pyodbc: initial integration (#8347)

* pyodbc: initial integration

* set up correct types in odbc driver

projects/pyodbc/Dockerfile

@@ -0,0 +1,21 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder-python
+RUN apt-get update && apt-get install -y make autoconf automake libtool unixodbc-dev
+RUN git clone --depth 1 https://github.com/mkleehammer/pyodbc
+WORKDIR pyodbc
+COPY build.sh *.py *.c $SRC/

projects/pyodbc/build.sh

@@ -0,0 +1,28 @@
+#!/bin/bash -eu
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Compile the fake odbc driver
+clang -Wno-unused-result -Wsign-compare -Wunreachable-code \
+      -fwrapv  -Wno-write-strings -fPIC \
+      -shared -I/usr/local/include/python3.8 -I$PWD/src  \
+      -o $OUT/fuzzodbc.so $SRC/fake_odbc_driver.c
+
+python3 setup.py install
+pip3 install .
+for fuzzer in $(find $SRC -name 'fuzz_*.py'); do
+  LD_PRELOAD=$OUT/sanitizer_with_fuzzer.so ASAN_OPTIONS=detect_leaks=0 compile_python_fuzzer $fuzzer --add-data $OUT/fuzzodbc.so:.
+done

projects/pyodbc/fake_odbc_driver.c

@@ -0,0 +1,46 @@
+/* Copyright 2022 Google LLC
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+      http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+/* Fake odbc driver that simply returns 0 on every call and has no side effects */
+
+#include <sql.h>
+#include <sqlext.h>
+
+SQLRETURN SQLAllocHandle(SQLSMALLINT a1, SQLHANDLE a2, SQLHANDLE *a3) {
+  return 0;
+}
+
+SQLRETURN
+SQLDriverConnect(SQLHDBC ConnectionHandle, SQLHWND WindowHandle,
+                 SQLCHAR *InConnectionString, SQLSMALLINT StringLength1,
+                 SQLCHAR *OutConnectionString, SQLSMALLINT BufferLength,
+                 SQLSMALLINT *StringLength2Ptr, SQLUSMALLINT DriverCompletion) {
+  return 0;
+}
+
+SQLRETURN SQLSetConnectAttr(SQLHDBC ConnectionHandle, SQLINTEGER Attribute,
+                            SQLPOINTER ValuePtr, SQLINTEGER StringLength) {
+  return 0;
+}
+
+SQLRETURN SQL_API SQLExecDirectW(SQLHSTMT hstmt, SQLWCHAR *szSqlStr,
+                                 SQLINTEGER cbSqlStr) {
+  return 0;
+}
+
+SQLRETURN SQL_API SQLRowCount(SQLHSTMT StatementHandle, SQLLEN *RowCount) {
+  return 0;
+}
+
+SQLRETURN SQL_API SQLNumResultCols(SQLHSTMT StatementHandle,
+                                   SQLSMALLINT *ColumnCount) {
+  return 0;
+}

projects/pyodbc/fuzz_curs_exec.py

@@ -0,0 +1,61 @@
+#!/usr/bin/python3
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Fuzzer that targets native code of pyodbc with a fake odbc driver"""
+import os
+import sys
+import atheris
+import pyodbc
+
+@atheris.instrument_func
+def fuzz_exec(data):
+    fdp = atheris.FuzzedDataProvider(data)
+    connstr = "DRIVER=FUZZ;"
+    s1 = fdp.ConsumeUnicodeNoSurrogates(50)
+    if "DRIVER" in s1:
+        return
+    cstr = connstr + s1
+    connection_obj = pyodbc.connect(cstr)
+    csr = connection_obj.cursor()
+    try:
+        csr.execute(fdp.ConsumeUnicodeNoSurrogates(20))
+    except Exception as e:
+        if "Invalid string or buffer length" in str(e):
+            pass
+        else:
+            raise e
+    return 0
+
+@atheris.instrument_func
+def TestOneInput(data):
+    try:
+        return fuzz_exec(data)
+    except SystemError:
+        return 0
+
+
+def main():
+    # Write the odbcinst.ini file
+    dir_path = os.path.dirname(os.path.realpath(__file__))
+    with open("/etc/odbcinst.ini", "w") as f:
+        f.write("[FUZZ]\n")
+        f.write("Driver=%s/fuzzodbc.so\n"%(dir_path))
+    
+    atheris.instrument_all()
+    atheris.Setup(sys.argv, TestOneInput, enable_python_coverage=True)
+    atheris.Fuzz()
+
+
+if __name__ == "__main__":
+    main()

projects/pyodbc/project.yaml

@@ -0,0 +1,11 @@
+homepage: "https://github.com/mkleehammer/pyodbc"
+language: python
+main_repo: "https://github.com/mkleehammer/pyodbc"
+fuzzing_engines:
+- libfuzzer
+sanitizers:
+- address
+- undefined
+vendor_ccs:
+- david@adalogics.com
+- adam@adalogics.com