Rooba
/
oss-fuzz
mirror of https://github.com/google/oss-fuzz.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity
oss-fuzz/projects/urllib3/fuzz_requests.py

146 lines
4.2 KiB
Python
Raw Normal View History

Adding urllib3 requests coverage (#9793) This change added a new fuzzer `fuzz_requests`. This fuzzes the `.request` method in urllib3, which opens a lot more coverage. <img width="653" alt="image" src="https://user-images.githubusercontent.com/5122866/221026547-8097ef14-bc21-4e4e-a5ab-573048259576.png"> I have created a python `HTTPServer` that provides fuzzed responses to all the different request types. And I try and drive different combinations of requests including mixes of headers, bodies and request types. This gives a nice improvement on current coverage levels [urllib3 fuzz inspector report 2023-02-23](https://storage.googleapis.com/oss-fuzz-introspector/urllib3/inspector-report/20230223/fuzz_report.html).
2023-02-28 10:49:16 +00:00
#!/usr/bin/python3
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import atheris
from http.server import BaseHTTPRequestHandler, HTTPServer
Fixing urllib3 port binding crash (#9958) I've managed to recreate the issue that was stopping the `fuzz_requests` coverage on `urllib3` ( see #9863 ) The issues not visible running introspector locally but can be see in clusterfuzzlite which is a port binding error. This change randomises the port that's used and ensures that it can bind to it before fuzzing starts. Change is tested and demonstrated as working here [sg3-141-592/urllib3 - ClusterFuzzLite PR fuzzing](https://github.com/sg3-141-592/urllib3/actions/runs/4466205991/jobs/7844093473?pr=1). Also I've changed the style of the main block and atheris to be consistent with the other fuzzers added lately.
2023-03-20 15:09:52 +00:00
import random
Adding urllib3 requests coverage (#9793) This change added a new fuzzer `fuzz_requests`. This fuzzes the `.request` method in urllib3, which opens a lot more coverage. <img width="653" alt="image" src="https://user-images.githubusercontent.com/5122866/221026547-8097ef14-bc21-4e4e-a5ab-573048259576.png"> I have created a python `HTTPServer` that provides fuzzed responses to all the different request types. And I try and drive different combinations of requests including mixes of headers, bodies and request types. This gives a nice improvement on current coverage levels [urllib3 fuzz inspector report 2023-02-23](https://storage.googleapis.com/oss-fuzz-introspector/urllib3/inspector-report/20230223/fuzz_report.html).
2023-02-28 10:49:16 +00:00
import sys
import threading
Fixing urllib3 port binding crash (#9958) I've managed to recreate the issue that was stopping the `fuzz_requests` coverage on `urllib3` ( see #9863 ) The issues not visible running introspector locally but can be see in clusterfuzzlite which is a port binding error. This change randomises the port that's used and ensures that it can bind to it before fuzzing starts. Change is tested and demonstrated as working here [sg3-141-592/urllib3 - ClusterFuzzLite PR fuzzing](https://github.com/sg3-141-592/urllib3/actions/runs/4466205991/jobs/7844093473?pr=1). Also I've changed the style of the main block and atheris to be consistent with the other fuzzers added lately.
2023-03-20 15:09:52 +00:00
import urllib3
Adding urllib3 requests coverage (#9793) This change added a new fuzzer `fuzz_requests`. This fuzzes the `.request` method in urllib3, which opens a lot more coverage. <img width="653" alt="image" src="https://user-images.githubusercontent.com/5122866/221026547-8097ef14-bc21-4e4e-a5ab-573048259576.png"> I have created a python `HTTPServer` that provides fuzzed responses to all the different request types. And I try and drive different combinations of requests including mixes of headers, bodies and request types. This gives a nice improvement on current coverage levels [urllib3 fuzz inspector report 2023-02-23](https://storage.googleapis.com/oss-fuzz-introspector/urllib3/inspector-report/20230223/fuzz_report.html).
2023-02-28 10:49:16 +00:00
urllib3 performance improvements (#10115) While investigating the urllib3 performance with the `fuzz_requests` I saw that a lot of tests had been failing with timeouts. I had some misunderstandings about how oss-fuzz works and that you need light and quick implementations for the fuzzer to work effectively. Doing some local testing a single iteration of the fuzzer was taking as long as 90 seconds. This change updates the `urllib3` timeouts to be far shorter and reduces the number of requests the fuzzer tries to do in a single iteration. This should bring us under the 25 second timeout and hopefully get this fuzzer closer to working.
