mirror of
https://github.com/xroche/httrack.git
synced 2026-07-12 03:46:58 +03:00
Compare commits
4 Commits
remove-dea
...
p3-3-codeq
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
1d290fb5fc | ||
|
|
407916e3f6 | ||
|
|
15021cd470 | ||
|
|
5f7045c3a4 |
39
.github/workflows/ci.yml
vendored
39
.github/workflows/ci.yml
vendored
@@ -278,6 +278,45 @@ jobs:
|
|||||||
if: failure()
|
if: failure()
|
||||||
run: cat tests/test-suite.log 2>/dev/null || true
|
run: cat tests/test-suite.log 2>/dev/null || true
|
||||||
|
|
||||||
|
# libFuzzer smoke: build the fuzz/ harnesses over the pure hostile-input
|
||||||
|
# parsers and replay each seed corpus under ASan+UBSan+LeakSanitizer. Replay
|
||||||
|
# (not open-ended mutation) keeps CI deterministic -- it can't hit strjoker's
|
||||||
|
# catastrophic backtracking -- and pins the regression seeds for the bugs the
|
||||||
|
# fuzzers found. Deep discovery is a maintainer / OSS-Fuzz activity.
|
||||||
|
fuzz:
|
||||||
|
name: fuzz (libFuzzer corpus replay, clang)
|
||||||
|
runs-on: ubuntu-24.04
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v6
|
||||||
|
with:
|
||||||
|
submodules: recursive
|
||||||
|
|
||||||
|
- name: Install build dependencies
|
||||||
|
run: |
|
||||||
|
set -euo pipefail
|
||||||
|
sudo apt-get update
|
||||||
|
sudo apt-get install -y --no-install-recommends \
|
||||||
|
build-essential clang autoconf automake libtool autoconf-archive \
|
||||||
|
zlib1g-dev libssl-dev
|
||||||
|
|
||||||
|
- name: Configure (fuzzers, static)
|
||||||
|
run: |
|
||||||
|
set -euo pipefail
|
||||||
|
autoreconf -fi
|
||||||
|
./configure CC=clang \
|
||||||
|
CFLAGS="-fsanitize=address,undefined -fno-sanitize-recover=all -g -O1 -fno-omit-frame-pointer" \
|
||||||
|
LDFLAGS="-fsanitize=address,undefined" \
|
||||||
|
--enable-fuzzers --disable-shared
|
||||||
|
|
||||||
|
- name: Build
|
||||||
|
run: make -j"$(nproc)"
|
||||||
|
|
||||||
|
- name: Replay corpora
|
||||||
|
env:
|
||||||
|
ASAN_OPTIONS: detect_leaks=1:abort_on_error=1:halt_on_error=1
|
||||||
|
UBSAN_OPTIONS: print_stacktrace=1:halt_on_error=1
|
||||||
|
run: bash fuzz/run-fuzzers.sh fuzz check
|
||||||
|
|
||||||
# Optional-dependency build: compile and test with HTTPS/OpenSSL disabled --
|
# Optional-dependency build: compile and test with HTTPS/OpenSSL disabled --
|
||||||
# the configuration users on minimal systems build, and one libssl is not even
|
# the configuration users on minimal systems build, and one libssl is not even
|
||||||
# installed here so configure cannot silently re-enable it. The matrix above
|
# installed here so configure cannot silently re-enable it. The matrix above
|
||||||
|
|||||||
57
.github/workflows/codeql.yml
vendored
Normal file
57
.github/workflows/codeql.yml
vendored
Normal file
@@ -0,0 +1,57 @@
|
|||||||
|
# CodeQL static analysis (C). The security-extended suite covers the classes
|
||||||
|
# this codebase actually fights: overflows, tainted-size allocs, format bugs.
|
||||||
|
name: CodeQL
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches: [master]
|
||||||
|
pull_request:
|
||||||
|
schedule:
|
||||||
|
# Weekly re-scan of master so new/updated queries land without a push.
|
||||||
|
- cron: "17 4 * * 1"
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
|
||||||
|
concurrency:
|
||||||
|
group: codeql-${{ github.ref }}
|
||||||
|
cancel-in-progress: true
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
analyze:
|
||||||
|
name: analyze (c-cpp)
|
||||||
|
runs-on: ubuntu-24.04
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
# Upload findings to the repo's code-scanning dashboard.
|
||||||
|
security-events: write
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v6
|
||||||
|
with:
|
||||||
|
submodules: recursive
|
||||||
|
|
||||||
|
- name: Install build dependencies
|
||||||
|
run: |
|
||||||
|
set -euo pipefail
|
||||||
|
sudo apt-get update
|
||||||
|
sudo apt-get install -y --no-install-recommends \
|
||||||
|
build-essential autoconf automake libtool autoconf-archive \
|
||||||
|
zlib1g-dev libssl-dev
|
||||||
|
|
||||||
|
- uses: github/codeql-action/init@v4
|
||||||
|
with:
|
||||||
|
languages: c-cpp
|
||||||
|
build-mode: manual
|
||||||
|
queries: security-extended
|
||||||
|
|
||||||
|
# Manual build: CodeQL traces the compiler, so build exactly what ships.
|
||||||
|
- name: Build
|
||||||
|
run: |
|
||||||
|
set -euo pipefail
|
||||||
|
autoreconf -fi
|
||||||
|
./configure
|
||||||
|
make -j"$(nproc)"
|
||||||
|
|
||||||
|
- uses: github/codeql-action/analyze@v4
|
||||||
|
with:
|
||||||
|
category: "/language:c-cpp"
|
||||||
@@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
SUBDIRS = src man m4 libtest templates lang html tests
|
SUBDIRS = src man m4 libtest templates lang html tests fuzz
|
||||||
|
|
||||||
ACLOCAL_AMFLAGS = -I m4
|
ACLOCAL_AMFLAGS = -I m4
|
||||||
|
|
||||||
|
|||||||
32
configure.ac
32
configure.ac
@@ -310,6 +310,37 @@ AC_ARG_ENABLE([online-unit-tests],
|
|||||||
])
|
])
|
||||||
AC_SUBST(ONLINE_UNIT_TESTS,$online_unit_tests)
|
AC_SUBST(ONLINE_UNIT_TESTS,$online_unit_tests)
|
||||||
|
|
||||||
|
## libFuzzer harnesses (fuzz/); requires clang
|
||||||
|
AC_MSG_CHECKING(whether to build fuzzers)
|
||||||
|
AC_ARG_ENABLE([fuzzers],
|
||||||
|
[AS_HELP_STRING([--enable-fuzzers],[Build libFuzzer harnesses in fuzz/ (requires clang) @<:@default=no@:>@])],
|
||||||
|
[
|
||||||
|
case "${enableval}" in
|
||||||
|
no|yes)
|
||||||
|
fuzzers=$enableval
|
||||||
|
AC_MSG_RESULT($enableval)
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
AC_MSG_ERROR(bad value for fuzzers, expected yes/no)
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
],
|
||||||
|
[
|
||||||
|
fuzzers=no
|
||||||
|
AC_MSG_RESULT(no)
|
||||||
|
])
