Add a harness for fuzzing make_safe_uri()

devel/fuzz.sh

@@ -0,0 +1,7 @@
+#!/bin/bash -e
+AFL_PATH=~/afl/afl-1.06b
+export AFL_PATH
+TMP=/dev/shm/darkhttpd
+AFL_HARDEN=1 $AFL_PATH/afl-gcc -O3 fuzz_make_safe_uri.c -o fuzz_make_safe_uri
+mkdir $TMP
+$AFL_PATH/afl-fuzz -i fuzz_testcases -o $TMP ./fuzz_make_safe_uri

devel/fuzz_make_safe_uri.c

@@ -1,72 +1,25 @@
+// Wrapper around make_safe_url() for fuzzing.
+// Aborts if the output is deemed safe but contains /../ or /./
+#include <stdio.h>
+
 #define main _main_disabled_
 #include "../darkhttpd.c"
 #undef main
 
-static void
+int main(void) {
-test(const char *input, const char *expected)
+    char *buf = NULL;
-{
+    size_t len = 0;
-    char *tmp = xstrdup(input);
+    ssize_t num_read = getline(&buf, &len, stdin);
-    char *out = make_safe_url(tmp);
+    if (num_read == -1) return 1;
-
+    int l = strlen(buf);
-    if (expected == NULL) {
+    if (l > 0) {
-        if (out == NULL)
+        buf[l-1] = '\0';
-            printf("PASS: \"%s\" is unsafe\n", input);
-        else
-            printf("FAIL: \"%s\" is unsafe, but got \"%s\"\n",
-                input, out);
     }
-    else if (out == NULL)
+    char* safe = make_safe_url(buf);
-        printf("FAIL: \"%s\" should become \"%s\", got unsafe\n",
+    if (safe) {
-            input, expected);
+        if (strstr(safe, "/../") != NULL) abort();
-    else if (strcmp(out, expected) == 0)
+        if (strstr(safe, "/./") != NULL) abort();
-        printf("PASS: \"%s\" => \"%s\"\n", input, out);
-    else
-        printf("FAIL: \"%s\" => \"%s\", expecting \"%s\"\n",
-            input, out, expected);
-    free(tmp);
-}
-
-static char const *tests[] = {
-    "", NULL,
-    "/", "/",
-    "/.", "/",
-    "/./", "/",
-    "/../", NULL,
-    "/abc", "/abc",
-    "/abc/", "/abc/",
-    "/abc/.", "/abc",
-    "/abc/./", "/abc/",
-    "/abc/..", "/",
-    "/abc/../", "/",
-    "/abc/../def", "/def",
-    "/abc/../def/", "/def/",
-    "/abc/../def/..", "/",
-    "/abc/../def/../", "/",
-    "/abc/../def/../../", NULL,
-    "/abc/../def/.././", "/",
-    "/abc/../def/.././../", NULL,
-    "/a/b/c/../../d/", "/a/d/",
-    "/a/b/../../../c", NULL,
-    /* don't forget consolidate_slashes */
-    "//a///b////c/////", "/a/b/c/",
-    /* strip query params */
-    "/?a=b", "/",
-    "/index.html?", "/index.html",
-    "/index.html?a", "/index.html",
-    "/index.html?a=b", "/index.html",
-    NULL
-};
-
-int
-main(void)
-{
-    const char **curr = tests;
-
-    while (curr[0] != NULL) {
-        test(curr[0], curr[1]);
-        curr += 2;
     }
-
     return 0;
 }
-/* vim:set tabstop=4 shiftwidth=4 expandtab tw=78: */
+/* vim:set ts=4 sw=4 sts=4 expandtab tw=78: */

devel/fuzz_testcases/01

@@ -0,0 +1 @@
+/

devel/fuzz_testcases/04

@@ -0,0 +1 @@
+/..

devel/fuzz_testcases/08

@@ -0,0 +1 @@
+/abc/.

devel/fuzz_testcases/20

@@ -0,0 +1 @@
+../darkhttpd.c

devel/fuzz_testcases/21

@@ -0,0 +1 @@
+

devel/fuzz_testcases/30

@@ -0,0 +1 @@
+/abc/..

devel/fuzz_testcases/34

@@ -0,0 +1 @@
+/abc/../def/..

devel/fuzz_testcases/36

@@ -0,0 +1 @@
+/abc/../def/../../

devel/fuzz_testcases/37

@@ -0,0 +1 @@
+/abc/../def/.././

devel/fuzz_testcases/38

@@ -0,0 +1 @@
+/abc/../def/.././../

devel/fuzz_testcases/40

@@ -0,0 +1 @@
+/a/b/../../../c

devel/fuzz_testcases/41

@@ -0,0 +1 @@
+//a///b////c/////

devel/fuzz_testcases/43

@@ -0,0 +1 @@
+/index.html?

devel/fuzz_testcases/48

@@ -0,0 +1 @@
+//

devel/fuzz_testcases/49

@@ -0,0 +1 @@
+/.//./

devel/fuzz_testcases/50

@@ -0,0 +1 @@
+/./abc/./defghi/../xyzz/a/b//c//d/