2023-04-20 08:43:42 +00:00
PORT = -1
Adding urllib3 requests coverage (#9793) This change added a new fuzzer `fuzz_requests`. This fuzzes the `.request` method in urllib3, which opens a lot more coverage. <img width="653" alt="image" src="https://user-images.githubusercontent.com/5122866/221026547-8097ef14-bc21-4e4e-a5ab-573048259576.png"> I have created a python `HTTPServer` that provides fuzzed responses to all the different request types. And I try and drive different combinations of requests including mixes of headers, bodies and request types. This gives a nice improvement on current coverage levels [urllib3 fuzz inspector report 2023-02-23](https://storage.googleapis.com/oss-fuzz-introspector/urllib3/inspector-report/20230223/fuzz_report.html).
2023-02-28 10:49:16 +00:00
GLOBAL_RESPONSE_MESSAGE = ""
GLOBAL_RESPONSE_CODE = 0
GLOBAL_CONTENT_ENCODING = None
class handler(BaseHTTPRequestHandler):
def send_fuzzed_response(self):
self.send_response(GLOBAL_RESPONSE_CODE)
self.send_header("content-type", "text/html")
if GLOBAL_CONTENT_ENCODING:
self.send_header("content-encoding", GLOBAL_CONTENT_ENCODING)
self.end_headers()
self.wfile.write(bytes(GLOBAL_RESPONSE_MESSAGE, "utf-8"))
def do_GET(self):
self.send_fuzzed_response()
def do_POST(self):
self.send_fuzzed_response()
def do_PUT(self):
self.send_fuzzed_response()
def do_PATCH(self):
self.send_fuzzed_response()
def do_OPTIONS(self):
self.send_fuzzed_response()
def do_DELETE(self):
self.send_fuzzed_response()
def do_HEAD(self):
self.send_fuzzed_response()
# Supress HTTP log output
def log_request(self, code="-", size="-"):
return
Attempted fix for urllib3 crashes (#10022) We've still got an issue with crashes on the urllib3 requests test that uses the mock HTTP server. Fix #9958 to handle port mapping errors didn't resolve it. I got a feeling there's an ordering issue. Looking at the error logs [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56500#c2](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56500#c2) there appears to be an issue where we're throwing exceptions before the coverage completes. ``` === Uncaught Python exception: === --   | MaxRetryError: HTTPConnectionPool(host='localhost', port=8011): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f4cdf33d1f0>: Failed to establish a new connection: [Errno 101] Network is unreachable'))   | Traceback (most recent call last):   | File "fuzz_requests.py", line 109, in TestOneInput   | File "urllib3/_request_methods.py", line 118, in request   | File "urllib3/_request_methods.py", line 217, in request_encode_body   | File "urllib3/poolmanager.py", line 433, in urlopen   | File "urllib3/connectionpool.py", line 874, in urlopen   | File "urllib3/connectionpool.py", line 874, in urlopen   | File "urllib3/connectionpool.py", line 874, in urlopen   | File "urllib3/connectionpool.py", line 844, in urlopen   | File "urllib3/util/retry.py", line 505, in increment   | MaxRetryError: HTTPConnectionPool(host='localhost', port=8011): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f4cdf33d1f0>: Failed to establish a new connection: [Errno 101] Network is unreachable'))   |     | INFO: Instrumenting 3854 functions...   | INFO: Instrumentation complete.   | ==10674== ERROR: libFuzzer: fuzz target exited   | #0 0x7f4ce0bac694 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/ubsan/ubsan_diag_standalone.cpp:31:3   | #1 0x7f4ce0b2df48 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5   | #2 0x7f4ce0b12cdc in fuzzer::Fuzzer::ExitCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:250:3   | #3 0x7f4ce09068a6 in __run_exit_handlers /build/glibc-SzIz7B/glibc-2.31/stdlib/exit.c:108:8   | #4 0x7f4ce0906a5f in exit /build/glibc-SzIz7B/glibc-2.31/stdlib/exit.c:139:3   | #5 0x7f4ce03b2c78 in libpython3.8.so.1.0   | #6 0x7f4ce03b76cf in libpython3.8.so.1.0   | #7 0x403ad2 in fuzz_requests.pkg   | #8 0x403e67 in fuzz_requests.pkg   | #9 0x7f4ce08e4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16   | #10 0x40249d in fuzz_requests.pkg   |     | SUMMARY: libFuzzer: fuzz target exited ``` This is an attempted fix inspired by the requests [fuzz_server.py](https://github.com/google/oss-fuzz/blob/master/projects/requests/fuzz_server.py) where the lifecycle of the test thread is managed within the server. Since the web server is created at the start of `TestOneInput` I don't expect there to be any timing issues or thread initialisation issues.