|
||||||
|
if test x"$fuzzers" = x"yes"; then
|
||||||
|
# Instrument the whole build for coverage; harnesses link -fsanitize=fuzzer.
|
||||||
|
AX_CHECK_COMPILE_FLAG([-fsanitize=fuzzer-no-link],
|
||||||
|
[DEFAULT_CFLAGS="$DEFAULT_CFLAGS -fsanitize=fuzzer-no-link"],
|
||||||
|
[AC_MSG_ERROR([--enable-fuzzers requires libFuzzer support (clang)])])
|
||||||
|
# clang's static sanitizer runtimes clash with -Wl,--no-undefined on the .so.
|
||||||
|
if test x"$enable_shared" != x"no"; then
|
||||||
|
AC_MSG_ERROR([--enable-fuzzers requires --disable-shared])
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
AM_CONDITIONAL([FUZZERS], [test x"$fuzzers" = x"yes"])
|
||||||
|
|
||||||
# Final output
|
# Final output
|
||||||
AC_CONFIG_FILES([
|
AC_CONFIG_FILES([
|
||||||
Makefile
|
Makefile
|
||||||
@@ -321,5 +352,6 @@ lang/Makefile
|
|||||||
html/Makefile
|
html/Makefile
|
||||||
libtest/Makefile
|
libtest/Makefile
|
||||||
tests/Makefile
|
tests/Makefile
|
||||||
|
fuzz/Makefile
|
||||||
])
|
])
|
||||||
AC_OUTPUT
|
AC_OUTPUT
|
||||||
|
|||||||
38
fuzz/Makefile.am
Normal file
38
fuzz/Makefile.am
Normal file
@@ -0,0 +1,38 @@
|
|||||||
|
# libFuzzer harnesses; built only with --enable-fuzzers (requires clang).
|
||||||
|
if FUZZERS
|
||||||
|
noinst_PROGRAMS = fuzz-charset fuzz-meta fuzz-idna fuzz-entities \
|
||||||
|
fuzz-unescape fuzz-filters fuzz-url
|
||||||
|
endif
|
||||||
|
|
||||||
|
AM_CPPFLAGS = \
|
||||||
|
@DEFAULT_CFLAGS@ \
|
||||||
|
@THREADS_CFLAGS@ \
|
||||||
|
@V6_FLAG@ \
|
||||||
|
@LFS_FLAG@ \
|
||||||
|
-I$(top_srcdir)/src \
|
||||||
|
-I$(top_srcdir)/src/coucal
|
||||||
|
|
||||||
|
# Static-link libhttrack.la: the internal symbols are hidden in the .so.
|
||||||
|
AM_LDFLAGS = @DEFAULT_LDFLAGS@ -fsanitize=fuzzer -static-libtool-libs
|
||||||
|
LDADD = $(top_builddir)/src/libhttrack.la $(THREADS_LIBS)
|
||||||
|
|
||||||
|
fuzz_charset_SOURCES = fuzz-charset.c fuzz.h
|
||||||
|
fuzz_meta_SOURCES = fuzz-meta.c fuzz.h
|
||||||
|
fuzz_idna_SOURCES = fuzz-idna.c fuzz.h
|
||||||
|
fuzz_entities_SOURCES = fuzz-entities.c fuzz.h
|
||||||
|
fuzz_unescape_SOURCES = fuzz-unescape.c fuzz.h
|
||||||
|
fuzz_filters_SOURCES = fuzz-filters.c fuzz.h
|
||||||
|
fuzz_url_SOURCES = fuzz-url.c fuzz.h
|
||||||
|
|
||||||
|
# List corpus files explicitly: automake does not expand EXTRA_DIST globs.
|
||||||
|
EXTRA_DIST = README.md run-fuzzers.sh \
|
||||||
|
corpus/charset/utf8.txt corpus/charset/latin1.txt corpus/charset/sjis.txt \
|
||||||
|
corpus/meta/meta-charset.html corpus/meta/meta-http-equiv.html \
|
||||||
|
corpus/idna/idna.txt corpus/idna/unicode.txt \
|
||||||
|
corpus/idna/regress-multilabel-leak.txt \
|
||||||
|
corpus/entities/entities.txt \
|
||||||
|
corpus/unescape/percent.txt \
|
||||||
|
corpus/filters/filter.bin corpus/filters/filter-size.bin \
|
||||||
|
corpus/filters/regress-empty-subject-unique.bin \
|
||||||
|
corpus/url/http-url.txt corpus/url/relative-path.txt \
|
||||||
|
corpus/url/regress-file-empty-path.txt corpus/url/regress-long-path-abort.txt
|
||||||
15
fuzz/README.md
Normal file
15
fuzz/README.md
Normal file
@@ -0,0 +1,15 @@
|
|||||||
|
# Fuzzing httrack
|
||||||
|
|
||||||
|
libFuzzer harnesses for the pure hostile-input parsers (charset/UTF-8/IDNA codecs, entity and percent decoders, wildcard filters, URL splitter). Off by default; needs clang.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
./bootstrap
|
||||||
|
mkdir /var/tmp/bld-fuzz && cd /var/tmp/bld-fuzz
|
||||||
|
CC=clang CFLAGS="-fsanitize=address,undefined -fno-sanitize-recover=all -g -O1" \
|
||||||
|
LDFLAGS="-fsanitize=address,undefined" \
|
||||||
|
bash /path/to/httrack/configure --enable-fuzzers --disable-shared
|
||||||
|
make
|
||||||
|
bash /path/to/httrack/fuzz/run-fuzzers.sh fuzz 60 # 60s per target
|
||||||
|
```
|
||||||
|
|
||||||
|
Run one target by hand: `fuzz/fuzz-url -max_total_time=300 corpusdir fuzz/corpus/url`. Seed corpora live in `corpus/<target>/`; a crash reproducer is replayed with `fuzz/fuzz-url crash-file`.
|
||||||
1
fuzz/corpus/charset/latin1.txt
Normal file
1
fuzz/corpus/charset/latin1.txt
Normal file
@@ -0,0 +1 @@
|
|||||||
|
café naďve ¤
|
||||||
1
fuzz/corpus/charset/sjis.txt
Normal file
1
fuzz/corpus/charset/sjis.txt
Normal file
@@ -0,0 +1 @@
|
|||||||
|
コンピュータ
|
||||||
BIN
fuzz/corpus/charset/utf8.txt
Normal file
BIN
fuzz/corpus/charset/utf8.txt
Normal file
Binary file not shown.
1
fuzz/corpus/entities/entities.txt
Normal file
1
fuzz/corpus/entities/entities.txt
Normal file
@@ -0,0 +1 @@
|
|||||||
|
&<>A☃é¬arealentity;�
|
||||||
BIN
fuzz/corpus/filters/filter-size.bin
Normal file
BIN
fuzz/corpus/filters/filter-size.bin
Normal file
Binary file not shown.
BIN
fuzz/corpus/filters/filter.bin
Normal file
BIN
fuzz/corpus/filters/filter.bin
Normal file
Binary file not shown.
