
jsoup: add cleaner fuzzers

Open acornall opened this issue 2 weeks ago • 4 comments

[WIP] Introduce fuzzers to detect regressions or bugs in jsoup's cleaner module. These are/will be intended to be more security oriented checks and may help proactively identify regressions like https://github.com/jhy/jsoup/issues/2320.

acornall avatar Dec 10 '25 04:12 acornall

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

google-cla[bot] avatar Dec 10 '25 04:12 google-cla[bot]

acornall is a new contributor to projects/jsoup. The PR must be approved by known contributors before it can be merged. The past contributors are: jhy, henryrneh, fmeum, inferno-chromium, 0roman

github-actions[bot] avatar Dec 10 '25 04:12 github-actions[bot]

Hey @jhy I wanted to get your thoughts on introducing this style of fuzzer to the project and if they'd be welcome? I plan to introduce some other variations of this for different safelist configs if so :)

acornall avatar Dec 10 '25 04:12 acornall

Hi @acornall, conceptually I definitely think it would be good to build out coverage for the Cleaner.

As it stands this fuzzer could just about be a unit test though in Cleaner IMV. The codepath to emit any output regardless of what elements were passed in is pretty closed. So the fuzzer is going to spend a lot of resources without hitting anything, and not meaningfully extending the fuzzed code coverage. (I assume that's true; and that after running it you haven't had any hits?)

Do you have a suggestion on how you would extend this to implement a fuller test that would add more fuzz coverage within the cleaner / safelist? That would have identified the SVG script example?

Also I would point out that I have plans to refactor the API to be more Document + Parser oriented; see https://github.com/jhy/jsoup/issues/2284. That doesn't really change how we could fuzz it, just that we would want to align it once done.

jhy avatar Dec 10 '25 07:12 jhy
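One shape such a fuller fuzzer could take, as an added example for this discussion that is neither the PR's code nor jsoup's own: a Jazzer target that assembles markup from a small tag/attribute vocabulary so most inputs reach Cleaner's element-copy and attribute-filter logic rather than only the parser, then re-parses the cleaned output and asserts invariants that Safelist.basic() must uphold. The class name, the vocabulary, the invariant set, and the choice of Safelist.basic() are assumptions made for illustration; the jsoup and Jazzer API calls used are the public ones.

```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Attribute;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Safelist;

import java.util.Locale;

/**
 * Added example of a structure-aware, property-checking Cleaner fuzz target.
 * Illustrative code: not the fuzzer from the PR and not part of jsoup.
 * Two ideas: (1) build markup from a vocabulary of tags/attributes so inputs
 * exercise Cleaner's filtering rather than dying in the parser, and (2)
 * re-parse the cleaned output and assert invariants the chosen safelist must
 * guarantee. Any violation throws, which Jazzer reports as a finding.
 */
public class CleanerInvariantFuzzer {

    // Assumption: Safelist.basic() is the configuration under test. Variants
    // for relaxed() or basicWithImages() would adjust the invariants below.
    private static final Safelist SAFELIST = Safelist.basic();

    // Vocabulary skewed toward namespace and script-bearing constructs.
    private static final String[] TAGS = {
        "a", "b", "p", "div", "span", "pre", "script", "style", "iframe",
        "svg", "math", "foreignObject", "use", "image", "object", "embed"
    };
    private static final String[] ATTRS = {
        "href", "src", "xlink:href", "onload", "onclick", "style", "rel", "xmlns"
    };
    private static final String[] VALUES = {
        "http://example.com/", "javascript:alert(1)", "JaVaScRiPt:alert(1)",
        "data:text/html,x", "#frag", "//example.com/x", "http://www.w3.org/2000/svg"
    };

    // Jazzer entry point.
    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        String input = buildMarkup(data);
        String cleaned = Jsoup.clean(input, SAFELIST);
        checkInvariants(input, cleaned);
    }

    /** Assemble nested markup; a raw tail keeps the parser's own edge cases in play. */
    static String buildMarkup(FuzzedDataProvider data) {
        StringBuilder sb = new StringBuilder();
        int depth = data.consumeInt(0, 6);
        String[] open = new String[depth];
        for (int i = 0; i < depth; i++) {
            String tag = data.pickValue(TAGS);
            open[i] = tag;
            sb.append('<').append(tag);
            int nAttrs = data.consumeInt(0, 3);
            for (int j = 0; j < nAttrs; j++) {
                sb.append(' ').append(data.pickValue(ATTRS))
                  .append("=\"").append(data.pickValue(VALUES)).append('"');
            }
            sb.append('>');
            if (data.consumeBoolean()) sb.append(data.consumeString(16));
        }
        // Close tags only sometimes, so unbalanced trees reach the Cleaner too.
        for (int i = depth - 1; i >= 0; i--) {
            if (data.consumeBoolean()) sb.append("</").append(open[i]).append('>');
        }
        sb.append(data.consumeRemainingAsString());
        return sb.toString();
    }

    /** Invariants that Safelist.basic() output must satisfy, checked on re-parse. */
    static void checkInvariants(String input, String cleaned) {
        Document doc = Jsoup.parseBodyFragment(cleaned);
        for (Element el : doc.body().getAllElements()) {
            String tag = el.normalName();
            // Executable or embedding elements are not in basic(); catching one
            // here regardless of the namespace it came from is the point.
            if (tag.equals("script") || tag.equals("style") || tag.equals("iframe")
                    || tag.equals("object") || tag.equals("embed")) {
                fail("forbidden element <" + tag + "> survived", input, cleaned);
            }
            for (Attribute attr : el.attributes()) {
                String key = attr.getKey().toLowerCase(Locale.ROOT);
                String val = attr.getValue().trim().toLowerCase(Locale.ROOT);
                if (key.startsWith("on")) {
                    fail("event handler attribute " + key + " survived", input, cleaned);
                }
                if ((key.equals("href") || key.endsWith(":href") || key.equals("src"))
                        && val.startsWith("javascript:")) {
                    fail("javascript: URL in " + key + " survived", input, cleaned);
                }
            }
        }
    }

    private static void fail(String what, String input, String cleaned) {
        throw new AssertionError(what + "\n input:   " + input + "\n cleaned: " + cleaned);
    }
}
```

The invariants are deliberately narrow so they hold for basic() without false positives; a variant for relaxed() or basicWithImages() needs its own list of what may legitimately survive. The raw tail appended after the generated tree is what keeps the parser's own edge cases (unterminated tags, entities, foreign content) in the corpus rather than trading them away for Cleaner coverage.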