Make Jazzer tests safer / make dangerous tests opt-in #971

@Marcono1234

See #932 (comment)

It seems some of Jazzer's own tests, especially related to the sanitizers, are inherently unsafe and could in the worst case damage the OS they are running on.

For example:

  • OsCommandInjectionProcessBuilder, OsCommandInjectionRuntimeExec: run arbitrary OS commands
  • ExpressionLanguageInjection, LdapDnInjection, LdapSearchInjection, ObjectInputStreamDeserialization, XPathInjection: run arbitrary code in the worst case?
  • SsrfHttpClient, SsrfSocketConnect, SsrfSocketConnectToHost (?), SsrfUrlConnection: send network requests to arbitrary hosts

I am not completely sure for all of them, and maybe there are more problematic tests.

If possible it would be good to edit or extend these tests so that they don't perform any potentially dangerous actions (e.g. by using dummy implementations, similar to how it is done for the ScriptEngineInjection test, or using no-op method hooks as suggested in #932 (comment)).
Or if that cannot be avoided, make the tests opt-in (with an explicit command line option, e.g. --enable-dangerous-tests) and then only run them on CI?

What do you think?