2023-04-05 10:32:38 +00:00
class StoppableHTTPServer(HTTPServer):
def run(self):
try:
self.serve_forever()
finally:
self.server_close()
Adding urllib3 requests coverage (#9793) This change added a new fuzzer `fuzz_requests`. This fuzzes the `.request` method in urllib3, which opens a lot more coverage. <img width="653" alt="image" src="https://user-images.githubusercontent.com/5122866/221026547-8097ef14-bc21-4e4e-a5ab-573048259576.png"> I have created a python `HTTPServer` that provides fuzzed responses to all the different request types. And I try and drive different combinations of requests including mixes of headers, bodies and request types. This gives a nice improvement on current coverage levels [urllib3 fuzz inspector report 2023-02-23](https://storage.googleapis.com/oss-fuzz-introspector/urllib3/inspector-report/20230223/fuzz_report.html).
2023-02-28 10:49:16 +00:00
REQUEST_METHODS = ["POST", "GET", "HEAD", "PUT", "DELETE", "OPTIONS", "PATCH"]
CONTENT_ENCODING_TYPES = [None, "gzip", "deflate"]
def TestOneInput(input_bytes):
Attempted fix for urllib3 crashes (#10022) We've still got an issue with crashes on the urllib3 requests test that uses the mock HTTP server. Fix #9958 to handle port mapping errors didn't resolve it. I got a feeling there's an ordering issue. Looking at the error logs [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56500#c2](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56500#c2) there appears to be an issue where we're throwing exceptions before the coverage completes. ``` === Uncaught Python exception: === --   | MaxRetryError: HTTPConnectionPool(host='localhost', port=8011): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f4cdf33d1f0>: Failed to establish a new connection: [Errno 101] Network is unreachable'))   | Traceback (most recent call last):   | File "fuzz_requests.py", line 109, in TestOneInput   | File "urllib3/_request_methods.py", line 118, in request   | File "urllib3/_request_methods.py", line 217, in request_encode_body   | File "urllib3/poolmanager.py", line 433, in urlopen   | File "urllib3/connectionpool.py", line 874, in urlopen   | File "urllib3/connectionpool.py", line 874, in urlopen   | File "urllib3/connectionpool.py", line 874, in urlopen   | File "urllib3/connectionpool.py", line 844, in urlopen   | File "urllib3/util/retry.py", line 505, in increment   | MaxRetryError: HTTPConnectionPool(host='localhost', port=8011): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f4cdf33d1f0>: Failed to establish a new connection: [Errno 101] Network is unreachable'))   |     | INFO: Instrumenting 3854 functions...   | INFO: Instrumentation complete.   | ==10674== ERROR: libFuzzer: fuzz target exited   | #0 0x7f4ce0bac694 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/ubsan/ubsan_diag_standalone.cpp:31:3   | #1 0x7f4ce0b2df48 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5   | #2 0x7f4ce0b12cdc in fuzzer::Fuzzer::ExitCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:250:3   | #3 0x7f4ce09068a6 in __run_exit_handlers /build/glibc-SzIz7B/glibc-2.31/stdlib/exit.c:108:8   | #4 0x7f4ce0906a5f in exit /build/glibc-SzIz7B/glibc-2.31/stdlib/exit.c:139:3   | #5 0x7f4ce03b2c78 in libpython3.8.so.1.0   | #6 0x7f4ce03b76cf in libpython3.8.so.1.0   | #7 0x403ad2 in fuzz_requests.pkg   | #8 0x403e67 in fuzz_requests.pkg   | #9 0x7f4ce08e4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16   | #10 0x40249d in fuzz_requests.pkg   |     | SUMMARY: libFuzzer: fuzz target exited ``` This is an attempted fix inspired by the requests [fuzz_server.py](https://github.com/google/oss-fuzz/blob/master/projects/requests/fuzz_server.py) where the lifecycle of the test thread is managed within the server. Since the web server is created at the start of `TestOneInput` I don't expect there to be any timing issues or thread initialisation issues.
