From f24c9d0d59e83555fa5ff8558c638054d478bd0c Mon Sep 17 00:00:00 2001
From: Emil Mikulic
Date: Thu, 1 Jan 2015 18:14:28 +1100
Subject: [PATCH] Add a harness for fuzzing make_safe_uri()
---
devel/fuzz.sh | 7 ++++
devel/fuzz_make_safe_uri.c | 81 ++++++++------------------------------
devel/fuzz_testcases/01 | 1 +
devel/fuzz_testcases/04 | 1 +
devel/fuzz_testcases/08 | 1 +
devel/fuzz_testcases/20 | 1 +
devel/fuzz_testcases/21 | 1 +
devel/fuzz_testcases/30 | 1 +
devel/fuzz_testcases/34 | 1 +
devel/fuzz_testcases/36 | 1 +
devel/fuzz_testcases/37 | 1 +
devel/fuzz_testcases/38 | 1 +
devel/fuzz_testcases/40 | 1 +
devel/fuzz_testcases/41 | 1 +
devel/fuzz_testcases/43 | 1 +
devel/fuzz_testcases/48 | 1 +
devel/fuzz_testcases/49 | 1 +
devel/fuzz_testcases/50 | 1 +
18 files changed, 40 insertions(+), 64 deletions(-)
create mode 100755 devel/fuzz.sh
create mode 100644 devel/fuzz_testcases/01
create mode 100644 devel/fuzz_testcases/04
create mode 100644 devel/fuzz_testcases/08
create mode 100644 devel/fuzz_testcases/20
create mode 100644 devel/fuzz_testcases/21
create mode 100644 devel/fuzz_testcases/30
create mode 100644 devel/fuzz_testcases/34
create mode 100644 devel/fuzz_testcases/36
create mode 100644 devel/fuzz_testcases/37
create mode 100644 devel/fuzz_testcases/38
create mode 100644 devel/fuzz_testcases/40
create mode 100644 devel/fuzz_testcases/41
create mode 100644 devel/fuzz_testcases/43
create mode 100644 devel/fuzz_testcases/48
create mode 100644 devel/fuzz_testcases/49
create mode 100644 devel/fuzz_testcases/50
diff --git a/devel/fuzz.sh b/devel/fuzz.sh
new file mode 100755
index 0000000..a0d292a
--- /dev/null
+++ b/devel/fuzz.sh
@@ -0,0 +1,7 @@
+#!/bin/bash -e
+AFL_PATH=~/afl/afl-1.06b
+export AFL_PATH
+TMP=/dev/shm/darkhttpd
+AFL_HARDEN=1 $AFL_PATH/afl-gcc -O3 fuzz_make_safe_uri.c -o fuzz_make_safe_uri
+mkdir $TMP
+$AFL_PATH/afl-fuzz -i fuzz_testcases -o $TMP ./fuzz_make_safe_uri
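Review bot: `mkdir $TMP` runs under `bash -e`, so the script aborts on every run after the first because /dev/shm/darkhttpd already exists from the previous session; `mkdir -p "$TMP"` keeps the script re-runnable, and quoting `"$AFL_PATH"` and `"$TMP"` on the afl-gcc and afl-fuzz lines protects against a path containing spaces. The toolchain location is also pinned to one home-directory path and one afl version on the `AFL_PATH=` line; `AFL_PATH=${AFL_PATH:-$HOME/afl/afl-1.06b}` lets a caller point at another install without editing the script.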
diff --git a/devel/fuzz_make_safe_uri.c b/devel/fuzz_make_safe_uri.c
index 41fae78..b2c7ea8 100644
--- a/devel/fuzz_make_safe_uri.c
+++ b/devel/fuzz_make_safe_uri.c
@@ -1,72 +1,25 @@ +// Wrapper around make_safe_url() for fuzzing. +// Aborts if the output is deemed safe but contains /../ or /./ +#include + #define main _main_disabled_ #include "../darkhttpd.c" #undef main -static void -test(const char *input, const char *expected) -{ - char *tmp = xstrdup(input); - char *out = make_safe_url(tmp); - - if (expected == NULL) { - if (out == NULL) - printf("PASS: \"%s\" is unsafe\n", input); - else - printf("FAIL: \"%s\" is unsafe, but got \"%s\"\n", - input, out); +int main(void) { + char *buf = NULL; + size_t len = 0; + ssize_t num_read = getline(&buf, &len, stdin); + if (num_read == -1) return 1; + int l = strlen(buf); + if (l > 0) { + buf[l-1] = '\0'; } - else if (out == NULL) - printf("FAIL: \"%s\" should become \"%s\", got unsafe\n", - input, expected); - else if (strcmp(out, expected) == 0) - printf("PASS: \"%s\" => \"%s\"\n", input, out); - else - printf("FAIL: \"%s\" => \"%s\", expecting \"%s\"\n", - input, out, expected); - free(tmp); -} - -static char const *tests[] = { - "", NULL, - "/", "/", - "/.", "/", - "/./", "/", - "/../", NULL, - "/abc", "/abc", - "/abc/", "/abc/", - "/abc/.", "/abc", - "/abc/./", "/abc/", - "/abc/..", "/", - "/abc/../", "/", - "/abc/../def", "/def", - "/abc/../def/", "/def/", - "/abc/../def/..", "/", - "/abc/../def/../", "/", - "/abc/../def/../../", NULL, - "/abc/../def/.././", "/", - "/abc/../def/.././../", NULL, - "/a/b/c/../../d/", "/a/d/", - "/a/b/../../../c", NULL, - /* don't forget consolidate_slashes */ - "//a///b////c/////", "/a/b/c/", - /* strip query params */ - "/?a=b", "/", - "/index.html?", "/index.html", - "/index.html?a", "/index.html", - "/index.html?a=b", "/index.html", - NULL -}; - -int -main(void) -{ - const char **curr = tests; - - while (curr[0] != NULL) { - test(curr[0], curr[1]); - curr += 2; + char* safe = make_safe_url(buf); + if (safe) { + if (strstr(safe, "/../") != NULL) abort(); + if (strstr(safe, "/./") != NULL) abort(); } - return 0; } -/* vim:set tabstop=4 
shiftwidth=4 expandtab tw=78: */
+/* vim:set ts=4 sw=4 sts=4 expandtab tw=78: */
diff --git a/devel/fuzz_testcases/01 b/devel/fuzz_testcases/01
new file mode 100644
index 0000000..b498fd4
--- /dev/null
+++ b/devel/fuzz_testcases/01
@@ -0,0 +1 @@
+/
diff --git a/devel/fuzz_testcases/04 b/devel/fuzz_testcases/04
new file mode 100644
index 0000000..e6b064b
--- /dev/null
+++ b/devel/fuzz_testcases/04
@@ -0,0 +1 @@
+/..
diff --git a/devel/fuzz_testcases/08 b/devel/fuzz_testcases/08
new file mode 100644
index 0000000..2c56084
--- /dev/null
+++ b/devel/fuzz_testcases/08
@@ -0,0 +1 @@
+/abc/.
diff --git a/devel/fuzz_testcases/20 b/devel/fuzz_testcases/20
new file mode 100644
index 0000000..c8487ed
--- /dev/null
+++ b/devel/fuzz_testcases/20
@@ -0,0 +1 @@
+../darkhttpd.c
diff --git a/devel/fuzz_testcases/21 b/devel/fuzz_testcases/21
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/devel/fuzz_testcases/21
@@ -0,0 +1 @@
+
diff --git a/devel/fuzz_testcases/30 b/devel/fuzz_testcases/30
new file mode 100644
index 0000000..3b2bb66
--- /dev/null
+++ b/devel/fuzz_testcases/30
@@ -0,0 +1 @@
+/abc/..
diff --git a/devel/fuzz_testcases/34 b/devel/fuzz_testcases/34
new file mode 100644
index 0000000..42c7c44
--- /dev/null
+++ b/devel/fuzz_testcases/34
@@ -0,0 +1 @@
+/abc/../def/..
diff --git a/devel/fuzz_testcases/36 b/devel/fuzz_testcases/36
new file mode 100644
index 0000000..b31bfd8
--- /dev/null
+++ b/devel/fuzz_testcases/36
@@ -0,0 +1 @@
+/abc/../def/../../
diff --git a/devel/fuzz_testcases/37 b/devel/fuzz_testcases/37
new file mode 100644
index 0000000..0f47cb0
--- /dev/null
+++ b/devel/fuzz_testcases/37
@@ -0,0 +1 @@
+/abc/../def/.././
diff --git a/devel/fuzz_testcases/38 b/devel/fuzz_testcases/38
new file mode 100644
index 0000000..d57d6de
--- /dev/null
+++ b/devel/fuzz_testcases/38
@@ -0,0 +1 @@
+/abc/../def/.././../
diff --git a/devel/fuzz_testcases/40 b/devel/fuzz_testcases/40
new file mode 100644
index 0000000..db9812d
--- /dev/null
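Review bot: The newline strip at `buf[l-1] = '\0'` removes the last byte unconditionally, so a seed file without a trailing newline (getline hands it back whole at EOF) is fuzzed with its final character missing; guard on the byte and reuse the length getline already returned, `if (num_read > 0 && buf[num_read - 1] == '\n') buf[num_read - 1] = '\0';`, which also drops the `int`-typed `strlen` recount. The oracle inside `if (safe)` only searches for `/../` and `/./` as interior substrings, so an output that still ends in `/..` or `/.` — which the deleted expectation table required to collapse to `/` — would be reported as safe; after the two existing checks add `size_t n = strlen(safe);` and `if ((n >= 3 && strcmp(safe + n - 3, "/..") == 0) || (n >= 2 && strcmp(safe + n - 2, "/.") == 0)) abort();`. The header name after the added `#include` is not visible in this rendering, so I cannot tell from the hunk whether `getline`, `strstr` and `abort` are declared by it or by darkhttpd.c.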
+++ b/devel/fuzz_testcases/40
@@ -0,0 +1 @@
+/a/b/../../../c
diff --git a/devel/fuzz_testcases/41 b/devel/fuzz_testcases/41
new file mode 100644
index 0000000..de1cd0e
--- /dev/null
+++ b/devel/fuzz_testcases/41
@@ -0,0 +1 @@
+//a///b////c/////
diff --git a/devel/fuzz_testcases/43 b/devel/fuzz_testcases/43
new file mode 100644
index 0000000..1a03a0e
--- /dev/null
+++ b/devel/fuzz_testcases/43
@@ -0,0 +1 @@
+/index.html?
diff --git a/devel/fuzz_testcases/48 b/devel/fuzz_testcases/48
new file mode 100644
index 0000000..8337712
--- /dev/null
+++ b/devel/fuzz_testcases/48
@@ -0,0 +1 @@
+//
diff --git a/devel/fuzz_testcases/49 b/devel/fuzz_testcases/49
new file mode 100644
index 0000000..8f36e17
--- /dev/null
+++ b/devel/fuzz_testcases/49
@@ -0,0 +1 @@
+/.//./
diff --git a/devel/fuzz_testcases/50 b/devel/fuzz_testcases/50
new file mode 100644
index 0000000..511eb20
--- /dev/null
+++ b/devel/fuzz_testcases/50
@@ -0,0 +1 @@
+/./abc/./defghi/../xyzz/a/b//c//d/