apache
diff --git a/‎modules/fuzz/README.md‎
Lines changed: 126 additions & 0 deletions b/‎modules/fuzz/README.md‎
Lines changed: 126 additions & 0 deletions
diff --git a/‎modules/fuzz/pom.xml‎
Lines changed: 137 additions & 0 deletions b/‎modules/fuzz/pom.xml‎
Lines changed: 137 additions & 0 deletions
diff --git a/‎modules/fuzz/run-fuzzers.sh‎
Lines changed: 100 additions & 0 deletions b/‎modules/fuzz/run-fuzzers.sh‎
Lines changed: 100 additions & 0 deletions
@@ -0,0 +1,126 @@
+# Apache Axis2/Java Fuzz Testing Module
+
+Comprehensive fuzz testing for Axis2/Java parsers, mirroring the [Axis2/C OSS-Fuzz approach](https://github.com/apache/axis-axis2-c-core/tree/master/fuzz).
+
+## Overview
+
+This module provides Jazzer-compatible fuzz targets for security testing:
+
+| Fuzzer | Component | Attack Vectors |
+|--------|-----------|----------------|
+| `XmlParserFuzzer` | AXIOM/StAX | XXE, XML bombs, buffer overflows |
+| `JsonParserFuzzer` | Gson | Deep nesting, integer overflow, malformed JSON |
+| `HttpHeaderFuzzer` | HTTP headers | CRLF injection, header parsing |
+| `UrlParserFuzzer` | URL/URI parsing | SSRF, path traversal, malformed URLs |
+
+## Running Fuzzers Locally
+
+### Prerequisites
+
+```bash
+# Install Jazzer
+# Option 1: Download from GitHub releases
+wget https://github.com/CodeIntelligenceTesting/jazzer/releases/download/v0.22.1/jazzer-linux.tar.gz
+tar xzf jazzer-linux.tar.gz
+
+# Option 2: Use Docker
+docker pull cifuzz/jazzer
+```
+
+### Build the Fuzz Module
+
+```bash
+cd /path/to/axis-axis2-java-core
+
+# Build all modules first
+mvn install -DskipTests
+
+# Build the fuzz module
+cd modules/fuzz
+mvn package
+```
+
+### Run Individual Fuzzers
+
+```bash
+# XML Parser Fuzzer
+./jazzer --cp=target/axis2-fuzz-2.0.1-SNAPSHOT.jar \
+    --target_class=org.apache.axis2.fuzz.XmlParserFuzzer \
+    --instrumentation_includes=org.apache.axiom.** \
+    -max_total_time=300
+
+# JSON Parser Fuzzer
+./jazzer --cp=target/axis2-fuzz-2.0.1-SNAPSHOT.jar \
+    --target_class=org.apache.axis2.fuzz.JsonParserFuzzer \
+    --instrumentation_includes=com.google.gson.** \
+    -max_total_time=300
+
+# HTTP Header Fuzzer
+./jazzer --cp=target/axis2-fuzz-2.0.1-SNAPSHOT.jar \
+    --target_class=org.apache.axis2.fuzz.HttpHeaderFuzzer \
+    --instrumentation_includes=org.apache.axis2.** \
+    -max_total_time=300
+
+# URL Parser Fuzzer
+./jazzer --cp=target/axis2-fuzz-2.0.1-SNAPSHOT.jar \
+    --target_class=org.apache.axis2.fuzz.UrlParserFuzzer \
+    --instrumentation_includes=org.apache.axis2.** \
+    -max_total_time=300
+```
+
+### Run with JUnit (Regression Testing)
+
+The fuzzers can also be run as JUnit tests for CI integration:
+
+```bash
+mvn test -Djazzer.fuzz=true
+```
+
+## Understanding Output
+
+### Successful Run
+```
+INFO: Seed: 1234567890
+#1000000 DONE cov: 1234 ft: 5678 corp: 100/10Kb exec/s: 50000
+```
+
+### Crash Found
+```
+== Java Exception: java.lang.OutOfMemoryError
+    at org.apache.axiom.om.impl.builder.StAXOMBuilder.<init>
+Crash file: crash-abc123def456
+```
+
+The crash file contains the input that triggered the bug. Reproduce with:
+```bash
+./jazzer --cp=target/axis2-fuzz-2.0.1-SNAPSHOT.jar \
+    --target_class=org.apache.axis2.fuzz.XmlParserFuzzer \
+    crash-abc123def456
+```
+
+## Comparison with Axis2/C Fuzzers
+
+| Axis2/C | Axis2/Java | Component |
+|---------|------------|-----------|
+| `fuzz_xml_parser.c` | `XmlParserFuzzer.java` | XML/AXIOM |
+| `fuzz_json_parser.c` | `JsonParserFuzzer.java` | JSON |
+| `fuzz_json_reader.c` | (integrated in JsonParserFuzzer) | JSON→XML |
+| `fuzz_http_header.c` | `HttpHeaderFuzzer.java` | HTTP headers |
+| `fuzz_url_parser.c` | `UrlParserFuzzer.java` | URL parsing |
+
+## Security Vulnerability Reporting
+
