diff --git a/devel/fuzz.sh b/devel/fuzz.sh
new file mode 100755
index 0000000..a0d292a
--- /dev/null
+++ b/devel/fuzz.sh
@@ -0,0 +1,7 @@
+#!/bin/bash -e
+AFL_PATH=~/afl/afl-1.06b
+export AFL_PATH
+TMP=/dev/shm/darkhttpd
+AFL_HARDEN=1 $AFL_PATH/afl-gcc -O3 fuzz_make_safe_uri.c -o fuzz_make_safe_uri
+mkdir $TMP
+$AFL_PATH/afl-fuzz -i fuzz_testcases -o $TMP ./fuzz_make_safe_uri
diff --git a/devel/fuzz_make_safe_uri.c b/devel/fuzz_make_safe_uri.c
index 41fae78..b2c7ea8 100644
--- a/devel/fuzz_make_safe_uri.c
+++ b/devel/fuzz_make_safe_uri.c
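Review bot: `mkdir $TMP` on the fixed path `/dev/shm/darkhttpd` makes every rerun of the script die under `bash -e` once the directory exists, and on a typical Linux box /dev/shm is a shared, world-writable tmpfs, so another local user can pre-create that name and afl-fuzz would then write its findings into a directory that user controls (the bare `mkdir` at least fails rather than following a planted symlink, but then the run fails). A fresh private directory solves both: `TMP=$(mktemp -d /dev/shm/darkhttpd.XXXXXX)` in place of the `TMP=` line, with the `mkdir $TMP` line dropped. The hard-coded `~/afl/afl-1.06b` could also become `AFL_PATH=${AFL_PATH:-$HOME/afl/afl-1.06b}` so the script runs against whatever AFL checkout the machine has.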
@@ -1,72 +1,25 @@
+// Wrapper around make_safe_url() for fuzzing.
+// Aborts if the output is deemed safe but contains /../ or /./
+#include 
+
 #define main _main_disabled_
 #include "../darkhttpd.c"
 #undef main
-static void
-test(const char *input, const char *expected)
-{
- char *tmp = xstrdup(input);
- char *out = make_safe_url(tmp);
-
- if (expected == NULL) {
- if (out == NULL)
- printf("PASS: \"%s\" is unsafe\n", input);
- else
- printf("FAIL: \"%s\" is unsafe, but got \"%s\"\n",
- input, out);
+int main(void) {
+ char *buf = NULL;
+ size_t len = 0;
+ ssize_t num_read = getline(&buf, &len, stdin);
+ if (num_read == -1) return 1;
+ int l = strlen(buf);
+ if (l > 0) {
+ buf[l-1] = '\0';
 }
- else if (out == NULL)
- printf("FAIL: \"%s\" should become \"%s\", got unsafe\n",
- input, expected);
- else if (strcmp(out, expected) == 0)
- printf("PASS: \"%s\" => \"%s\"\n", input, out);
- else
- printf("FAIL: \"%s\" => \"%s\", expecting \"%s\"\n",
- input, out, expected);
- free(tmp);
-}
-
-static char const *tests[] = {
- "", NULL,
- "/", "/",
- "/.", "/",
- "/./", "/",
- "/../", NULL,
- "/abc", "/abc",
- "/abc/", "/abc/",
- "/abc/.", "/abc",
- "/abc/./", "/abc/",
- "/abc/..", "/",
- "/abc/../", "/",
- "/abc/../def", "/def",
- "/abc/../def/", "/def/",
- "/abc/../def/..", "/",
- "/abc/../def/../", "/",
- "/abc/../def/../../", NULL,
- "/abc/../def/.././", "/",
- "/abc/../def/.././../", NULL,
- "/a/b/c/../../d/", "/a/d/",
- "/a/b/../../../c", NULL,
- /* don't forget consolidate_slashes */
- "//a///b////c/////", "/a/b/c/",
- /* strip query params */
- "/?a=b", "/",
- "/index.html?", "/index.html",
- "/index.html?a", "/index.html",
- "/index.html?a=b", "/index.html",
- NULL
-};
-
-int
-main(void)
-{
- const char **curr = tests;
-
- while (curr[0] != NULL) {
- test(curr[0], curr[1]);
- curr += 2;
+ char* safe = make_safe_url(buf);
+ if (safe) {
+ if (strstr(safe, "/../") != NULL) abort();
+ if (strstr(safe, "/./") != NULL) abort();
 }
- return 0;
 }
-/* vim:set tabstop=4 
shiftwidth=4 expandtab tw=78: */
+/* vim:set ts=4 sw=4 sts=4 expandtab tw=78: */
diff --git a/devel/fuzz_testcases/01 b/devel/fuzz_testcases/01
new file mode 100644
index 0000000..b498fd4
--- /dev/null
+++ b/devel/fuzz_testcases/01
@@ -0,0 +1 @@
+/
diff --git a/devel/fuzz_testcases/04 b/devel/fuzz_testcases/04
new file mode 100644
index 0000000..e6b064b
--- /dev/null
+++ b/devel/fuzz_testcases/04
@@ -0,0 +1 @@
+/..
diff --git a/devel/fuzz_testcases/08 b/devel/fuzz_testcases/08
new file mode 100644
index 0000000..2c56084
--- /dev/null
+++ b/devel/fuzz_testcases/08
@@ -0,0 +1 @@
+/abc/.
diff --git a/devel/fuzz_testcases/20 b/devel/fuzz_testcases/20
new file mode 100644
index 0000000..c8487ed
--- /dev/null
+++ b/devel/fuzz_testcases/20
@@ -0,0 +1 @@
+../darkhttpd.c
diff --git a/devel/fuzz_testcases/21 b/devel/fuzz_testcases/21
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/devel/fuzz_testcases/21
@@ -0,0 +1 @@
+
diff --git a/devel/fuzz_testcases/30 b/devel/fuzz_testcases/30
new file mode 100644
index 0000000..3b2bb66
--- /dev/null
+++ b/devel/fuzz_testcases/30
@@ -0,0 +1 @@
+/abc/..
diff --git a/devel/fuzz_testcases/34 b/devel/fuzz_testcases/34
new file mode 100644
index 0000000..42c7c44
--- /dev/null
+++ b/devel/fuzz_testcases/34
@@ -0,0 +1 @@
+/abc/../def/..
diff --git a/devel/fuzz_testcases/36 b/devel/fuzz_testcases/36
new file mode 100644
index 0000000..b31bfd8
--- /dev/null
+++ b/devel/fuzz_testcases/36
@@ -0,0 +1 @@
+/abc/../def/../../
diff --git a/devel/fuzz_testcases/37 b/devel/fuzz_testcases/37
new file mode 100644
index 0000000..0f47cb0
--- /dev/null
+++ b/devel/fuzz_testcases/37
@@ -0,0 +1 @@
+/abc/../def/.././
diff --git a/devel/fuzz_testcases/38 b/devel/fuzz_testcases/38
new file mode 100644
index 0000000..d57d6de
--- /dev/null
+++ b/devel/fuzz_testcases/38
@@ -0,0 +1 @@
+/abc/../def/.././../
diff --git a/devel/fuzz_testcases/40 b/devel/fuzz_testcases/40
new file mode 100644
index 0000000..db9812d
--- /dev/null
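Review bot: The newline strip in the new main() chops the last byte unconditionally, `buf[l-1] = '\0'` whenever `l > 0`, so a fuzz input that AFL has mutated to lack a trailing newline is tested with one real character missing (`/..` is checked as `/.`), and because `l` comes from strlen() rather than getline()'s `num_read`, an input containing a NUL byte has the wrong byte clobbered. The abort condition also only looks for `/../` and `/./` in the interior of the result, so a make_safe_url() regression that leaves a bare `/..` or `/.` at the end of a "safe" URL (the dropped table expected `/abc/..` to give `/` and `/abc/.` to give `/abc`) would pass unnoticed; both fixes are sketched below, and `n` is `size_t` because that is what strlen() returns. Removing the expected-output table also leaves nothing checking that, for example, `/abc/../def` still becomes `/def` — the fuzz invariant catches traversal, not wrong-but-harmless output — so keeping those pairs as a separate unit test is worth considering. main() begins and ends inside this hunk.
```c
    ssize_t num_read = getline(&buf, &len, stdin);
    if (num_read == -1) return 1;
    /* strip only a real trailing newline, using getline's byte count */
    if (num_read > 0 && buf[num_read - 1] == '\n') {
        buf[num_read - 1] = '\0';
    }
    char *safe = make_safe_url(buf);
    if (safe) {
        /* … unchanged: the two strstr() checks … */
        size_t n = strlen(safe);
        if (n >= 3 && strcmp(safe + n - 3, "/..") == 0) abort();
        if (n >= 2 && strcmp(safe + n - 2, "/.") == 0) abort();
    }
```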
+++ b/devel/fuzz_testcases/40
@@ -0,0 +1 @@
+/a/b/../../../c
diff --git a/devel/fuzz_testcases/41 b/devel/fuzz_testcases/41
new file mode 100644
index 0000000..de1cd0e
--- /dev/null
+++ b/devel/fuzz_testcases/41
@@ -0,0 +1 @@
+//a///b////c/////
diff --git a/devel/fuzz_testcases/43 b/devel/fuzz_testcases/43
new file mode 100644
index 0000000..1a03a0e
--- /dev/null
+++ b/devel/fuzz_testcases/43
@@ -0,0 +1 @@
+/index.html?
diff --git a/devel/fuzz_testcases/48 b/devel/fuzz_testcases/48
new file mode 100644
index 0000000..8337712
--- /dev/null
+++ b/devel/fuzz_testcases/48
@@ -0,0 +1 @@
+//
diff --git a/devel/fuzz_testcases/49 b/devel/fuzz_testcases/49
new file mode 100644
index 0000000..8f36e17
--- /dev/null
+++ b/devel/fuzz_testcases/49
@@ -0,0 +1 @@
+/.//./
diff --git a/devel/fuzz_testcases/50 b/devel/fuzz_testcases/50
new file mode 100644
index 0000000..511eb20
--- /dev/null
+++ b/devel/fuzz_testcases/50
@@ -0,0 +1 @@
+/./abc/./defghi/../xyzz/a/b//c//d/