Fuzzing move fuzz test in main repo add more fuzz test #2420

Merged
merged 1 commit into from
Jan 23, 2024
3 changes: 3 additions & 0 deletions .licenserc.yaml
Expand Up @@ -214,4 +214,7 @@ header:
# NGINX
- 'src/brpc/details/http_parser.*'

# Fuzzing seed
- 'test/fuzzing/fuzz_*_seed_corpus/*'

comment: on-failure
10 changes: 10 additions & 0 deletions CMakeLists.txt
Expand Up @@ -26,6 +26,7 @@ option(WITH_THRIFT "With thrift framed protocol supported" OFF)
option(WITH_SNAPPY "With snappy" OFF)
option(WITH_RDMA "With RDMA" OFF)
option(BUILD_UNIT_TESTS "Whether to build unit tests" OFF)
option(BUILD_FUZZ_TESTS "Whether to build fuzz tests" OFF)
option(BUILD_BRPC_TOOLS "Whether to build brpc tools" ON)
option(DOWNLOAD_GTEST "Download and build a fresh copy of googletest. Requires Internet access." ON)

Expand Down Expand Up @@ -478,6 +479,15 @@ if(BUILD_UNIT_TESTS)
add_subdirectory(test)
endif()

if(BUILD_FUZZ_TESTS)
if(NOT CMAKE_CXX_COMPILER_ID MATCHES "Clang")
message(FATAL_ERROR "Fuzzing is only supported with clang")
endif()
if(NOT BUILD_UNIT_TESTS)
message(FATAL_ERROR "BUILD_UNIT_TESTS must be enabled to build fuzz tests")
endif()
endif()

if(BUILD_BRPC_TOOLS)
add_subdirectory(tools)
endif()
27 changes: 26 additions & 1 deletion test/CMakeLists.txt
Expand Up @@ -51,7 +51,7 @@ else()
message(FATAL_ERROR "Googletest is not available")
endif()

set(CMAKE_CPP_FLAGS "${DEFINE_CLOCK_GETTIME} -DBRPC_WITH_GLOG=${WITH_GLOG_VAL} -DBRPC_WITH_RDMA=${WITH_RDMA_VAL} -DGFLAGS_NS=${GFLAGS_NS}")
set(CMAKE_CPP_FLAGS "${CMAKE_CPP_FLAGS} ${DEFINE_CLOCK_GETTIME} -DBRPC_WITH_GLOG=${WITH_GLOG_VAL} -DBRPC_WITH_RDMA=${WITH_RDMA_VAL} -DGFLAGS_NS=${GFLAGS_NS}")
set(CMAKE_CPP_FLAGS "${CMAKE_CPP_FLAGS} -DBTHREAD_USE_FAST_PTHREAD_MUTEX -D__const__=__unused__ -D_GNU_SOURCE -DUSE_SYMBOLIZE -DNO_TCMALLOC -D__STDC_FORMAT_MACROS -D__STDC_LIMIT_MACROS -D__STDC_CONSTANT_MACROS -DUNIT_TEST -Dprivate=public -Dprotected=public -DBVAR_NOT_LINK_DEFAULT_VARIABLES -D__STRICT_ANSI__ -include ${PROJECT_SOURCE_DIR}/test/sstream_workaround.h")
set(CMAKE_CXX_FLAGS "${CMAKE_CPP_FLAGS} -g -O2 -pipe -Wall -W -fPIC -fstrict-aliasing -Wno-invalid-offsetof -Wno-unused-parameter -fno-omit-frame-pointer")
use_cxx11()
Expand Down Expand Up @@ -253,3 +253,28 @@ foreach(BRPC_UT ${BRPC_UNITTESTS})
${GPERFTOOLS_LIBRARIES})
add_test(NAME ${BRPC_UT_WE} COMMAND ${BRPC_UT_WE})
endforeach()

if(BUILD_FUZZ_TESTS)
add_library(brpc-static-debug STATIC $<TARGET_OBJECTS:BUTIL_DEBUG_LIB>
$<TARGET_OBJECTS:SOURCES_DEBUG_LIB>
$<TARGET_OBJECTS:PROTO_LIB>)
# change the debug lib output dir to be different from the release output
set_target_properties(brpc-static-debug PROPERTIES
LIBRARY_OUTPUT_DIRECTORY ${PROJECT_BINARY_DIR}/test)

target_link_libraries(brpc-static-debug ${DYNAMIC_LIB})
if(BRPC_WITH_GLOG)
target_link_libraries(brpc-static-debug ${GLOG_LIB})
endif()

set(FUZZ_TARGETS fuzz_butil fuzz_esp fuzz_hpack fuzz_http
fuzz_hulu fuzz_json fuzz_redis fuzz_shead fuzz_sofa fuzz_uri)

foreach(target ${FUZZ_TARGETS})
add_executable(${target} fuzzing/${target}.cpp $<TARGET_OBJECTS:TEST_PROTO_LIB>)
target_link_libraries(${target} brpc-static-debug ${LIB_FUZZING_ENGINE})
set_target_properties(${target} PROPERTIES
BUILD_WITH_INSTALL_RPATH TRUE
INSTALL_RPATH "$ORIGIN/lib")
endforeach()
endif()
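Review bot: `${LIB_FUZZING_ENGINE}` in `target_link_libraries(${target} brpc-static-debug ${LIB_FUZZING_ENGINE})` is never given a default in the hunks shown, so a build that does not pass it in would link the fuzz targets with no engine and no `main`; a fallback placed before the `foreach`, such as `if(NOT DEFINED LIB_FUZZING_ENGINE)` / `set(LIB_FUZZING_ENGINE "-fsanitize=fuzzer")` / `endif()`, would make local builds work. Nothing visible adds sanitizer or coverage flags either, so a comment stating that the caller's compiler flags are expected to carry them would help. Separately, `brpc-static-debug` is a STATIC library, whose output location is controlled by `ARCHIVE_OUTPUT_DIRECTORY`; the `LIBRARY_OUTPUT_DIRECTORY` property set here presumably has no effect, so the debug archive may not end up where the comment above it says.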
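--- a/test/fuzzing/fuzz_butil.cpp
+++ b/test/fuzzing/fuzz_butil.cpp
@@ -0,0 +1,52 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "butil/base64.h"
+#include "butil/crc32c.h"
+#include "butil/hash.h"
+#include "butil/sha1.h"
+
+#define kMinInputLength 5
+#define kMaxInputLength 1024
+
+extern "C" int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+if (size < kMinInputLength || size > kMaxInputLength){
+return 1;
+}
+
+std::string input(reinterpret_cast<const char*>(data), size);
+
+{
+std::string encoded;
+std::string decoded;
+butil::Base64Encode(input, &encoded);
+butil::Base64Decode(input, &decoded);
+}
+{
+butil::crc32c::Value(reinterpret_cast<const char*>(data), size);
+}
+{
+butil::Hash(input);
+}
+{
+butil::SHA1HashString(input);
+}
+
+return 0;
+}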
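Review bot: The size guard in `LLVMFuzzerTestOneInput` returns 1, but libFuzzer expects a fuzz target to return 0 (values other than 0 and -1 are reserved), so the early exit should be `return 0;`; the same guard is copied into fuzz_esp.cpp, fuzz_hpack.cpp, fuzz_http.cpp, fuzz_hulu.cpp and fuzz_json.cpp. The `kMinInputLength` of 5 also keeps empty and 1–4 byte inputs away from `Base64Encode`/`Base64Decode`, which is where padding edge cases sit, so this harness would be better with no lower bound. Because `encoded` is never read, the encode call can only catch crashes; a round-trip check such as `if (!butil::Base64Decode(encoded, &decoded) || decoded != input) abort();` would turn it into a correctness oracle.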
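--- a/test/fuzzing/fuzz_butil_seed_corpus/base64_decoded.txt
+++ b/test/fuzzing/fuzz_butil_seed_corpus/base64_decoded.txt
@@ -0,0 +1 @@
+aGVsbG8gd29ybGQ=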
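--- a/test/fuzzing/fuzz_butil_seed_corpus/base64_encoded.txt
+++ b/test/fuzzing/fuzz_butil_seed_corpus/base64_encoded.txt
@@ -0,0 +1 @@
+hello world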
Binary file added test/fuzzing/fuzz_butil_seed_corpus/crc32c.data
Binary file not shown.
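--- a/test/fuzzing/fuzz_esp.cpp
+++ b/test/fuzzing/fuzz_esp.cpp
@@ -0,0 +1,38 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "brpc/policy/esp_protocol.h"
+
+#define kMinInputLength 5
+#define kMaxInputLength 1024
+
+extern "C" int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+if (size < kMinInputLength || size > kMaxInputLength){
+return 1;
+}
+
+std::string input(reinterpret_cast<const char*>(data), size);
+
+butil::IOBuf buf;
+buf.append(input);
+
+brpc::policy::ParseEspMessage(&buf, NULL, false, NULL);
+
+return 0;
+}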
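Review bot: The result of `brpc::policy::ParseEspMessage(&buf, NULL, false, NULL)` is dropped, so if a successful parse hands back an owned message object (the return type is not visible on this page, so this is inferred) it is never released and accumulates across iterations, which distorts leak reports and memory limits in long fuzzing runs. The harness should keep the result and release the message on success. A short comment such as `// socket and arg are unused by the parser under test, so NULL is passed deliberately` would also record why the NULL arguments are safe, once that has been confirmed against the parser. fuzz_hulu.cpp calls `ParseHuluMessage` in the same way.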
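--- a/test/fuzzing/fuzz_hpack.cpp
+++ b/test/fuzzing/fuzz_hpack.cpp
@@ -0,0 +1,43 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "brpc/details/hpack.h"
+#include "butil/logging.h"
+
+#define kMinInputLength 5
+#define kMaxInputLength 1024
+
+extern "C" int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+if (size < kMinInputLength || size > kMaxInputLength){
+return 1;
+}
+
+std::string input(reinterpret_cast<const char*>(data), size);
+
+butil::IOBuf buf;
+brpc::HPacker p2;
+brpc::HPacker::Header h2;
+
+p2.Init(4096);
+buf.append(input);
+
+p2.Decode(&buf, &h2);
+
+return 0;
+}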
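Review bot: `p2.Decode(&buf, &h2)` is called once, so only the first header field of each input is decoded, while at least one of the seed inputs added with this harness (the 302 response block) holds several fields; everything after the first field, including lookups into the dynamic table built by earlier fields, goes unexercised. Assuming `Decode` consumes the bytes it parsed from `buf` and returns a positive count on success (worth confirming in hpack.h before adopting), `while (!buf.empty() && p2.Decode(&buf, &h2) > 0) {}` would cover the whole block. The return value of `p2.Init(4096)` is also ignored; checking it and returning 0 on failure keeps a half-initialised decoder from reaching `Decode`.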
@@ -0,0 +1 @@
passwordsecret
@@ -0,0 +1,2 @@
@
custom-keycustom-header
@@ -0,0 +1 @@
 /sample/path
@@ -0,0 +1,2 @@
‚‡…¿@
custom-key custom-value
@@ -0,0 +1 @@
H302XprivateaMon, 21 Oct 2013 20:13:21 GMTnhttps://www.example.com
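--- a/test/fuzzing/fuzz_http.cpp
+++ b/test/fuzzing/fuzz_http.cpp
@@ -0,0 +1,45 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "brpc/details/http_message.h"
+#include "brpc/policy/http_rpc_protocol.h"
+
+#define kMinInputLength 5
+#define kMaxInputLength 1024
+
+extern "C" int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+if (size < kMinInputLength || size > kMaxInputLength){
+return 1;
+}
+
+std::string input(reinterpret_cast<const char*>(data), size);
+
+{
+butil::IOBuf buf;
+buf.append(input);
+brpc::HttpMessage http_message;
+http_message.ParseFromIOBuf(buf);
+}
+{
+brpc::HttpMessage http_message;
+http_message.ParseFromArray((char *)data, size);
+}
+
+return 0;
+}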
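Review bot: `http_message.ParseFromArray((char *)data, size)` uses a C-style cast that strips `const` from libFuzzer's input buffer, which a fuzz target must never modify; any write through that pointer would corrupt the engine's copy of the input instead of being flagged. The harness already owns a copy in `input`, so `http_message.ParseFromArray(input.data(), input.size());` avoids the cast (this assumes the parameter is `const char*`, which is not visible on this page). fuzz_json.cpp has the same cast in `std::string input_data((char *)data,size);`, where `reinterpret_cast<const char*>(data)` would match the other harnesses.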
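--- a/test/fuzzing/fuzz_http_seed_corpus/http_request.http
+++ b/test/fuzzing/fuzz_http_seed_corpus/http_request.http
@@ -0,0 +1,9 @@
+GET /path/file.html?sdfsdf=sdfs HTTP/1.0
+From: someuser@jmarshall.com
+User-Agent: HTTPTool/1.0
+Content-Type: json
+Content-Length: 19
+Host: sdlfjslfd
+Accept: */*
+
+Message Body sdfsdf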
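--- a/test/fuzzing/fuzz_http_seed_corpus/http_request_v2.http
+++ b/test/fuzzing/fuzz_http_seed_corpus/http_request_v2.http
@@ -0,0 +1,23 @@
+GET /CloudApiControl/HttpServer/telematics/v3/weather?location=%E6%B5%B7%E5%8D%97%E7%9C%81%E7%9B%B4%E8%BE%96%E5%8E%BF%E7%BA%A7%E8%A1%8C%E6%94%BF%E5%8D%95%E4%BD%8D&output=json&ak=0l3FSP6qA0WbOzGRaafbmczS HTTP/1.1
+X-Host: api.map.baidu.com
+X-Forwarded-Proto: http
+Host: api.map.baidu.com
+User-Agent: IME/Android/4.4.2/N80.QHD.LT.X10.V3/N80.QHD.LT.X10.V3.20150812.031915
+Accept: application/json
+Accept-Charset: UTF-8,*;q=0.5
+Accept-Encoding: deflate,sdch
+Accept-Language: zh-CN,en-US;q=0.8,zh;q=0.6
+Bfe-Atk: NORMAL_BROWSER
+Bfe_logid: 8767802212038413243
+Bfeip: 10.26.124.40
+CLIENTIP: 119.29.102.26
+CLIENTPORT: 59863
+Cache-Control: max-age=0
+Content-Type: application/json;charset=utf8
+X-Forwarded-For: 119.29.102.26
+X-Forwarded-Port: 59863
+X-Ime-Imei: 35629601890905
+X_BD_LOGID: 3959476981
+X_BD_LOGID64: 16815814797661447369
+X_BD_PRODUCT: map
+X_BD_SUBSYS: apimap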
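Review bot: This seed looks like captured traffic rather than a synthetic request: the request line carries an `ak=` query parameter shaped like an API key, `CLIENTIP`/`X-Forwarded-For`/`Bfeip` hold concrete addresses, and `X-Ime-Imei` holds a device identifier. If any of these are real, they are now published in the repository and copied into every corpus derived from it, so the key should be treated as exposed and rotated. Replacing the values with obviously fake ones of the same length and shape (documentation-range addresses, a placeholder key) keeps the parser coverage identical.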
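--- a/test/fuzzing/fuzz_hulu.cpp
+++ b/test/fuzzing/fuzz_hulu.cpp
@@ -0,0 +1,38 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "brpc/policy/hulu_pbrpc_protocol.h"
+
+#define kMinInputLength 5
+#define kMaxInputLength 1024
+
+extern "C" int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+if (size < kMinInputLength || size > kMaxInputLength){
+return 1;
+}
+
+std::string input(reinterpret_cast<const char*>(data), size);
+
+butil::IOBuf buf;
+buf.append(input);
+
+brpc::policy::ParseHuluMessage(&buf, NULL, false, NULL);
+
+return 0;
+}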
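--- a/test/fuzzing/fuzz_json.cpp
+++ b/test/fuzzing/fuzz_json.cpp
@@ -0,0 +1,37 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "json2pb/json_to_pb.h"
+#include "addressbook1.pb.h"
+
+#define kMinInputLength 5
+#define kMaxInputLength 1024
+
+extern "C" int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+if (size < kMinInputLength || size > kMaxInputLength){
+return 1;
+}
+
+std::string error;
+JsonContextBody jsondata;
+std::string input_data((char *)data,size);
+json2pb::JsonToProtoMessage(input_data, &jsondata, &error);
+
+return 0;
+}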
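Review bot: The result of `json2pb::JsonToProtoMessage(input_data, &jsondata, &error)` is ignored and nothing reads `jsondata` afterwards, so this harness only reaches the JSON-to-protobuf direction and can only report crashes inside the parser. When the call succeeds, serialising `jsondata` back to JSON with the library's protobuf-to-JSON function would put fuzz-derived messages through the writer as well, at the cost of one extra include. A one-line comment above `JsonContextBody jsondata;` saying that the type comes from the test proto `addressbook1.pb.h` would also help readers who do not know the test tree.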
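--- a/test/fuzzing/fuzz_json_seed_corpus/info1.json
+++ b/test/fuzzing/fuzz_json_seed_corpus/info1.json
@@ -0,0 +1 @@
+{"judge":false, "spur":-2, "data":[], "info":[],"content":[]}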
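--- a/test/fuzzing/fuzz_json_seed_corpus/info2.json
+++ b/test/fuzzing/fuzz_json_seed_corpus/info2.json
@@ -0,0 +1 @@
+[{"container": 1000, "host": 1000, "size": 2}]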
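--- a/test/fuzzing/fuzz_json_seed_corpus/info3.json
+++ b/test/fuzzing/fuzz_json_seed_corpus/info3.json
@@ -0,0 +1 @@
+{"content":[{"distance":1,"unknown_member":2,"ext":{"age":1666666666, "databyte":"d2VsY29tZQ==", "enumtype":1},"uid":"someone"},{"distance":10,"unknown_member":20,"ext":{"age":1666666660, "databyte":"d2VsY29tZQ==","enumtype":2},"uid":"someone0"}], "judge":false,"spur":2, "data":[1,2,3,4,5,6,7,8,9,10]}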