Add a harness for fuzzing make_safe_uri()

Emil Mikulic 2015-01-01 18:14:28 +11:00
parent e50accedb8
commit f24c9d0d59
18 changed files with 40 additions and 64 deletions

7
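--- /dev/null
+++ b/devel/fuzz.sh
@@ -0,0 +1,7 @@
+#!/bin/bash -e
+AFL_PATH=~/afl/afl-1.06b
+export AFL_PATH
+TMP=/dev/shm/darkhttpd
+AFL_HARDEN=1 $AFL_PATH/afl-gcc -O3 fuzz_make_safe_uri.c -o fuzz_make_safe_uri
+mkdir $TMP
+$AFL_PATH/afl-fuzz -i fuzz_testcases -o $TMP ./fuzz_make_safe_uri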
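Review bot: `mkdir $TMP` creates a fixed name under the world-writable `/dev/shm`, so with `-e` the script stops before `afl-fuzz` on every run after the first, or whenever another local user has already created `/dev/shm/darkhttpd`. A private per-run directory avoids both: `TMP=$(mktemp -d /dev/shm/darkhttpd.XXXXXX)` in place of the assignment and the `mkdir`. The expansions are also unquoted, so `"$AFL_PATH/afl-gcc"`, `"$AFL_PATH/afl-fuzz"` and `-o "$TMP"` would be safer. The hard-coded `AFL_PATH=~/afl/afl-1.06b` overrides whatever the caller exported, and a one-line comment saying it must be edited per machine would help.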


@ -1,72 +1,25 @@
// Wrapper around make_safe_url() for fuzzing.
// Aborts if the output is deemed safe but contains /../ or /./
#include <stdio.h>
#define main _main_disabled_ #define main _main_disabled_
#include "../darkhttpd.c" #include "../darkhttpd.c"
#undef main #undef main
static void int main(void) {
test(const char *input, const char *expected) char *buf = NULL;
{ size_t len = 0;
char *tmp = xstrdup(input); ssize_t num_read = getline(&buf, &len, stdin);
char *out = make_safe_url(tmp); if (num_read == -1) return 1;
int l = strlen(buf);
if (expected == NULL) { if (l > 0) {
if (out == NULL) buf[l-1] = '\0';
printf("PASS: \"%s\" is unsafe\n", input);
else
printf("FAIL: \"%s\" is unsafe, but got \"%s\"\n",
input, out);
} }
else if (out == NULL) char* safe = make_safe_url(buf);
printf("FAIL: \"%s\" should become \"%s\", got unsafe\n", if (safe) {
input, expected); if (strstr(safe, "/../") != NULL) abort();
else if (strcmp(out, expected) == 0) if (strstr(safe, "/./") != NULL) abort();
printf("PASS: \"%s\" => \"%s\"\n", input, out);
else
printf("FAIL: \"%s\" => \"%s\", expecting \"%s\"\n",
input, out, expected);
free(tmp);
} }
static char const *tests[] = {
"", NULL,
"/", "/",
"/.", "/",
"/./", "/",
"/../", NULL,
"/abc", "/abc",
"/abc/", "/abc/",
"/abc/.", "/abc",
"/abc/./", "/abc/",
"/abc/..", "/",
"/abc/../", "/",
"/abc/../def", "/def",
"/abc/../def/", "/def/",
"/abc/../def/..", "/",
"/abc/../def/../", "/",
"/abc/../def/../../", NULL,
"/abc/../def/.././", "/",
"/abc/../def/.././../", NULL,
"/a/b/c/../../d/", "/a/d/",
"/a/b/../../../c", NULL,
/* don't forget consolidate_slashes */
"//a///b////c/////", "/a/b/c/",
/* strip query params */
"/?a=b", "/",
"/index.html?", "/index.html",
"/index.html?a", "/index.html",
"/index.html?a=b", "/index.html",
NULL
};
int
main(void)
{
const char **curr = tests;
while (curr[0] != NULL) {
test(curr[0], curr[1]);
curr += 2;
}
return 0; return 0;
} }
/* vim:set tabstop=4 shiftwidth=4 expandtab tw=78: */ /* vim:set ts=4 sw=4 sts=4 expandtab tw=78: */
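Review bot: The oracle in `main` only looks for `/../` and `/./` in the middle of the result, so a returned path that ends in `/..` or `/.` passes, even though the table removed in this section expected `/abc/..` to become `/`; checking the tail of `safe` as well would close that gap. Separately, `buf[l-1] = '\0'` drops the last byte whether or not it is a newline, so a seed stored without a trailing newline is fuzzed one character short, and `strlen(buf)` stops at an embedded NUL that `getline()` read past; using `num_read` and testing for `'\n'` avoids both. A short comment above `main` stating that one line is read from stdin and that `abort()` is the crash signal for afl would also help. The old and new columns are merged on this page, so the sketch below is written against the new side as I read it.

```c
    // … unchanged: getline() call and the num_read == -1 check …
    if (num_read > 0 && buf[num_read - 1] == '\n') {
        buf[num_read - 1] = '\0';   /* strip only a real line terminator */
    }
    char* safe = make_safe_url(buf);
    if (safe) {
        size_t n = strlen(safe);
        // … unchanged: the two strstr() checks …
        if (n >= 3 && strcmp(safe + n - 3, "/..") == 0) abort();
        if (n >= 2 && strcmp(safe + n - 2, "/.") == 0) abort();
    }
```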

1
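--- /dev/null
+++ b/devel/fuzz_testcases/01
@@ -0,0 +1 @@
+/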

1
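--- /dev/null
+++ b/devel/fuzz_testcases/04
@@ -0,0 +1 @@
+/..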

1
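--- /dev/null
+++ b/devel/fuzz_testcases/08
@@ -0,0 +1 @@
+/abc/.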

1
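--- /dev/null
+++ b/devel/fuzz_testcases/20
@@ -0,0 +1 @@
+../darkhttpd.c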

1
devel/fuzz_testcases/21 Normal file

@ -0,0 +1 @@

1
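--- /dev/null
+++ b/devel/fuzz_testcases/30
@@ -0,0 +1 @@
+/abc/..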

1
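--- /dev/null
+++ b/devel/fuzz_testcases/34
@@ -0,0 +1 @@
+/abc/../def/..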

1
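--- /dev/null
+++ b/devel/fuzz_testcases/36
@@ -0,0 +1 @@
+/abc/../def/../../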

1
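--- /dev/null
+++ b/devel/fuzz_testcases/37
@@ -0,0 +1 @@
+/abc/../def/.././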

1
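--- /dev/null
+++ b/devel/fuzz_testcases/38
@@ -0,0 +1 @@
+/abc/../def/.././../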

1
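--- /dev/null
+++ b/devel/fuzz_testcases/40
@@ -0,0 +1 @@
+/a/b/../../../c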

1
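--- /dev/null
+++ b/devel/fuzz_testcases/41
@@ -0,0 +1 @@
+//a///b////c/////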

1
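--- /dev/null
+++ b/devel/fuzz_testcases/43
@@ -0,0 +1 @@
+/index.html?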

1
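--- /dev/null
+++ b/devel/fuzz_testcases/48
@@ -0,0 +1 @@
+//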

1
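--- /dev/null
+++ b/devel/fuzz_testcases/49
@@ -0,0 +1 @@
+/.//./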

1
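--- /dev/null
+++ b/devel/fuzz_testcases/50
@@ -0,0 +1 @@
+/./abc/./defghi/../xyzz/a/b//c//d/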