2023-04-05 10:32:38 +00:00
global GLOBAL_RESPONSE_MESSAGE, GLOBAL_RESPONSE_CODE, GLOBAL_CONTENT_ENCODING, PORT
Adding urllib3 requests coverage (#9793) This change added a new fuzzer `fuzz_requests`. This fuzzes the `.request` method in urllib3, which opens a lot more coverage. <img width="653" alt="image" src="https://user-images.githubusercontent.com/5122866/221026547-8097ef14-bc21-4e4e-a5ab-573048259576.png"> I have created a python `HTTPServer` that provides fuzzed responses to all the different request types. And I try and drive different combinations of requests including mixes of headers, bodies and request types. This gives a nice improvement on current coverage levels [urllib3 fuzz inspector report 2023-02-23](https://storage.googleapis.com/oss-fuzz-introspector/urllib3/inspector-report/20230223/fuzz_report.html).
2023-02-28 10:49:16 +00:00
urllib3 performance improvements (#10115) While investigating the urllib3 performance with the `fuzz_requests` I saw that a lot of tests had been failing with timeouts. I had some misunderstandings about how oss-fuzz works and that you need light and quick implementations for the fuzzer to work effectively. Doing some local testing a single iteration of the fuzzer was taking as long as 90 seconds. This change updates the `urllib3` timeouts to be far shorter and reduces the number of requests the fuzzer tries to do in a single iteration. This should bring us under the 25 second timeout and hopefully get this fuzzer closer to working.
2023-04-20 08:43:42 +00:00
timeout = urllib3.util.Timeout(connect=0.1, read=0.1)
Updating calling of urllib3 pool manager (#10051) We're having the issue where the introspector isn't able to see renamed imports (e.g. `from .poolmanager import PoolManager, ProxyManager, proxy_from_url`). I've called `urllib3.poolmanager.PoolManager` instead of `urllib3.PoolManager` which has included the `PoolManager` coverage in the analysis.
2023-04-10 10:20:01 +00:00
urllib_pool = urllib3.poolmanager.PoolManager(timeout=timeout)
Adding urllib3 requests coverage (#9793) This change added a new fuzzer `fuzz_requests`. This fuzzes the `.request` method in urllib3, which opens a lot more coverage. <img width="653" alt="image" src="https://user-images.githubusercontent.com/5122866/221026547-8097ef14-bc21-4e4e-a5ab-573048259576.png"> I have created a python `HTTPServer` that provides fuzzed responses to all the different request types. And I try and drive different combinations of requests including mixes of headers, bodies and request types. This gives a nice improvement on current coverage levels [urllib3 fuzz inspector report 2023-02-23](https://storage.googleapis.com/oss-fuzz-introspector/urllib3/inspector-report/20230223/fuzz_report.html).
2023-02-28 10:49:16 +00:00
Fixing urllib3 port binding crash (#9958) I've managed to recreate the issue that was stopping the `fuzz_requests` coverage on `urllib3` ( see #9863 ) The issues not visible running introspector locally but can be see in clusterfuzzlite which is a port binding error. This change randomises the port that's used and ensures that it can bind to it before fuzzing starts. Change is tested and demonstrated as working here [sg3-141-592/urllib3 - ClusterFuzzLite PR fuzzing](https://github.com/sg3-141-592/urllib3/actions/runs/4466205991/jobs/7844093473?pr=1). Also I've changed the style of the main block and atheris to be consistent with the other fuzzers added lately.