1
fuzz/corpus/filters/regress-empty-subject-unique.bin
Normal file
1
fuzz/corpus/filters/regress-empty-subject-unique.bin
Normal file
@@ -0,0 +1 @@
|
|||||||
|
**((
|
||||||
1
fuzz/corpus/idna/idna.txt
Normal file
1
fuzz/corpus/idna/idna.txt
Normal file
@@ -0,0 +1 @@
|
|||||||
|
xn--bcher-kva.example.com
|
||||||
1
fuzz/corpus/idna/regress-multilabel-leak.txt
Normal file
1
fuzz/corpus/idna/regress-multilabel-leak.txt
Normal file
@@ -0,0 +1 @@
|
|||||||
|
büchev.例åbücheple
|
||||||
1
fuzz/corpus/idna/unicode.txt
Normal file
1
fuzz/corpus/idna/unicode.txt
Normal file
@@ -0,0 +1 @@
|
|||||||
|
bücher.例子.example
|
||||||
1
fuzz/corpus/meta/meta-charset.html
Normal file
1
fuzz/corpus/meta/meta-charset.html
Normal file
@@ -0,0 +1 @@
|
|||||||
|
<html><head><meta charset="utf-8"></head><body>x</body></html>
|
||||||
1
fuzz/corpus/meta/meta-http-equiv.html
Normal file
1
fuzz/corpus/meta/meta-http-equiv.html
Normal file
@@ -0,0 +1 @@
|
|||||||
|
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
|
||||||
1
fuzz/corpus/unescape/percent.txt
Normal file
1
fuzz/corpus/unescape/percent.txt
Normal file
@@ -0,0 +1 @@
|
|||||||
|
%41%zz%%20%c3%a9+%2e%2e%2f
|
||||||
1
fuzz/corpus/url/http-url.txt
Normal file
1
fuzz/corpus/url/http-url.txt
Normal file
@@ -0,0 +1 @@
|
|||||||
|
http://user:pass@www.example.com:8080/a/b/../c/./d.html?q=1#frag
|
||||||
1
fuzz/corpus/url/regress-file-empty-path.txt
Normal file
1
fuzz/corpus/url/regress-file-empty-path.txt
Normal file
@@ -0,0 +1 @@
|
|||||||
|
file://
|
||||||
1
fuzz/corpus/url/regress-long-path-abort.txt
Normal file
1
fuzz/corpus/url/regress-long-path-abort.txt
Normal file
@@ -0,0 +1 @@
|
|||||||
|
ftpumŠ[/../e0O/../itpumÙ/ftpumŠ[/../e0O/../itpumÙ<6D>Š[/../O/../f9O_i<5F>W/../O/../90O/../itpumÙ/ftpumŠ[/../e0O/../itpumÙ<6D>Š[/.../e0O/../itpumÙ<6D>Š[/../O/../f9O_i<5F>W/.¿ù../O/../9O_imÙ<6D>Š<EFBFBD>W/../_/../../e0O/../f9O_./f9O_i<5F>W/../O/../90O/./e0O/../itpumÙ<6D>Š[/../O/../f9O_i<5F>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/../../e/../f9OmÙ<6D>Š<EFBFBD>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/..O_imÙ<6D>Š<EFBFBD>W/../O/../../e0O/../f9O_imÙ<6D>Š<EFBFBD>W/../O/.._i<5F>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/../../e0O/../f9O_i/../O/../f9O_i<5F>W/../O/../90O/../itpumÙ/ftpumŠ[/../e0O/../itpumÙ<6D>Š[/../O/../f9O_i<5F>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/../../e0O/../f9OmÙ<6D>Š<EFBFBD>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/..O_imÙ<6D>Š<EFBFBD>W//O/../f9O_i../f9O_i<5F>W/../O/../90O/../itpumÙ/ftpumŠ[/../e0O/../itpumÙ<6D>Š[/.../e0O/../itpumÙ<6D>Š[/../O/../f9O_i<5F>W/.¿ù../O/../9O_imÙ<6D>Š<EFBFBD>W/../_/../../e0O/../f9O_./f9O_i<5F>W/../O/../90O/./e0O/../itpumÙ<6D>Š[/../O/../f9O_i<5F>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/../../e/../f9OmÙ<6D>Š<EFBFBD>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/..O_imÙ<6D>Š<EFBFBD>W/../O/../../e0O/../f9O_imÙ<6D>Š<EFBFBD>W/../O/.._i<5F>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/../../e0O/../f9O_i/../O/../f9O_i<5F>W/../O/../90O/../itpumÙ/ftpumŠ[/../e0O/../itpumÙ<6D>Š[/../O/../f9O_i<5F>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/../../e0O/../f9OmÙ<6D>Š<EFBFBD>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/..O_imÙ<6D>Š<EFBFBD>W//O/../f9O_i<5F>W/.¿ù../O/../9O_imÙ<6D>Š<EFBFBD>W/../_/../../e0O/../f9O_./f9O_i<5F>W/../O/../90O/./e0O/../itpumÙ<6D>Š[/../O/../f9O_i<5F>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/../../e/../f9OmÙ<6D>Š<EFBFBD>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/..O_imÙ<6D>Š<EFBFBD>W/../O/../../e0O/../f9O_imÙ<6D>Š<EFBFBD>W/../O/.._f9O_i../f9O_i<5F>W/../O/../90O/../itpumÙ/ftpumŠ[/../e0O/../itpumÙ<6D>Š[/.../e0O/../itpumÙ<6D>Š[/../O/../f9O_i<5F>W/.¿ù../O/../9O_imÙ<6D>Š<EFBFBD>W/../_/../../e0O/../f9O_./f9O_i<5F>W/../O/../90O/./e0O/../itpumÙ<6D>Š[/../O/../f9O_i<5F>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/../../e/../f9OmÙ<6D>Š<EFBFBD>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/..O_imÙ<6D>Š<EFBFBD>W/../O/../../e0O/../f9O_imÙ<6D>Š<EFBFBD>W/../O/.._i<5F>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/../../e0O/../f9O_i/../O/../f9O_i<5F>W/../O/../90O/../itpumÙ/ftpumŠ[/../e0O/../itpumÙ<6D>Š[/../O/../f9O_i<5F>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/../../e0O/../f9OmÙ<6D>Š<EFBFBD>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/..O_imÙ<6D>Š<EFBFBD>W//O/../f9O_i<5F>W/.¿ù../O/../9O_imÙ<6D>Š<EFBFBD>W/../_/../../e0O/../f9O_./f9O_i<5F>W/../O/../90O/./e0O/../itpumÙ<6D>Š[/../O/../f9O_i<5F>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/../../e/../f9OmÙ<6D>Š<EFBFBD>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/..O_imÙ<6D>Š<EFBFBD>W/../O/../../e0O/../f9O_imÙ<6D>Š<EFBFBD>W/../O/.._i<5F>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/../../e0O/../f9O_i/../O/../f9O_i<5F>W/../O/../90O/../itpumÙ/ftpumŠ[/../e0O/../itpumÙ<6D>Š[/../O/../f9O_i<5F>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/i<>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/../../e0O/../f9O_i/../O/../f9O_i<5F>W/../O/../90O/../itpumÙ/ftpumŠ[/../e0O/../itpumÙ<6D>Š[/../O/../f9O_i<5F>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/../../e0O/../f9OmÙ<6D>Š<EFBFBD>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/..O_im<69>W/.¿ù../O/../9O_imÙ<6D>Š<EFBFBD>W/../_/../../e0O/../f9O_./f9O_i<5F>W/../O/../90O/./e0O/../itpumÙ<6D>Š[/../O/../f9O_i<5F>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/../../e/../f9OmÙ<6D>Š<EFBFBD>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/..O_imÙ<6D>Š<EFBFBD>W/../O/../../e0O/../f9O_imÙ<6D>Š<EFBFBD>W/../O/.._i<5F>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/../../e0O/../f9O_i/../O/../f9O_i<5F>W/../O/../90O/../itpumÙ/ftpumŠ[/../e0O/../itpumÙ<6D>Š[/../O/../f9O_i<5F>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/../../e0O/../f9OmÙ<6D>Š<EFBFBD>W/../O/../9O_imÙ<6D>Š<EFBFBD>W/../O/..O_imÙ<6D>Š<EFBFBD>W/../O/../../e0O/9O_imÙ<6D>Š<EFBFBD>W/../O/../
|
||||||
1
fuzz/corpus/url/relative-path.txt
Normal file
1
fuzz/corpus/url/relative-path.txt
Normal file
@@ -0,0 +1 @@
|
|||||||
|
ftp://ftp.example.com/pub/../file.txt
|
||||||
84
fuzz/fuzz-charset.c
Normal file
84
fuzz/fuzz-charset.c
Normal file
@@ -0,0 +1,84 @@
|
|||||||
|
/* ------------------------------------------------------------ */
|
||||||
|
/*
|
||||||
|
HTTrack Website Copier, Offline Browser for Windows and Unix
|
||||||
|
Copyright (C) 1998 Xavier Roche and other contributors
|
||||||
|
|
||||||
|
SPDX-License-Identifier: GPL-3.0-or-later
|
||||||
|
|
||||||
|
This program is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
This program is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
Ethical use: we kindly ask that you NOT use this software to harvest email
|
||||||
|
addresses or to collect any other private information about people. Doing so
|
||||||
|
would dishonor our work and waste the many hours we have spent on it.
