Add fuzz testers to //net for some functions with simple parsing APIs.

TBR=jshin@chromium.org Review URL: https://codereview.chromium.org/1735043004 Cr-Commit-Position: refs/heads/master@{#378865}
author: eroman <eroman@chromium.org> 2016-03-02 14:46:30 -0800
committer: Commit bot <commit-bot@chromium.org> 2016-03-02 22:48:45 +0000
commit: e6264fd9d125c729b60aad95924a6464e6d1b071 (patch)
tree: 5597e1066ad9f3cfb6320bd22e928368118acdde /net
parent: 2160ae0126d1adc88ec8abe5f97291119cb42d68 (diff)
download: chromium_src-e6264fd9d125c729b60aad95924a6464e6d1b071.zip
chromium_src-e6264fd9d125c729b60aad95924a6464e6d1b071.tar.gz
chromium_src-e6264fd9d125c729b60aad95924a6464e6d1b071.tar.bz2
13 files changed, 265 insertions, 0 deletions
diff --git a/net/BUILD.gn b/net/BUILD.gn
index 064ea28..d5bbb06 100644
--- a/net/BUILD.gn
+++ b/net/BUILD.gn
@@ -9,6 +9,7 @@ import("//build/config/crypto.gni")
 import("//build/config/features.gni")
 import("//build/config/ui.gni")
 import("//build_overrides/v8.gni")
+import("//testing/libfuzzer/fuzzer_test.gni")
 import("//testing/test.gni")
 import("//third_party/icu/config.gni")
 import("//third_party/protobuf/proto_library.gni")
@@ -1741,6 +1742,91 @@ executable("net_perftests") {
   }
 }
 
+fuzzer_test("parse_proxy_list_pac_fuzzer") {
+  sources = [
+    "proxy/parse_proxy_list_pac_fuzzer.cc",
+  ]
+  deps = [
+    "//net",
+  ]
+}
+
+fuzzer_test("parse_proxy_list_fuzzer") {
+  sources = [
+    "proxy/parse_proxy_list_fuzzer.cc",
+  ]
+  deps = [
+    "//net",
+  ]
+}
+
+fuzzer_test("parse_proxy_bypass_rules_fuzzer") {
+  sources = [
+    "proxy/parse_proxy_bypass_rules_fuzzer.cc",
+  ]
+  deps = [
+    "//net",
+  ]
+}
+
+fuzzer_test("parse_proxy_rules_fuzzer") {
+  sources = [
+    "proxy/parse_proxy_rules_fuzzer.cc",
+  ]
+  deps = [
+    "//net",
+  ]
+}
+
+fuzzer_test("parse_data_url_fuzzer") {
+  sources = [
+    "base/parse_data_url_fuzzer.cc",
+  ]
+  deps = [
+    "//base",
+    "//net",
+  ]
+}
+
+fuzzer_test("sniff_mime_type_fuzzer") {
+  sources = [
+    "base/sniff_mime_type_fuzzer.cc",
+  ]
+  deps = [
+    "//base",
+    "//net",
+  ]
+}
+
+fuzzer_test("parse_ip_pattern_fuzzer") {
+  sources = [
+    "base/parse_ip_pattern_fuzzer.cc",
+  ]
+  deps = [
+    "//net",
+  ]
+}
+
+fuzzer_test("get_domain_and_registry_fuzzer") {
+  sources = [
+    "base/registry_controlled_domains/get_domain_and_registry_fuzzer.cc",
+  ]
+  deps = [
+    "//base",
+    "//base:i18n",
+    "//net",
+  ]
+}
+
+fuzzer_test("parse_cookie_line_fuzzer") {
+  sources = [
+    "cookies/parse_cookie_line_fuzzer.cc",
+  ]
+  deps = [
+    "//net",
+  ]
+}
+
 buildflag_header("features") {