+If fuzzing finds a security vulnerability:
+
+1. **Do NOT** open a public GitHub issue
+2. Report to Apache Security Team: security@apache.org
+3. Include:
+   - Crash file (input that triggers the bug)
+   - Stack trace
+   - Axis2/Java version
+
+## Related Documentation
+
+- [Axis2/C OSS-Fuzz Integration](https://github.com/apache/axis-axis2-c-core/blob/master/docs/OSS-FUZZ.md)
+- [Jazzer Documentation](https://github.com/CodeIntelligenceTesting/jazzer)
+- [OSS-Fuzz Documentation](https://google.github.io/oss-fuzz/)
@@ -0,0 +1,137 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one
+  ~ or more contributor license agreements. See the NOTICE file
+  ~ distributed with this work for additional information
+  ~ regarding copyright ownership. The ASF licenses this file
+  ~ to you under the Apache License, Version 2.0 (the
+  ~ "License"); you may not use this file except in compliance
+  ~ with the License. You may obtain a copy of the License at
+  ~
+  ~ http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing,
+  ~ software distributed under the License is distributed on an
+  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  ~ KIND, either express or implied. See the License for the
+  ~ specific language governing permissions and limitations
+  ~ under the License.
+  -->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>org.apache.axis2</groupId>
+    <artifactId>axis2-fuzz</artifactId>
+    <version>2.0.1-SNAPSHOT</version>
+    <packaging>jar</packaging>
+    <name>Apache Axis2 - Fuzz Testing</name>
+    <description>
+        Comprehensive fuzz testing for Axis2/Java parsers.
+        Mirrors the Axis2/C OSS-Fuzz approach for finding security vulnerabilities.
+
+        Fuzz targets:
+        - XmlParserFuzzer: AXIOM/StAX XML parsing (XXE, XML bombs, buffer overflows)
+        - JsonParserFuzzer: Gson JSON parsing (deep nesting, malformed JSON)
+        - HttpHeaderFuzzer: HTTP header parsing (injection, overflows)
+        - UrlParserFuzzer: URL/URI parsing (SSRF, malformed URLs)
+    </description>
+
+    <properties>
+        <maven.compiler.source>11</maven.compiler.source>
+        <maven.compiler.target>11</maven.compiler.target>
+        <jazzer.version>0.22.1</jazzer.version>
+        <!-- Use 2.0.0 release (March 2025) for standalone testing; change to ${project.version} when integrated -->
+        <axis2.test.version>2.0.0</axis2.test.version>
+    </properties>
+
+    <dependencies>
+        <!-- Jazzer fuzzing framework -->
+        <dependency>
+            <groupId>com.code-intelligence</groupId>
+            <artifactId>jazzer-api</artifactId>
+            <version>${jazzer.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>com.code-intelligence</groupId>
+            <artifactId>jazzer-junit</artifactId>
+            <version>${jazzer.version}</version>
+            <scope>test</scope>
+        </dependency>
+
+        <!-- Axis2 modules to fuzz (using released version for standalone testing) -->
+        <dependency>
+            <groupId>org.apache.axis2</groupId>
+            <artifactId>axis2-kernel</artifactId>
+            <version>${axis2.test.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.axis2</groupId>
+            <artifactId>axis2-json</artifactId>
+            <version>${axis2.test.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.axis2</groupId>
+            <artifactId>axis2-transport-http</artifactId>
+            <version>${axis2.test.version}</version>
+        </dependency>
+
+        <!-- AXIOM for XML parsing (matches Axis2 2.0.0) -->
+        <dependency>
+            <groupId>org.apache.ws.commons.axiom</groupId>
+            <artifactId>axiom-api</artifactId>
+            <version>2.0.0</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.ws.commons.axiom</groupId>