|
||||||
|
|
||||||
|
Please visit our Website: http://www.httrack.com
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* Fuzz the charset codecs: hts_convertStringToUTF8/FromUTF8 and the
|
||||||
|
UTF-8/UCS4 primitives (htscharset.c). First input byte picks the charset. */
|
||||||
|
#include "fuzz.h"
|
||||||
|
#include "htscharset.h"
|
||||||
|
|
||||||
|
static const char *const charsets[] = {
|
||||||
|
"utf-8", "iso-8859-1", "iso-8859-2", "iso-8859-15", "windows-1252",
|
||||||
|
"us-ascii", "shift_jis", "euc-jp", "iso-2022-jp", "gb2312",
|
||||||
|
"big5", "euc-kr", "koi8-r", "utf-16", "unknown-charset",
|
||||||
|
};
|
||||||
|
|
||||||
|
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
|
||||||
|
const char *charset;
|
||||||
|
char *s;
|
||||||
|
|
||||||
|
if (size == 0)
|
||||||
|
return 0;
|
||||||
|
charset = charsets[data[0] % (sizeof(charsets) / sizeof(charsets[0]))];
|
||||||
|
data++, size--;
|
||||||
|
s = fuzz_strdup(data, size);
|
||||||
|
|
||||||
|
{
|
||||||
|
char *utf8 = hts_convertStringToUTF8(s, size, charset);
|
||||||
|
freet(utf8);
|
||||||
|
}
|
||||||
|
{
|
||||||
|
char *enc = hts_convertStringFromUTF8(s, size, charset);
|
||||||
|
freet(enc);
|
||||||
|
}
|
||||||
|
{
|
||||||
|
size_t nChars = 0;
|
||||||
|
hts_UCS4 *ucs = hts_convertUTF8StringToUCS4(s, size, &nChars);
|
||||||
|
|
||||||
|
if (ucs != NULL) {
|
||||||
|
char *back = hts_convertUCS4StringToUTF8(ucs, nChars);
|
||||||
|
freet(back);
|
||||||
|
freet(ucs);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
{
|
||||||
|
size_t i = 0;
|
||||||
|
|
||||||
|
while (i < size) {
|
||||||
|
hts_UCS4 uc = 0;
|
||||||
|
const size_t nr = hts_readUTF8(s + i, size - i, &uc);
|
||||||
|
char out[8];
|
||||||
|
|
||||||
|
if (nr == 0)
|
||||||
|
break;
|
||||||
|
hts_writeUTF8(uc, out, sizeof(out));
|
||||||
|
i += nr;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
freet(s);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
51
fuzz/fuzz-entities.c
Normal file
51
fuzz/fuzz-entities.c
Normal file
@@ -0,0 +1,51 @@
|
|||||||
|
/* ------------------------------------------------------------ */
|
||||||
|
/*
|
||||||
|
HTTrack Website Copier, Offline Browser for Windows and Unix
|
||||||
|
Copyright (C) 1998 Xavier Roche and other contributors
|
||||||
|
|
||||||
|
SPDX-License-Identifier: GPL-3.0-or-later
|
||||||
|
|
||||||
|
This program is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
This program is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
Ethical use: we kindly ask that you NOT use this software to harvest email
|
||||||
|
addresses or to collect any other private information about people. Doing so
|
||||||
|
would dishonor our work and waste the many hours we have spent on it.
|
||||||
|
|
||||||
|
Please visit our Website: http://www.httrack.com
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* Fuzz the HTML entity decoder (htsencoding.c). First input byte picks the
|
||||||
|
destination size, so truncation bounds get exercised too. */
|
||||||
|
#include "fuzz.h"
|
||||||
|
#include "htsencoding.h"
|
||||||
|
|
||||||
|
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
|
||||||
|
static const size_t dsizes[] = {1, 2, 8, 64, 4096};
|
||||||
|
size_t dsize;
|
||||||
|
char *src, *dest;
|
||||||
|
|
||||||
|
if (size == 0)
|
||||||
|
return 0;
|
||||||
|
dsize = dsizes[data[0] % (sizeof(dsizes) / sizeof(dsizes[0]))];
|
||||||
|
data++, size--;
|
||||||
|
src = fuzz_strdup(data, size);
|
||||||
|
dest = malloct(dsize);
|
||||||
|
|
||||||
|
(void) hts_unescapeEntities(src, dest, dsize);
|
||||||
|
(void) hts_unescapeEntitiesWithCharset(src, dest, dsize, "iso-8859-1");
|
||||||
|
|
||||||
|
freet(dest);
|
||||||
|
freet(src);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
65
fuzz/fuzz-filters.c
Normal file
65
fuzz/fuzz-filters.c
Normal file
@@ -0,0 +1,65 @@
|
|||||||
|
/* ------------------------------------------------------------ */
|
||||||
|
/*
|
||||||
|
HTTrack Website Copier, Offline Browser for Windows and Unix
|
||||||
|
Copyright (C) 1998 Xavier Roche and other contributors
|
||||||
|
|
||||||
|
SPDX-License-Identifier: GPL-3.0-or-later
|
||||||
|
|
||||||
|
This program is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
This program is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
Ethical use: we kindly ask that you NOT use this software to harvest email
|
||||||
|
addresses or to collect any other private information about people. Doing so
|
||||||
|
would dishonor our work and waste the many hours we have spent on it.