   header = "net_features.h"
 
diff --git a/net/DEPS b/net/DEPS
index d06c81a..f0e65ad 100644
--- a/net/DEPS
+++ b/net/DEPS
@@ -60,6 +60,10 @@ specific_include_rules = {
   "brotli_filter\.cc": [
     "+third_party/brotli",
   ],
+
+  "get_domain_and_registry_fuzzer.cc": [
+    "+base/i18n",
+  ],
 }
 
 skip_child_includes = [
diff --git a/net/base/data_url.cc b/net/base/data_url.cc
index 07b8fb0..4d29bf6 100644
--- a/net/base/data_url.cc
+++ b/net/base/data_url.cc
@@ -21,6 +21,9 @@ namespace net {
 // static
 bool DataURL::Parse(const GURL& url, std::string* mime_type,
                     std::string* charset, std::string* data) {
+  if (!url.is_valid())
+    return false;
+
   DCHECK(mime_type->empty());
   DCHECK(charset->empty());
   std::string::const_iterator begin = url.spec().begin();
diff --git a/net/base/parse_data_url_fuzzer.cc b/net/base/parse_data_url_fuzzer.cc
new file mode 100644
index 0000000..f91b691
--- /dev/null
+++ b/net/base/parse_data_url_fuzzer.cc
@@ -0,0 +1,19 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "net/base/data_url.h"
+#include "url/gurl.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  std::string input(data, data + size);
+  std::string mime_type;
+  std::string charset;
+  std::string urldata;
+  net::DataURL::Parse(GURL(input), &mime_type, &charset, &urldata);
+  return 0;
+}
diff --git a/net/base/parse_ip_pattern_fuzzer.cc b/net/base/parse_ip_pattern_fuzzer.cc
new file mode 100644
index 0000000..67044e1
--- /dev/null
+++ b/net/base/parse_ip_pattern_fuzzer.cc
@@ -0,0 +1,16 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "net/base/ip_pattern.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  std::string input(data, data + size);
+  net::IPPattern pattern;
+  pattern.ParsePattern(input);
+  return 0;
+}
diff --git a/net/base/registry_controlled_domains/get_domain_and_registry_fuzzer.cc b/net/base/registry_controlled_domains/get_domain_and_registry_fuzzer.cc
new file mode 100644
index 0000000..8b749c1
--- /dev/null
+++ b/net/base/registry_controlled_domains/get_domain_and_registry_fuzzer.cc
@@ -0,0 +1,35 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "base/at_exit.h"
+#include "base/i18n/icu_util.h"
+#include "base/strings/string_piece.h"
+#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
+#include "url/gurl.h"
+
+// Initialize ICU.
+struct InitICU {
+  InitICU() { CHECK(base::i18n::InitializeICU()); }
+  base::AtExitManager at_exit_manager;
+};
+
+InitICU* init_icu = new InitICU();
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  // Call GetDomainAndRegistry() twice - once with each filter type to ensure
+  // both code paths are exercised.