2023-03-20 15:09:52 +00:00
# Try and get an open port to run our test web server
for attempt in range(10):
try:
Attempted fix for urllib3 crashes (#10022) We've still got an issue with crashes on the urllib3 requests test that uses the mock HTTP server. Fix #9958 to handle port mapping errors didn't resolve it. I got a feeling there's an ordering issue. Looking at the error logs [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56500#c2](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56500#c2) there appears to be an issue where we're throwing exceptions before the coverage completes. ``` === Uncaught Python exception: === --   | MaxRetryError: HTTPConnectionPool(host='localhost', port=8011): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f4cdf33d1f0>: Failed to establish a new connection: [Errno 101] Network is unreachable'))   | Traceback (most recent call last):   | File "fuzz_requests.py", line 109, in TestOneInput   | File "urllib3/_request_methods.py", line 118, in request   | File "urllib3/_request_methods.py", line 217, in request_encode_body   | File "urllib3/poolmanager.py", line 433, in urlopen   | File "urllib3/connectionpool.py", line 874, in urlopen   | File "urllib3/connectionpool.py", line 874, in urlopen   | File "urllib3/connectionpool.py", line 874, in urlopen   | File "urllib3/connectionpool.py", line 844, in urlopen   | File "urllib3/util/retry.py", line 505, in increment   | MaxRetryError: HTTPConnectionPool(host='localhost', port=8011): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f4cdf33d1f0>: Failed to establish a new connection: [Errno 101] Network is unreachable'))   |     | INFO: Instrumenting 3854 functions...   | INFO: Instrumentation complete.   | ==10674== ERROR: libFuzzer: fuzz target exited   | #0 0x7f4ce0bac694 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/ubsan/ubsan_diag_standalone.cpp:31:3   | #1 0x7f4ce0b2df48 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5   | #2 0x7f4ce0b12cdc in fuzzer::Fuzzer::ExitCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:250:3   | #3 0x7f4ce09068a6 in __run_exit_handlers /build/glibc-SzIz7B/glibc-2.31/stdlib/exit.c:108:8   | #4 0x7f4ce0906a5f in exit /build/glibc-SzIz7B/glibc-2.31/stdlib/exit.c:139:3   | #5 0x7f4ce03b2c78 in libpython3.8.so.1.0   | #6 0x7f4ce03b76cf in libpython3.8.so.1.0   | #7 0x403ad2 in fuzz_requests.pkg   | #8 0x403e67 in fuzz_requests.pkg   | #9 0x7f4ce08e4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16   | #10 0x40249d in fuzz_requests.pkg   |     | SUMMARY: libFuzzer: fuzz target exited ``` This is an attempted fix inspired by the requests [fuzz_server.py](https://github.com/google/oss-fuzz/blob/master/projects/requests/fuzz_server.py) where the lifecycle of the test thread is managed within the server. Since the web server is created at the start of `TestOneInput` I don't expect there to be any timing issues or thread initialisation issues.
2023-04-05 10:32:38 +00:00
PORT = random.randint(8000, 9999)
server = StoppableHTTPServer(("127.0.0.1", PORT), handler)
t1 = threading.Thread(None, server.run)
t1.start()
Fixing urllib3 port binding crash (#9958) I've managed to recreate the issue that was stopping the `fuzz_requests` coverage on `urllib3` ( see #9863 ) The issues not visible running introspector locally but can be see in clusterfuzzlite which is a port binding error. This change randomises the port that's used and ensures that it can bind to it before fuzzing starts. Change is tested and demonstrated as working here [sg3-141-592/urllib3 - ClusterFuzzLite PR fuzzing](https://github.com/sg3-141-592/urllib3/actions/runs/4466205991/jobs/7844093473?pr=1). Also I've changed the style of the main block and atheris to be consistent with the other fuzzers added lately.
2023-03-20 15:09:52 +00:00
break
Attempted fix for urllib3 crashes (#10022) We've still got an issue with crashes on the urllib3 requests test that uses the mock HTTP server. Fix #9958 to handle port mapping errors didn't resolve it. I got a feeling there's an ordering issue. Looking at the error logs [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56500#c2](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56500#c2) there appears to be an issue where we're throwing exceptions before the coverage completes. ``` === Uncaught Python exception: === --   | MaxRetryError: HTTPConnectionPool(host='localhost', port=8011): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f4cdf33d1f0>: Failed to establish a new connection: [Errno 101] Network is unreachable'))   | Traceback (most recent call last):   | File "fuzz_requests.py", line 109, in TestOneInput   | File "urllib3/_request_methods.py", line 118, in request   | File "urllib3/_request_methods.py", line 217, in request_encode_body   | File "urllib3/poolmanager.py", line 433, in urlopen   | File "urllib3/connectionpool.py", line 874, in urlopen   | File "urllib3/connectionpool.py", line 874, in urlopen   | File "urllib3/connectionpool.py", line 874, in urlopen   | File "urllib3/connectionpool.py", line 844, in urlopen   | File "urllib3/util/retry.py", line 505, in increment   | MaxRetryError: HTTPConnectionPool(host='localhost', port=8011): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f4cdf33d1f0>: Failed to establish a new connection: [Errno 101] Network is unreachable'))   |     | INFO: Instrumenting 3854 functions...   | INFO: Instrumentation complete.   | ==10674== ERROR: libFuzzer: fuzz target exited   | #0 0x7f4ce0bac694 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/ubsan/ubsan_diag_standalone.cpp:31:3   | #1 0x7f4ce0b2df48 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5   | #2 0x7f4ce0b12cdc in fuzzer::Fuzzer::ExitCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:250:3   | #3 0x7f4ce09068a6 in __run_exit_handlers /build/glibc-SzIz7B/glibc-2.31/stdlib/exit.c:108:8   | #4 0x7f4ce0906a5f in exit /build/glibc-SzIz7B/glibc-2.31/stdlib/exit.c:139:3   | #5 0x7f4ce03b2c78 in libpython3.8.so.1.0   | #6 0x7f4ce03b76cf in libpython3.8.so.1.0   | #7 0x403ad2 in fuzz_requests.pkg   | #8 0x403e67 in fuzz_requests.pkg   | #9 0x7f4ce08e4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16   | #10 0x40249d in fuzz_requests.pkg   |     | SUMMARY: libFuzzer: fuzz target exited ``` This is an attempted fix inspired by the requests [fuzz_server.py](https://github.com/google/oss-fuzz/blob/master/projects/requests/fuzz_server.py) where the lifecycle of the test thread is managed within the server. Since the web server is created at the start of `TestOneInput` I don't expect there to be any timing issues or thread initialisation issues.
2023-04-05 10:32:38 +00:00
except OSError:
pass
Adding urllib3 requests coverage (#9793) This change added a new fuzzer `fuzz_requests`. This fuzzes the `.request` method in urllib3, which opens a lot more coverage. <img width="653" alt="image" src="https://user-images.githubusercontent.com/5122866/221026547-8097ef14-bc21-4e4e-a5ab-573048259576.png"> I have created a python `HTTPServer` that provides fuzzed responses to all the different request types. And I try and drive different combinations of requests including mixes of headers, bodies and request types. This gives a nice improvement on current coverage levels [urllib3 fuzz inspector report 2023-02-23](https://storage.googleapis.com/oss-fuzz-introspector/urllib3/inspector-report/20230223/fuzz_report.html).
2023-02-28 10:49:16 +00:00
Attempted fix for urllib3 crashes (#10022) We've still got an issue with crashes on the urllib3 requests test that uses the mock HTTP server. Fix #9958 to handle port mapping errors didn't resolve it. I got a feeling there's an ordering issue. Looking at the error logs [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56500#c2](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56500#c2) there appears to be an issue where we're throwing exceptions before the coverage completes. ``` === Uncaught Python exception: === --   | MaxRetryError: HTTPConnectionPool(host='localhost', port=8011): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f4cdf33d1f0>: Failed to establish a new connection: [Errno 101] Network is unreachable'))   | Traceback (most recent call last):   | File "fuzz_requests.py", line 109, in TestOneInput   | File "urllib3/_request_methods.py", line 118, in request   | File "urllib3/_request_methods.py", line 217, in request_encode_body   | File "urllib3/poolmanager.py", line 433, in urlopen   | File "urllib3/connectionpool.py", line 874, in urlopen   | File "urllib3/connectionpool.py", line 874, in urlopen   | File "urllib3/connectionpool.py", line 874, in urlopen   | File "urllib3/connectionpool.py", line 844, in urlopen   | File "urllib3/util/retry.py", line 505, in increment   | MaxRetryError: HTTPConnectionPool(host='localhost', port=8011): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f4cdf33d1f0>: Failed to establish a new connection: [Errno 101] Network is unreachable'))   |     | INFO: Instrumenting 3854 functions...   | INFO: Instrumentation complete.   | ==10674== ERROR: libFuzzer: fuzz target exited   | #0 0x7f4ce0bac694 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/ubsan/ubsan_diag_standalone.cpp:31:3   | #1 0x7f4ce0b2df48 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5   | #2 0x7f4ce0b12cdc in fuzzer::Fuzzer::ExitCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:250:3   | #3 0x7f4ce09068a6 in __run_exit_handlers /build/glibc-SzIz7B/glibc-2.31/stdlib/exit.c:108:8   | #4 0x7f4ce0906a5f in exit /build/glibc-SzIz7B/glibc-2.31/stdlib/exit.c:139:3   | #5 0x7f4ce03b2c78 in libpython3.8.so.1.0   | #6 0x7f4ce03b76cf in libpython3.8.so.1.0   | #7 0x403ad2 in fuzz_requests.pkg   | #8 0x403e67 in fuzz_requests.pkg   | #9 0x7f4ce08e4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16   | #10 0x40249d in fuzz_requests.pkg   |     | SUMMARY: libFuzzer: fuzz target exited ``` This is an attempted fix inspired by the requests [fuzz_server.py](https://github.com/google/oss-fuzz/blob/master/projects/requests/fuzz_server.py) where the lifecycle of the test thread is managed within the server. Since the web server is created at the start of `TestOneInput` I don't expect there to be any timing issues or thread initialisation issues.