|
||||||
|
|
||||||
|
Please visit our Website: http://www.httrack.com
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* Fuzz the wildcard filter matcher (htsfilters.c; #148 bracket-range OOB was
|
||||||
|
here). Input splits on the first NUL: pattern, then subject string. */
|
||||||
|
#include "fuzz.h"
|
||||||
|
#include "htsfilters.h"
|
||||||
|
|
||||||
|
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
|
||||||
|
char *buf = fuzz_strdup(data, size);
|
||||||
|
const char *joker = buf;
|
||||||
|
const uint8_t *sep = memchr(data, '\0', size);
|
||||||
|
/* subject in its own allocation so ASan bounds it apart from the pattern */
|
||||||
|
char *nom = sep != NULL ? fuzz_strdup(sep + 1, (data + size) - (sep + 1))
|
||||||
|
: fuzz_strdup(data + size, 0);
|
||||||
|
|
||||||
|
(void) strjoker(nom, joker, NULL, NULL);
|
||||||
|
{
|
||||||
|
LLint sz = (LLint) size;
|
||||||
|
int size_flag = 0;
|
||||||
|
|
||||||
|
(void) strjoker(nom, joker, &sz, &size_flag);
|
||||||
|
}
|
||||||
|
(void) strjokerfind(nom, joker);
|
||||||
|
{
|
||||||
|
char *filter = malloct(strlen(joker) + 2);
|
||||||
|
char *filters[1];
|
||||||
|
LLint sz = (LLint) size;
|
||||||
|
int size_flag = 0, depth = 0;
|
||||||
|
|
||||||
|
filter[0] = '-';
|
||||||
|
memcpy(filter + 1, joker, strlen(joker) + 1);
|
||||||
|
filters[0] = filter;
|
||||||
|
(void) fa_strjoker(0, filters, 1, nom, &sz, &size_flag, &depth);
|
||||||
|
freet(filter);
|
||||||
|
}
|
||||||
|
|
||||||
|
freet(nom);
|
||||||
|
freet(buf);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
47
fuzz/fuzz-idna.c
Normal file
47
fuzz/fuzz-idna.c
Normal file
@@ -0,0 +1,47 @@
|
|||||||
|
/* ------------------------------------------------------------ */
|
||||||
|
/*
|
||||||
|
HTTrack Website Copier, Offline Browser for Windows and Unix
|
||||||
|
Copyright (C) 1998 Xavier Roche and other contributors
|
||||||
|
|
||||||
|
SPDX-License-Identifier: GPL-3.0-or-later
|
||||||
|
|
||||||
|
This program is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
This program is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
Ethical use: we kindly ask that you NOT use this software to harvest email
|
||||||
|
addresses or to collect any other private information about people. Doing so
|
||||||
|
would dishonor our work and waste the many hours we have spent on it.
|
||||||
|
|
||||||
|
Please visit our Website: http://www.httrack.com
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* Fuzz the IDNA/punycode codec (htscharset.c, CVE-prone lineage). */
|
||||||
|
#include "fuzz.h"
|
||||||
|
#include "htscharset.h"
|
||||||
|
|
||||||
|
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
|
||||||
|
char *s = fuzz_strdup(data, size);
|
||||||
|
|
||||||
|
{
|
||||||
|
char *idna = hts_convertStringUTF8ToIDNA(s, size);
|
||||||
|
freet(idna);
|
||||||
|
}
|
||||||
|
{
|
||||||
|
char *utf8 = hts_convertStringIDNAToUTF8(s, size);
|
||||||
|
freet(utf8);
|
||||||
|
}
|
||||||
|
(void) hts_isStringIDNA(s, size);
|
||||||
|
|
||||||
|
freet(s);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
40
fuzz/fuzz-meta.c
Normal file
40
fuzz/fuzz-meta.c
Normal file
@@ -0,0 +1,40 @@
|
|||||||
|
/* ------------------------------------------------------------ */
|
||||||
|
/*
|
||||||
|
HTTrack Website Copier, Offline Browser for Windows and Unix
|
||||||
|
Copyright (C) 1998 Xavier Roche and other contributors
|
||||||
|
|
||||||
|
SPDX-License-Identifier: GPL-3.0-or-later
|
||||||
|
|
||||||
|
This program is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
This program is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
Ethical use: we kindly ask that you NOT use this software to harvest email
|
||||||
|
addresses or to collect any other private information about people. Doing so
|
||||||
|
would dishonor our work and waste the many hours we have spent on it.
|
||||||
|
|
||||||
|
Please visit our Website: http://www.httrack.com
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* Fuzz hts_getCharsetFromMeta (htscharset.c): scans raw attacker HTML for a
|
||||||
|
<meta> charset declaration. */
|
||||||
|
#include "fuzz.h"
|
||||||
|
#include "htscharset.h"
|
||||||
|
|
||||||
|
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
|
||||||
|
char *html = fuzz_strdup(data, size);
|
||||||
|
char *charset = hts_getCharsetFromMeta(html, size);
|
||||||
|
|
||||||
|
freet(charset);
|
||||||
|
freet(html);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
53
fuzz/fuzz-unescape.c
Normal file
53
fuzz/fuzz-unescape.c
Normal file
@@ -0,0 +1,53 @@
|
|||||||
|
/* ------------------------------------------------------------ */
|
||||||
|
/*
|
||||||
|
HTTrack Website Copier, Offline Browser for Windows and Unix
|
||||||
|
Copyright (C) 1998 Xavier Roche and other contributors
|
||||||
|
|
||||||
|
SPDX-License-Identifier: GPL-3.0-or-later
|
||||||
|
|
||||||
|
This program is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
This program is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
Ethical use: we kindly ask that you NOT use this software to harvest email
|
||||||
|
addresses or to collect any other private information about people. Doing so
|
||||||
|
would dishonor our work and waste the many hours we have spent on it.
|
||||||
|
|
||||||
|
Please visit our Website: http://www.httrack.com
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* Fuzz the URL percent-decoders (htslib.c). First input byte picks the
|
||||||
|
output buffer size, so the bounded-copy contract is exercised. */
|
||||||
|
#include "fuzz.h"
|
||||||
|
#include "httrack-library.h"
|
||||||
|
|
||||||
|
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
|
||||||
|
static const size_t bsizes[] = {1, 2, 16, 256, 8192};
|
||||||
|
size_t bsize;
|
||||||
|
char *s, *catbuff;
|
||||||
|
|
||||||
|
if (size == 0)
|
||||||
|
return 0;
|
||||||
|
bsize = bsizes[data[0] % (sizeof(bsizes) / sizeof(bsizes[0]))];
|
||||||
|
data++, size--;
|
||||||
|
s = fuzz_strdup(data, size);
|
||||||
|
catbuff = malloct(bsize);
|
||||||
|
|
||||||
|
(void) unescape_http(catbuff, bsize, s);
|
||||||
|
(void) unescape_http_unharm(catbuff, bsize, s, 0);
|
||||||
|
(void) unescape_http_unharm(catbuff, bsize, s, 1);
|
||||||
|
unescape_amp(s);
|
||||||
|
|
||||||
|
freet(catbuff);
|
||||||
|
freet(s);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
49
fuzz/fuzz-url.c
Normal file
49
fuzz/fuzz-url.c
Normal file
@@ -0,0 +1,49 @@
|
|||||||
|
/* ------------------------------------------------------------ */
|
||||||
|
/*
|
||||||
|
HTTrack Website Copier, Offline Browser for Windows and Unix
|
||||||
|
Copyright (C) 1998 Xavier Roche and other contributors
|
||||||
|
|
||||||
|
SPDX-License-Identifier: GPL-3.0-or-later
|
||||||
|
|
||||||
|
This program is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
This program is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
Ethical use: we kindly ask that you NOT use this software to harvest email
|
||||||
|
addresses or to collect any other private information about people. Doing so
|
||||||
|
would dishonor our work and waste the many hours we have spent on it.