+            <artifactId>axiom-impl</artifactId>
+            <version>2.0.0</version>
+        </dependency>
+
+        <!-- Gson for JSON parsing -->
+        <dependency>
+            <groupId>com.google.code.gson</groupId>
+            <artifactId>gson</artifactId>
+            <version>2.10.1</version>
+        </dependency>
+
+        <!-- Testing -->
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>4.13.2</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-shade-plugin</artifactId>
+                <version>3.5.1</version>
+                <executions>
+                    <execution>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>shade</goal>
+                        </goals>
+                        <configuration>
+                            <filters>
+                                <filter>
+                                    <artifact>*:*</artifact>
+                                    <excludes>
+                                        <exclude>META-INF/*.SF</exclude>
+                                        <exclude>META-INF/*.DSA</exclude>
+                                        <exclude>META-INF/*.RSA</exclude>
+                                    </excludes>
+                                </filter>
+                            </filters>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+</project>
@@ -0,0 +1,100 @@
+#!/bin/bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# Run all Axis2/Java fuzzers locally
+#
+# Usage: ./run-fuzzers.sh [duration_seconds]
+#
+# Prerequisites:
+#   - Jazzer installed and in PATH (or set JAZZER_PATH)
+#   - Axis2/Java built with: mvn install -DskipTests
+#   - Fuzz module built with: cd modules/fuzz && mvn package
+#
+
+set -e
+
+DURATION=${1:-60}  # Default 60 seconds per fuzzer
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+JAR_PATH="${SCRIPT_DIR}/target/axis2-fuzz-2.0.1-SNAPSHOT.jar"
+
+# Find Jazzer
+JAZZER="${JAZZER_PATH:-jazzer}"
+if ! command -v "$JAZZER" &> /dev/null; then
+    echo "Error: Jazzer not found. Install from:"
+    echo "  https://github.com/CodeIntelligenceTesting/jazzer/releases"
+    exit 1
+fi
+
+# Check if JAR exists
+if [ ! -f "$JAR_PATH" ]; then
+    echo "Error: Fuzz JAR not found at $JAR_PATH"
+    echo "Build with: cd modules/fuzz && mvn package"
+    exit 1
+fi
+
+echo "========================================"
+echo "Axis2/Java Fuzz Testing"
+echo "Duration per fuzzer: ${DURATION}s"
+echo "========================================"
+
+FUZZERS=(
+    "org.apache.axis2.fuzz.XmlParserFuzzer"
+    "org.apache.axis2.fuzz.JsonParserFuzzer"
+    "org.apache.axis2.fuzz.HttpHeaderFuzzer"
+    "org.apache.axis2.fuzz.UrlParserFuzzer"
+)
+
+RESULTS=()
+
+for FUZZER in "${FUZZERS[@]}"; do
+    echo ""
+    echo "----------------------------------------"
+    echo "Running: $FUZZER"
+    echo "----------------------------------------"
+
+    FUZZER_NAME=$(echo "$FUZZER" | sed 's/.*\.//')
+    CORPUS_DIR="${SCRIPT_DIR}/corpus/${FUZZER_NAME}"
+    mkdir -p "$CORPUS_DIR"
+
+    if "$JAZZER" \
+        --cp="$JAR_PATH" \
+        --target_class="$FUZZER" \
+        --keep_going=10 \
+        "$CORPUS_DIR" \
+        -- \
+        -max_total_time="$DURATION" \
+        -print_final_stats=1 2>&1; then
+        RESULTS+=("✅ $FUZZER_NAME: PASS")
+    else
+        EXIT_CODE=$?
+        if [ $EXIT_CODE -eq 77 ]; then
+            RESULTS+=("⚠️  $FUZZER_NAME: Crash found (see crash-* file)")
+        else
+            RESULTS+=("❌ $FUZZER_NAME: Error (exit code $EXIT_CODE)")
+        fi
+    fi
+done
+
+echo ""
+echo "========================================"
+echo "Summary"
+echo "========================================"
+for RESULT in "${RESULTS[@]}"; do
+    echo "$RESULT"
+done