brillo/http/http_form_data_fuzzer.cc


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123

// Copyright 2019 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include <stddef.h>
#include <stdint.h>

#include <base/files/file_path.h>
#include <base/files/file_util.h>
#include <base/files/scoped_temp_dir.h>
#include <base/logging.h>
#include <brillo/http/http_form_data.h>
#include <brillo/streams/memory_stream.h>
#include <fuzzer/FuzzedDataProvider.h>

namespace {
constexpr int kRandomDataMaxLength = 64;

std::unique_ptr<brillo::http::TextFormField> CreateTextFormField(
    FuzzedDataProvider* data_provider) {
  return std::make_unique<brillo::http::TextFormField>(
      data_provider->ConsumeRandomLengthString(kRandomDataMaxLength),
      data_provider->ConsumeRandomLengthString(kRandomDataMaxLength),
      data_provider->ConsumeRandomLengthString(kRandomDataMaxLength),
      data_provider->ConsumeRandomLengthString(kRandomDataMaxLength));
}

std::unique_ptr<brillo::http::FileFormField> CreateFileFormField(
    FuzzedDataProvider* data_provider) {
  brillo::StreamPtr mem_stream = brillo::MemoryStream::OpenCopyOf(
      data_provider->ConsumeRandomLengthString(kRandomDataMaxLength), nullptr);
  return std::make_unique<brillo::http::FileFormField>(
      data_provider->ConsumeRandomLengthString(kRandomDataMaxLength),
      std::move(mem_stream),
      data_provider->ConsumeRandomLengthString(kRandomDataMaxLength),
      data_provider->ConsumeRandomLengthString(kRandomDataMaxLength),
      data_provider->ConsumeRandomLengthString(kRandomDataMaxLength),
      data_provider->ConsumeRandomLengthString(kRandomDataMaxLength));
}

std::unique_ptr<brillo::http::MultiPartFormField> CreateMultipartFormField(
    FuzzedDataProvider* data_provider) {
  std::unique_ptr<brillo::http::MultiPartFormField> multipart_field =
      std::make_unique<brillo::http::MultiPartFormField>(
          data_provider->ConsumeRandomLengthString(kRandomDataMaxLength),
          data_provider->ConsumeRandomLengthString(kRandomDataMaxLength),
          data_provider->ConsumeRandomLengthString(kRandomDataMaxLength));

  // Randomly add fields to this like we do the base FormData, but don't loop
  // forever.
  while (data_provider->ConsumeBool()) {
    if (data_provider->ConsumeBool()) {
      // Add a random text field to the form.
      multipart_field->AddCustomField(CreateTextFormField(data_provider));
    }
    if (data_provider->ConsumeBool()) {
      // Add a random file field to the form.
      multipart_field->AddCustomField(CreateFileFormField(data_provider));
    }
    if (data_provider->ConsumeBool()) {
      // Add a random multipart form field to the form.
      multipart_field->AddCustomField(CreateMultipartFormField(data_provider));
    }
  }

  return multipart_field;
}

}  // namespace

bool IgnoreLogging(int, const char*, int, size_t, const std::string&) {
  return true;
}

class Environment {
 public:
  Environment() {
    // Disable logging. Normally this would be done with logging::SetMinLogLevel
    // but that doesn't work for brillo::Error for because it's not using the
    // LOG(ERROR) macro which is where the actual log level check occurs.
    logging::SetLogMessageHandler(&IgnoreLogging);
  }
};

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  static Environment env;
  FuzzedDataProvider data_provider(data, size);
  // Randomly add a bunch of fields to the FormData and then when done extract
  // and consume the data stream.
  brillo::http::FormData form_data(
      data_provider.ConsumeRandomLengthString(kRandomDataMaxLength));
  while (data_provider.remaining_bytes() > 0) {
    if (data_provider.ConsumeBool()) {
      // Add a random text field to the form.
      form_data.AddCustomField(CreateTextFormField(&data_provider));
    }
    if (data_provider.ConsumeBool()) {
      // Add a random file field to the form.
      form_data.AddCustomField(CreateFileFormField(&data_provider));
    }
    if (data_provider.ConsumeBool()) {
      // Add a random multipart form field to the form.
      form_data.AddCustomField(CreateMultipartFormField(&data_provider));
    }
  }

  brillo::StreamPtr form_stream = form_data.ExtractDataStream();
  if (!form_stream)
    return 0;

  // We need to use a decent sized buffer and call ReadAllBlocking to avoid
  // excess overhead with reading here that can make the fuzzer timeout.
  uint8_t buffer[32768];
  while (form_stream->GetRemainingSize() > 0) {
    if (!form_stream->ReadAllBlocking(buffer, sizeof(buffer), nullptr)) {
      // If there's an error reading from the stream, then bail since we'd
      // likely just see repeated errors and never exit.
      break;
    }
  }

  return 0;
}