|
||||||
|
|
||||||
|
Please visit our Website: http://www.httrack.com
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* Fuzz the URL splitter and path normalizer (htslib.c): ident_url_absolute
|
||||||
|
is the first parser to touch a raw URL; fil_simplifie collapses ./ and ../
|
||||||
|
in place. */
|
||||||
|
#include "fuzz.h"
|
||||||
|
#include "htscore.h"
|
||||||
|
#include "htslib.h"
|
||||||
|
|
||||||
|
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
|
||||||
|
char *s = fuzz_strdup(data, size);
|
||||||
|
lien_adrfil *af = calloct(1, sizeof(*af));
|
||||||
|
/* fil_simplifie rewrites in place and may grow an empty path to "./" */
|
||||||
|
char *path = malloct(size + 3);
|
||||||
|
|
||||||
|
(void) ident_url_absolute(s, af);
|
||||||
|
memcpy(path, s, size + 1);
|
||||||
|
fil_simplifie(path);
|
||||||
|
|
||||||
|
freet(path);
|
||||||
|
freet(af);
|
||||||
|
freet(s);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
51
fuzz/fuzz.h
Normal file
51
fuzz/fuzz.h
Normal file
@@ -0,0 +1,51 @@
|
|||||||
|
/* ------------------------------------------------------------ */
|
||||||
|
/*
|
||||||
|
HTTrack Website Copier, Offline Browser for Windows and Unix
|
||||||
|
Copyright (C) 1998 Xavier Roche and other contributors
|
||||||
|
|
||||||
|
SPDX-License-Identifier: GPL-3.0-or-later
|
||||||
|
|
||||||
|
This program is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
This program is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
Ethical use: we kindly ask that you NOT use this software to harvest email
|
||||||
|
addresses or to collect any other private information about people. Doing so
|
||||||
|
would dishonor our work and waste the many hours we have spent on it.
|
||||||
|
|
||||||
|
Please visit our Website: http://www.httrack.com
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* Shared helpers for the libFuzzer harnesses. */
|
||||||
|
#ifndef FUZZ_H
|
||||||
|
#define FUZZ_H
|
||||||
|
|
||||||
|
#define HTS_INTERNAL_BYTECODE
|
||||||
|
|
||||||
|
#include <stddef.h>
|
||||||
|
#include <stdint.h>
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
#include "htsbase.h"
|
||||||
|
|
||||||
|
/* Heap NUL-terminated copy of the fuzzer input, so ASan bounds every read. */
|
||||||
|
static char *fuzz_strdup(const uint8_t *data, size_t size) {
|
||||||
|
char *s = malloct(size + 1);
|
||||||
|
|
||||||
|
memcpy(s, data, size);
|
||||||
|
s[size] = '\0';
|
||||||
|
return s;
|
||||||
|
}
|
||||||
|
|
||||||
|
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
|
||||||
|
|
||||||
|
#endif
|
||||||
41
fuzz/run-fuzzers.sh
Executable file
41
fuzz/run-fuzzers.sh
Executable file
@@ -0,0 +1,41 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# Drive every built harness against its seed corpus.
|
||||||
|
# run-fuzzers.sh <build-fuzz-dir> check deterministic replay (CI smoke)
|
||||||
|
# run-fuzzers.sh <build-fuzz-dir> [seconds] timed mutation run (discovery)
|
||||||
|
# Replay is crash/leak-only and never mutates, so it can't hit strjoker's
|
||||||
|
# catastrophic backtracking; the timed mode can, hence the per-unit -timeout.
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
srcdir=$(cd "$(dirname "$0")" && pwd)
|
||||||
|
bld=${1:?usage: run-fuzzers.sh <build-fuzz-dir> [check|seconds]}
|
||||||
|
mode=${2:-20}
|
||||||
|
|
||||||
|
status=0
|
||||||
|
for f in "$bld"/fuzz-*; do
|
||||||
|
if [ ! -f "$f" ] || [ ! -r "$f" ]; then continue; fi
|
||||||
|
case "$f" in *.o | *.c | *.dSYM) continue ;; esac
|
||||||
|
name=$(basename "$f")
|
||||||
|
corpus="$srcdir/corpus/${name#fuzz-}"
|
||||||
|
if [ "$mode" = "check" ]; then
|
||||||
|
echo "=== $name (replay) ==="
|
||||||
|
[ -d "$corpus" ] || continue
|
||||||
|
if ! "$f" -runs=0 -timeout=25 -rss_limit_mb=2048 "$corpus"; then
|
||||||
|
echo "*** $name FAILED on its corpus" >&2
|
||||||
|
status=1
|
||||||
|
fi
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
work=$(mktemp -d)
|
||||||
|
args=("$work")
|
||||||
|
[ -d "$corpus" ] && args+=("$corpus")
|
||||||
|
echo "=== $name (${mode}s) ==="
|
||||||
|
if ! "$f" -max_total_time="$mode" -timeout=25 -rss_limit_mb=2048 \
|
||||||
|
-artifact_prefix="$work/" -print_final_stats=1 "${args[@]}"; then
|
||||||
|
echo "*** $name FAILED; artifacts:" >&2
|
||||||
|
ls -l "$work" >&2
|
||||||
|
status=1
|
||||||
|
else
|
||||||
|
rm -rf "$work"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
exit $status
|
||||||
@@ -910,19 +910,19 @@ char *hts_convertStringUTF8ToIDNA(const char *s, size_t size) {
|
|||||||
/* Reader: can read bytes up to j */
|
/* Reader: can read bytes up to j */
|
||||||
#define RD ( utfSeq < j ? segData[utfSeq++] : -1 )
|
#define RD ( utfSeq < j ? segData[utfSeq++] : -1 )
|
||||||
|
|
||||||
/* Writer: upon error, return FFFD (replacement character) */
|
/* Writer: a malformed sequence abandons the encode (NULL) */
|
||||||
#define WR(C) do { \
|
#define WR(C) \
|
||||||
if ((C) != -1) { \
|
do { \
|
||||||
/* copy character */ \
|
if ((C) != -1) { \
|
||||||
assertf(segOutputSize < segSize); \
|
/* copy character */ \
|
||||||
segInt[segOutputSize++] = (C); \
|
assertf(segOutputSize < segSize); \
|
||||||
} \
|
segInt[segOutputSize++] = (C); \
|
||||||
/* In case of error, abort. */ \
|
} else { \
|
||||||
else { \
|
freet(segInt); \
|
||||||
FREE_BUFFER(); \
|
FREE_BUFFER(); \
|
||||||
return NULL; \
|
return NULL; \
|
||||||
} \
|
} \
|
||||||
} while(0)
|
} while (0)
|
||||||
|
|
||||||
/* Read/Write Unicode character. */
|
/* Read/Write Unicode character. */
|
||||||
READ_UNICODE(RD, WR);
|
READ_UNICODE(RD, WR);
|
||||||
@@ -1144,7 +1144,7 @@ int hts_isStringUTF8(const char *s, size_t size) {
|
|||||||
/* Reader: can read bytes up to j */
|
/* Reader: can read bytes up to j */
|
||||||
#define RD ( i < size ? data[i++] : -1 )
|
#define RD ( i < size ? data[i++] : -1 )
|
||||||
|
|
||||||
/* Writer: upon error, return FFFD (replacement character) */
|