+  net::registry_controlled_domains::GetDomainAndRegistry(
+      base::StringPiece(reinterpret_cast<const char*>(data), size),
+      net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES);
+
+  net::registry_controlled_domains::GetDomainAndRegistry(
+      base::StringPiece(reinterpret_cast<const char*>(data), size),
+      net::registry_controlled_domains::EXCLUDE_PRIVATE_REGISTRIES);
+
+  return 0;
+}
diff --git a/net/base/sniff_mime_type_fuzzer.cc b/net/base/sniff_mime_type_fuzzer.cc
new file mode 100644
index 0000000..02fbc15
--- /dev/null
+++ b/net/base/sniff_mime_type_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "net/base/mime_sniffer.h"
+#include "url/gurl.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  std::string result;
+  net::SniffMimeType(reinterpret_cast<const char*>(data), size,
+                     GURL("http://www.example-url.com/xyz"), "", &result);
+
+  return 0;
+}
diff --git a/net/cookies/parse_cookie_line_fuzzer.cc b/net/cookies/parse_cookie_line_fuzzer.cc
new file mode 100644
index 0000000..9978398
--- /dev/null
+++ b/net/cookies/parse_cookie_line_fuzzer.cc
@@ -0,0 +1,15 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "net/cookies/parsed_cookie.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  std::string input(data, data + size);
+  net::ParsedCookie parsed_cookie(input);
+  return 0;
+}
diff --git a/net/proxy/parse_proxy_bypass_rules_fuzzer.cc b/net/proxy/parse_proxy_bypass_rules_fuzzer.cc
new file mode 100644
index 0000000..1a9c63c
--- /dev/null
+++ b/net/proxy/parse_proxy_bypass_rules_fuzzer.cc
@@ -0,0 +1,16 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "net/proxy/proxy_bypass_rules.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  net::ProxyBypassRules rules;
+  std::string input(data, data + size);
+  rules.ParseFromString(input);
+  return 0;
+}
diff --git a/net/proxy/parse_proxy_list_fuzzer.cc b/net/proxy/parse_proxy_list_fuzzer.cc
new file mode 100644
index 0000000..0488549
--- /dev/null
+++ b/net/proxy/parse_proxy_list_fuzzer.cc
@@ -0,0 +1,16 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "net/proxy/proxy_list.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  net::ProxyList list;
+  std::string input(data, data + size);
+  list.Set(input);
+  return 0;
+}
diff --git a/net/proxy/parse_proxy_list_pac_fuzzer.cc b/net/proxy/parse_proxy_list_pac_fuzzer.cc
new file mode 100644
index 0000000..556773c
--- /dev/null
+++ b/net/proxy/parse_proxy_list_pac_fuzzer.cc
@@ -0,0 +1,16 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "net/proxy/proxy_list.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  net::ProxyList list;
+  std::string input(data, data + size);
+  list.SetFromPacString(input);
+  return 0;
+}
diff --git a/net/proxy/parse_proxy_rules_fuzzer.cc b/net/proxy/parse_proxy_rules_fuzzer.cc
new file mode 100644
index 0000000..cd88cdd
--- /dev/null
+++ b/net/proxy/parse_proxy_rules_fuzzer.cc
@@ -0,0 +1,16 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "net/proxy/proxy_config.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  net::ProxyConfig::ProxyRules rules;
+  std::string input(data, data + size);
+  rules.ParseFromString(input);
+  return 0;
+}
diff --git a/net/proxy/proxy_bypass_rules.cc b/net/proxy/proxy_bypass_rules.cc
index f31fa7b..e74d9e6 100644
--- a/net/proxy/proxy_bypass_rules.cc
+++ b/net/proxy/proxy_bypass_rules.cc
@@ -301,6 +301,11 @@ bool ProxyBypassRules::AddRuleFromStringInternal(
   std::string host;
   int port;
   if (ParseHostAndPort(raw, &host, &port)) {
+    // TODO(eroman): HostForURL() below DCHECKs() when |host| contains an
+    // embedded NULL.
+    if (host.find('\0') != std::string::npos)
+      return false;
+
     // Note that HostPortPair is used to merely to convert any IPv6 literals to
     // a URL-safe format that can be used by canonicalization below.
     std::string bracketed_host = HostPortPair(host, 80).HostForURL();
author	eroman <eroman@chromium.org>	2016-03-02 14:46:30 -0800
committer	Commit bot <commit-bot@chromium.org>	2016-03-02 22:48:45 +0000
commit	e6264fd9d125c729b60aad95924a6464e6d1b071 (patch)
tree	5597e1066ad9f3cfb6320bd22e928368118acdde /net
parent	2160ae0126d1adc88ec8abe5f97291119cb42d68 (diff)
download	chromium_src-e6264fd9d125c729b60aad95924a6464e6d1b071.zip chromium_src-e6264fd9d125c729b60aad95924a6464e6d1b071.tar.gz chromium_src-e6264fd9d125c729b60aad95924a6464e6d1b071.tar.bz2