2023-04-05 10:32:38 +00:00
fdp = atheris.FuzzedDataProvider(input_bytes)
Adding urllib3 requests coverage (#9793) This change added a new fuzzer `fuzz_requests`. This fuzzes the `.request` method in urllib3, which opens a lot more coverage. <img width="653" alt="image" src="https://user-images.githubusercontent.com/5122866/221026547-8097ef14-bc21-4e4e-a5ab-573048259576.png"> I have created a python `HTTPServer` that provides fuzzed responses to all the different request types. And I try and drive different combinations of requests including mixes of headers, bodies and request types. This gives a nice improvement on current coverage levels [urllib3 fuzz inspector report 2023-02-23](https://storage.googleapis.com/oss-fuzz-introspector/urllib3/inspector-report/20230223/fuzz_report.html).
2023-02-28 10:49:16 +00:00
urllib3 performance improvements (#10115) While investigating the urllib3 performance with the `fuzz_requests` I saw that a lot of tests had been failing with timeouts. I had some misunderstandings about how oss-fuzz works and that you need light and quick implementations for the fuzzer to work effectively. Doing some local testing a single iteration of the fuzzer was taking as long as 90 seconds. This change updates the `urllib3` timeouts to be far shorter and reduces the number of requests the fuzzer tries to do in a single iteration. This should bring us under the 25 second timeout and hopefully get this fuzzer closer to working.
2023-04-20 08:43:42 +00:00
BATCH_SIZE = 2
Attempted fix for urllib3 crashes (#10022) We've still got an issue with crashes on the urllib3 requests test that uses the mock HTTP server. Fix #9958 to handle port mapping errors didn't resolve it. I got a feeling there's an ordering issue. Looking at the error logs [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56500#c2](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56500#c2) there appears to be an issue where we're throwing exceptions before the coverage completes. ``` === Uncaught Python exception: === --   | MaxRetryError: HTTPConnectionPool(host='localhost', port=8011): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f4cdf33d1f0>: Failed to establish a new connection: [Errno 101] Network is unreachable'))   | Traceback (most recent call last):   | File "fuzz_requests.py", line 109, in TestOneInput   | File "urllib3/_request_methods.py", line 118, in request   | File "urllib3/_request_methods.py", line 217, in request_encode_body   | File "urllib3/poolmanager.py", line 433, in urlopen   | File "urllib3/connectionpool.py", line 874, in urlopen   | File "urllib3/connectionpool.py", line 874, in urlopen   | File "urllib3/connectionpool.py", line 874, in urlopen   | File "urllib3/connectionpool.py", line 844, in urlopen   | File "urllib3/util/retry.py", line 505, in increment   | MaxRetryError: HTTPConnectionPool(host='localhost', port=8011): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f4cdf33d1f0>: Failed to establish a new connection: [Errno 101] Network is unreachable'))   |     | INFO: Instrumenting 3854 functions...   | INFO: Instrumentation complete.   | ==10674== ERROR: libFuzzer: fuzz target exited   | #0 0x7f4ce0bac694 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/ubsan/ubsan_diag_standalone.cpp:31:3   | #1 0x7f4ce0b2df48 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5   | #2 0x7f4ce0b12cdc in fuzzer::Fuzzer::ExitCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:250:3   | #3 0x7f4ce09068a6 in __run_exit_handlers /build/glibc-SzIz7B/glibc-2.31/stdlib/exit.c:108:8   | #4 0x7f4ce0906a5f in exit /build/glibc-SzIz7B/glibc-2.31/stdlib/exit.c:139:3   | #5 0x7f4ce03b2c78 in libpython3.8.so.1.0   | #6 0x7f4ce03b76cf in libpython3.8.so.1.0   | #7 0x403ad2 in fuzz_requests.pkg   | #8 0x403e67 in fuzz_requests.pkg   | #9 0x7f4ce08e4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16   | #10 0x40249d in fuzz_requests.pkg   |     | SUMMARY: libFuzzer: fuzz target exited ``` This is an attempted fix inspired by the requests [fuzz_server.py](https://github.com/google/oss-fuzz/blob/master/projects/requests/fuzz_server.py) where the lifecycle of the test thread is managed within the server. Since the web server is created at the start of `TestOneInput` I don't expect there to be any timing issues or thread initialisation issues.