/* Writer: a malformed sequence means the string is not UTF-8 (return 0) */
|
||||||
#define WR(C) if ((C) == -1) { return 0; }
|
#define WR(C) if ((C) == -1) { return 0; }
|
||||||
|
|
||||||
/* Read Unicode character. */
|
/* Read Unicode character. */
|
||||||
|
|||||||
@@ -286,7 +286,7 @@ HTS_INLINE const char *strjoker(const char *chaine, const char *joker,
|
|||||||
if (!unique)
|
if (!unique)
|
||||||
max = (int) strlen(chaine);
|
max = (int) strlen(chaine);
|
||||||
else /* *(a) only match a (not aaaaa) */
|
else /* *(a) only match a (not aaaaa) */
|
||||||
max = 1;
|
max = strnotempty(chaine) ? 1 : 0; /* empty chaine: no char to eat */
|
||||||
while(i < (int) max) {
|
while(i < (int) max) {
|
||||||
if (pass[(int) (unsigned char) chaine[i]]) { // caractère autorisé
|
if (pass[(int) (unsigned char) chaine[i]]) { // caractère autorisé
|
||||||
if ((adr = strjoker(chaine + i + 1, joker + jmp, size, size_flag))) {
|
if ((adr = strjoker(chaine + i + 1, joker + jmp, size, size_flag))) {
|
||||||
|
|||||||
@@ -2497,6 +2497,10 @@ int ident_url_absolute(const char *url, lien_adrfil *adrfil) {
|
|||||||
// effacer adrfil->adr et adrfil->fil
|
// effacer adrfil->adr et adrfil->fil
|
||||||
adrfil->adr[0] = adrfil->fil[0] = '\0';
|
adrfil->adr[0] = adrfil->fil[0] = '\0';
|
||||||
|
|
||||||
|
// Reject an over-long URL: a root-relative path is copied whole into fil[].
|
||||||
|
if (strlen(url) >= HTS_URLMAXSIZE * 2)
|
||||||
|
return -1;
|
||||||
|
|
||||||
#if HDEBUG
|
#if HDEBUG
|
||||||
printf("protocol: %s\n", url);
|
printf("protocol: %s\n", url);
|
||||||
#endif
|
#endif
|
||||||
@@ -2572,7 +2576,7 @@ int ident_url_absolute(const char *url, lien_adrfil *adrfil) {
|
|||||||
if (*p == '/' || *p == '\\') { /* adrfil->file:///.. */
|
if (*p == '/' || *p == '\\') { /* adrfil->file:///.. */
|
||||||
strcatbuff(adrfil->fil, p); // fichier local ; adrfil->adr="#"
|
strcatbuff(adrfil->fil, p); // fichier local ; adrfil->adr="#"
|
||||||
} else {
|
} else {
|
||||||
if (p[1] != ':') {
|
if (*p == '\0' || p[1] != ':') { /* empty path: not a DOS drive letter */
|
||||||
strcatbuff(adrfil->fil, "//"); /* adrfil->file://server/foo */
|
strcatbuff(adrfil->fil, "//"); /* adrfil->file://server/foo */
|
||||||
strcatbuff(adrfil->fil, p);
|
strcatbuff(adrfil->fil, p);
|
||||||
} else {
|
} else {
|
||||||
|
|||||||
@@ -579,15 +579,16 @@ static int st_filter(httrackp *opt, int argc, char **argv) {
|
|||||||
int matched;
|
int matched;
|
||||||
|
|
||||||
(void) opt;
|
(void) opt;
|
||||||
if (argc < 2) {
|
if (argc < 1) {
|
||||||
fprintf(stderr, "filter: needs a filter pattern and a string\n");
|
fprintf(stderr, "filter: needs a filter pattern and a string\n");
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
/* exact-size heap copies so a sanitizer traps any over-read of the pattern */
|
/* exact-size heap copies so a sanitizer traps an over-read; a missing
|
||||||
str = strdupt(argv[1]);
|
subject means "" (not reachable as a CLI arg) */
|
||||||
|
str = strdupt(argc >= 2 ? argv[1] : "");
|
||||||
pat = strdupt(argv[0]);
|
pat = strdupt(argv[0]);
|
||||||
matched = strjoker(str, pat, NULL, NULL) != NULL;
|
matched = strjoker(str, pat, NULL, NULL) != NULL;
|
||||||
printf("%s does %s %s\n", argv[1], matched ? "match" : "NOT match", argv[0]);
|
printf("%s does %s %s\n", str, matched ? "match" : "NOT match", argv[0]);
|
||||||
freet(str);
|
freet(str);
|
||||||
freet(pat);
|
freet(pat);
|
||||||
return 0;
|
return 0;
|
||||||
@@ -1094,6 +1095,33 @@ static int st_resolve(httrackp *opt, int argc, char **argv) {
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Split a URL into (adr, fil), or print "error" if rejected. A second arg pads
|
||||||
|
the URL with that many 'a's to reach lengths a CLI arg can't. */
|
||||||
|
static int st_identurl(httrackp *opt, int argc, char **argv) {
|
||||||
|
lien_adrfil af;
|
||||||
|
char *url;
|
||||||
|
size_t len, pad = 0;
|
||||||
|
|
||||||
|
(void) opt;
|
||||||
|
if (argc < 1) {
|
||||||
|
fprintf(stderr, "identurl: needs a URL\n");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
if (argc >= 2)
|
||||||
|
pad = (size_t) atoi(argv[1]);
|
||||||
|
len = strlen(argv[0]);
|
||||||
|
url = malloct(len + pad + 1);
|
||||||
|
memcpy(url, argv[0], len);
|
||||||
|
memset(url + len, 'a', pad);
|
||||||
|
url[len + pad] = '\0';
|
||||||
|
if (ident_url_absolute(url, &af) >= 0)
|
||||||
|
printf("adr=%s fil=%s\n", af.adr, af.fil);
|
||||||
|
else
|
||||||
|
printf("error\n");
|
||||||
|
freet(url);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
/* Extra args are key=value: adr= cdispo= statuscode= status= strip= urlhack=
|
/* Extra args are key=value: adr= cdispo= statuscode= status= strip= urlhack=
|
||||||
no-www= no-slash= no-query= n83= type=, plus repeatable prior=adr|fil|sav
|
no-www= no-slash= no-query= n83= type=, plus repeatable prior=adr|fil|sav
|
||||||
registering an already-crawled link (dedup/collision paths). */
|
registering an already-crawled link (dedup/collision paths). */
|
||||||
@@ -2132,6 +2160,7 @@ static const struct selftest_entry {
|
|||||||
st_relative},
|
st_relative},
|
||||||
{"resolve", "<link> <adr> <fil>", "resolve a link against an origin",
|
{"resolve", "<link> <adr> <fil>", "resolve a link against an origin",
|
||||||
st_resolve},
|
st_resolve},
|
||||||
|
{"identurl", "<url>", "split an absolute URL into (adr, fil)", st_identurl},
|
||||||
{"header", "<raw-header-line> ...", "response header-line parsing",
|
{"header", "<raw-header-line> ...", "response header-line parsing",
|
||||||
st_header},
|
st_header},
|
||||||
{"savename", "<fil> <content-type> [key=value ...]",
|
{"savename", "<fil> <content-type> [key=value ...]",
|
||||||
|
|||||||
@@ -12,6 +12,11 @@ match() {
|
|||||||
nomatch() {
|
nomatch() {
|
||||||
test "$(httrack -O /dev/null -#test=filter "$1" "$2")" == "$2 does NOT match $1" || exit 1
|
test "$(httrack -O /dev/null -#test=filter "$1" "$2")" == "$2 does NOT match $1" || exit 1
