Virtue Pot
Challenge Information
Project: tika
Type: delta
Harnesses: 9
Vulnerabilities: 1
AFC Challenge Performance
Number of Unique Vulnerabilities Discovered: #
Number of Teams with Scoring PoVs: 4
Number of Teams with Scoring Patches: 2
Number of Teams with Scoring Bundles: 2
Total Points Scored for this Challenge: 22.219870216992597
What design decisions were considered for this challenge?
The delta resembles a standard “new feature” pull request, making it a realistic scenario for vulnerability discovery.
Why this set of vulnerabilities?
This is the sole Tika delta challenge in finals, focusing on an algorithmic complexity vulnerability that requires both recognition of the flaw and knowledge of efficient alternatives.
Delta vs Full and why?
Delta format is appropriate since Tika appeared in semi-finals as a full challenge, and this introduces a focused new-feature patch for analysis.
Challenge Harnesses
- HtmlParserFuzzer
- M3U8ParserFuzzer
- RTFParserFuzzer
- TextAndCSVParserFuzzer
- ThreeDXMLParserFuzzer
- TikaAppRUnpackerFuzzer
- TikaAppUnpackerFuzzer
- TikaAppUntarringFuzzer
- XliffParserFuzzer
Challenge Timeouts
enabled
Challenge Vulnerabilities
Brute Fractions
Vulnerability Information
Author: Tim Allison
Harness: TextAndCSVParserFuzzer
CWE Classification: CWE-834, CWE-407
What functions and functionality is relevant?
This delta adds new functionality for formatting a decimal value as a fraction, vaguely similar to the fraction number formats possible in xls and xlsx files.
Why is this vulnerable?
The vulnerability is an algorithmic complexity issue: the fraction formatter uses an inefficient algorithm and has no safeguards against expensive inputs.
Is this a replay and/or is it inspired by anything?
This is based on a vulnerability in Apache POI reported here:
https://issues.apache.org/jira/browse/TIKA-1132
What makes it interesting?
Solving this requires recognizing the algorithmic complexity issue and knowing the more efficient fraction algorithm; a good patch requires algorithmic knowledge.
Additional details
The good patch is based on: https://github.com/apache/poi/blob/trunk/poi/src/main/java/org/apache/poi/ss/format/SimpleFraction.java
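To make the CWE-407/CWE-834 contrast concrete, here is an added Java illustration (not Tika's or POI's code) of the two algorithm shapes: a brute-force scan over every candidate denominator, whose work grows linearly with an input-derived denominator bound, beside a continued-fraction search that is capped by both the denominator bound and a fixed iteration limit. The class and method names, and the assumption that the denominator bound is derived from the input being formatted, are mine.

```java
// Added illustration (not Tika or POI code): a "try every denominator" fraction formatter
// next to a continued-fraction one. Names and the input-derived denominator bound are assumed.
public final class FractionFormatDemo {

    static long bruteSteps, cfSteps;   // loop counters, so the cost of each approach is visible

    /** Vulnerable shape: linear scan over every denominator up to maxDen (CWE-407). */
    static String bruteFraction(double value, long maxDen) {
        long bestNum = 0, bestDen = 1;
        double bestErr = Double.MAX_VALUE;
        for (long den = 1; den <= maxDen; den++) {          // cost grows with maxDen
            bruteSteps++;
            long num = Math.round(value * den);
            double err = Math.abs(value - (double) num / den);
            if (err < bestErr) { bestErr = err; bestNum = num; bestDen = den; }
            if (err == 0.0) break;
        }
        return bestNum + "/" + bestDen;
    }

    /** Hardened shape: continued-fraction convergents p/q, bounded by maxDen AND maxIter (CWE-834). */
    static String cfFraction(double value, long maxDen, int maxIter) {
        long p0 = 0, q0 = 1, p1 = 1, q1 = 0;   // seeds of the convergent recurrence
        double x = value;
        for (int i = 0; i < maxIter; i++) {     // hard cap, independent of the input
            cfSteps++;
            long a = (long) Math.floor(x);
            long p2 = a * p1 + p0, q2 = a * q1 + q0;
            if (q2 > maxDen) break;             // next convergent is too fine; keep p1/q1
            p0 = p1; q0 = q1; p1 = p2; q1 = q2;
            double rem = x - a;
            if (rem < 1e-12) break;             // value is represented exactly
            x = 1.0 / rem;
        }
        return p1 + "/" + q1;                   // last convergent within the bound
    }

    public static void main(String[] args) {
        // Assumed: the denominator bound comes from the input (e.g. a format with six
        // denominator digits giving 10^6), so a caller decides how much work brute force does.
        long maxDen = 1_000_000L;
        double value = Math.PI;                 // many convergents before the bound is hit
        System.out.println("brute: " + bruteFraction(value, maxDen) + " in " + bruteSteps + " steps");
        System.out.println("cf:    " + cfFraction(value, maxDen, 64) + " in " + cfSteps + " steps");
        // Brute force returns the closest fraction with den <= maxDen; cf returns the last
        // convergent within the bound, which can differ when a semiconvergent is closer.
    }
}
```

The brute-force path performs one iteration per candidate denominator (a million here), while the continued-fraction path stops after roughly a dozen convergents regardless of how large the bound is.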