2023-04-05 10:32:38 +00:00
for iteration in range(BATCH_SIZE):
# Fuzz Http Response
GLOBAL_RESPONSE_MESSAGE = fdp.ConsumeUnicodeNoSurrogates(sys.maxsize)
GLOBAL_RESPONSE_CODE = fdp.ConsumeIntInRange(200, 599)
GLOBAL_CONTENT_ENCODING = fdp.PickValueInList(CONTENT_ENCODING_TYPES)
# Fuzz Http Request
requestType = fdp.PickValueInList(REQUEST_METHODS)
# Optionally provide request headers
requestHeaders = urllib3._collections.HTTPHeaderDict({})
for i in range(0, fdp.ConsumeIntInRange(0, 10)):
requestHeaders.add(
fdp.ConsumeString(sys.maxsize), fdp.ConsumeString(sys.maxsize)
)
requestHeaders = None if fdp.ConsumeBool() else requestHeaders
# Optionally generate form data for request
formData = {}
for i in range(0, fdp.ConsumeIntInRange(0, 100)):
formData[fdp.ConsumeString(sys.maxsize)] = fdp.ConsumeString(sys.maxsize)
formData = None if fdp.ConsumeBool() else formData
# Optionally generate request body
requestBody = None if fdp.ConsumeBool() else fdp.ConsumeString(sys.maxsize)
r = urllib_pool.request(
requestType,
f"http://localhost:{PORT}/",
headers=requestHeaders,
fields=formData,
body=requestBody,
)
r.status
r.data
r.headers
server.shutdown()
t1.join()
def main():
Fixing urllib3 port binding crash (#9958) I've managed to recreate the issue that was stopping the `fuzz_requests` coverage on `urllib3` ( see #9863 ) The issues not visible running introspector locally but can be see in clusterfuzzlite which is a port binding error. This change randomises the port that's used and ensures that it can bind to it before fuzzing starts. Change is tested and demonstrated as working here [sg3-141-592/urllib3 - ClusterFuzzLite PR fuzzing](https://github.com/sg3-141-592/urllib3/actions/runs/4466205991/jobs/7844093473?pr=1). Also I've changed the style of the main block and atheris to be consistent with the other fuzzers added lately.
2023-03-20 15:09:52 +00:00
atheris.instrument_all()
atheris.Setup(sys.argv, TestOneInput)
Adding urllib3 requests coverage (#9793) This change added a new fuzzer `fuzz_requests`. This fuzzes the `.request` method in urllib3, which opens a lot more coverage. <img width="653" alt="image" src="https://user-images.githubusercontent.com/5122866/221026547-8097ef14-bc21-4e4e-a5ab-573048259576.png"> I have created a python `HTTPServer` that provides fuzzed responses to all the different request types. And I try and drive different combinations of requests including mixes of headers, bodies and request types. This gives a nice improvement on current coverage levels [urllib3 fuzz inspector report 2023-02-23](https://storage.googleapis.com/oss-fuzz-introspector/urllib3/inspector-report/20230223/fuzz_report.html).
2023-02-28 10:49:16 +00:00
atheris.Fuzz()
Fixing urllib3 port binding crash (#9958) I've managed to recreate the issue that was stopping the `fuzz_requests` coverage on `urllib3` ( see #9863 ) The issues not visible running introspector locally but can be see in clusterfuzzlite which is a port binding error. This change randomises the port that's used and ensures that it can bind to it before fuzzing starts. Change is tested and demonstrated as working here [sg3-141-592/urllib3 - ClusterFuzzLite PR fuzzing](https://github.com/sg3-141-592/urllib3/actions/runs/4466205991/jobs/7844093473?pr=1). Also I've changed the style of the main block and atheris to be consistent with the other fuzzers added lately.
2023-03-20 15:09:52 +00:00
if __name__ == "__main__":
main()