|
||||||
}
|
}
|
||||||
|
# single-arg call means an empty subject (unreachable as a CLI arg); '*(' used
|
||||||
|
# to force max=1 and over-read past it.
|
||||||
|
nomatch_empty() {
|
||||||
|
test "$(httrack -O /dev/null -#test=filter "$1")" == " does NOT match $1" || exit 1
|
||||||
|
}
|
||||||
|
|
||||||
# bare star matches everything
|
# bare star matches everything
|
||||||
match '*' 'anything/at/all'
|
match '*' 'anything/at/all'
|
||||||
@@ -122,3 +127,7 @@ nomatch '*[file]end' 'foo?xend'
|
|||||||
nomatch '*[name]X' 'abc?X'
|
nomatch '*[name]X' 'abc?X'
|
||||||
match '*[file]' 'foo?x=1' # trailing query: tolerated, as for *.aspx
|
match '*[file]' 'foo?x=1' # trailing query: tolerated, as for *.aspx
|
||||||
match '*.aspx' 'page.aspx?y=2'
|
match '*.aspx' 'page.aspx?y=2'
|
||||||
|
|
||||||
|
# empty subject against a unique-match allow-all pattern (heap over-read regress)
|
||||||
|
nomatch_empty '*(('
|
||||||
|
nomatch_empty '**(('
|
||||||
|
|||||||
27
tests/01_engine-identurl.test
Executable file
27
tests/01_engine-identurl.test
Executable file
@@ -0,0 +1,27 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
# ident_url_absolute splits a raw URL into (adr, fil), the first parser to touch
|
||||||
|
# it. -#test=identurl <url> [pad] prints "adr=.. fil=.." or "error"; pad appends
|
||||||
|
# N 'a's, reaching lengths a CLI arg can't.
|
||||||
|
|
||||||
|
split() {
|
||||||
|
test "$(httrack -O /dev/null -#test=identurl "$1")" == "$2" || exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
split 'http://www.example.com/a/b/../c.html' 'adr=www.example.com fil=/a/c.html'
|
||||||
|
split 'ftp://ftp.example.com/pub/file.txt' 'adr=ftp://ftp.example.com fil=/pub/file.txt'
|
||||||
|
split 'file:///etc/hostname' 'adr=file:// fil=/etc/hostname'
|
||||||
|
|
||||||
|
# empty-path file:// used to read one byte past the URL (p[1] with *p=0)
|
||||||
|
split 'file://' 'adr=file:// fil=//'
|
||||||
|
|
||||||
|
# a root-relative path is copied whole into fil[HTS_URLMAXSIZE*2], so a URL at
|
||||||
|
# the buffer size is the tightest overflow; it must be rejected, not abort.
|
||||||
|
split_pad() {
|
||||||
|
test "$(httrack -O /dev/null -#test=identurl "$1" "$2")" == "$3" || exit 1
|
||||||
|
}
|
||||||
|
split_pad '/' 2047 'error' # 1 + 2047 = 2048 = HTS_URLMAXSIZE*2
|
||||||
|
split_pad 'http://h/' 3000 'error'
|
||||||
@@ -8,8 +8,8 @@ set -euo pipefail
|
|||||||
|
|
||||||
enc() { test "$(httrack -O /dev/null -#test=idna-encode "$1")" == "$2" || exit 1; }
|
enc() { test "$(httrack -O /dev/null -#test=idna-encode "$1")" == "$2" || exit 1; }
|
||||||
dec() { test "$(httrack -O /dev/null -#test=idna-decode "$1")" == "$2" || exit 1; }
|
dec() { test "$(httrack -O /dev/null -#test=idna-decode "$1")" == "$2" || exit 1; }
|
||||||
# crash probe: malformed ACE input must exit cleanly, not abort.
|
# a malformed encode input must be rejected (empty output), not encoded or leaked.
|
||||||
runs() { httrack -O /dev/null -#test=idna-decode "$1" >/dev/null 2>&1 || exit 1; }
|
enc_bad() { test -z "$(httrack -O /dev/null -#test=idna-encode "$1" 2>/dev/null)" || exit 1; }
|
||||||
|
|
||||||
# encode
|
# encode
|
||||||
enc 'www.café.com' 'www.xn--caf-dma.com'
|
enc 'www.café.com' 'www.xn--caf-dma.com'
|
||||||
@@ -33,6 +33,9 @@ enc 'xn--already-encoded.com' 'xn--already-encoded.com'
|
|||||||
# an empty punycode payload decodes back to the bare xn-- label
|
# an empty punycode payload decodes back to the bare xn-- label
|
||||||
dec 'xn--' 'xn--'
|
dec 'xn--' 'xn--'
|
||||||
|
|
||||||
# malformed ACE payloads (invalid base-36, garbage) must not crash
|
# malformed ACE payloads decode to a stable (garbage) string, not a crash
|
||||||
runs 'xn--!!!'
|
dec 'xn--!!!' '㚯'
|
||||||
runs 'xn--already-encoded.com'
|
dec 'xn--already-encoded.com' 'ǮalǭǮreaǭǫdy.com'
|
||||||
|
|
||||||
|
# second label has a truncated UTF-8 sequence: used to leak the segment buffer.
|
||||||
|
enc_bad "$(printf 'b\xc3\xbcchev.\xe4\xbe\x8b\xe5\xad\x62\xc3\xbccheple')"
|
||||||
|
|||||||
@@ -40,6 +40,7 @@ TESTS = \
|
|||||||
01_engine-hashtable.test \
|
01_engine-hashtable.test \
|
||||||
01_engine-header.test \
|
01_engine-header.test \
|
||||||
01_engine-idna.test \
|
01_engine-idna.test \
|
||||||
|
01_engine-identurl.test \
|
||||||
01_engine-escape-room.test \
|
01_engine-escape-room.test \
|
||||||
01_engine-inplace-escape.test \
|
01_engine-inplace-escape.test \
|
||||||
01_engine-java.test \
|
01_engine-java.test \
|
||||||
|
|||||||
Reference in New Issue
Block a user