From 6754771becb02669a6f4f3c3437986e7164c42b6 Mon Sep 17 00:00:00 2001
From: DavidKorczynski <david@adalogics.com>
Date: Fri, 19 Aug 2022 14:36:46 +0100
Subject: [PATCH] websocket-client: initial integration (#8243)

* websocket-client: initial integration

* nit
---
 projects/websocket-client/Dockerfile   | 21 ++++++++
 projects/websocket-client/build.sh     | 22 ++++++++
 projects/websocket-client/fuzz_http.py | 74 ++++++++++++++++++++++++++
 projects/websocket-client/fuzz_url.py  | 39 ++++++++++++++
 projects/websocket-client/project.yaml | 10 ++++
 5 files changed, 166 insertions(+)
 create mode 100644 projects/websocket-client/Dockerfile
 create mode 100755 projects/websocket-client/build.sh
 create mode 100644 projects/websocket-client/fuzz_http.py
 create mode 100644 projects/websocket-client/fuzz_url.py
 create mode 100644 projects/websocket-client/project.yaml

diff --git a/projects/websocket-client/Dockerfile b/projects/websocket-client/Dockerfile
new file mode 100644
index 000000000..007984fbf
--- /dev/null
+++ b/projects/websocket-client/Dockerfile
@@ -0,0 +1,21 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder-python
+RUN apt-get update && apt-get install -y make autoconf automake libtool
+RUN git clone --depth 1 https://github.com/websocket-client/websocket-client websocket-client
+WORKDIR websocket-client
+COPY build.sh *.py $SRC/
diff --git a/projects/websocket-client/build.sh b/projects/websocket-client/build.sh
new file mode 100755
index 000000000..b8fc19949
--- /dev/null
+++ b/projects/websocket-client/build.sh
@@ -0,0 +1,22 @@
+#!/bin/bash -eu
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+pip3 install .
+
+for fuzzer in $(find $SRC -name 'fuzz_*.py'); do
+  compile_python_fuzzer $fuzzer
+done
diff --git a/projects/websocket-client/fuzz_http.py b/projects/websocket-client/fuzz_http.py
new file mode 100644
index 000000000..2a0441df2
--- /dev/null
+++ b/projects/websocket-client/fuzz_http.py
@@ -0,0 +1,74 @@
+#!/usr/bin/python3
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+import sys
+import atheris
+
+from websocket._exceptions import WebSocketException
+from websocket._http import read_headers, _tunnel
+
+
+class FuzzMock:
+    """FuzzMock class inspired by SockMock"""
+    def __init__(self, packet):
+        self.data = [packet]
+        self.sent = []
+
+    def gettimeout(self):
+        return None
+
+    def recv(self, bufsize):
+        if self.data:
+            e = self.data.pop(0)
+            if isinstance(e, Exception):
+                raise e
+            if len(e) > bufsize:
+                self.data.insert(0, e[bufsize:])
+            return e[:bufsize]
+
+    def send(self, data):
+        self.sent.append(data)
+        return len(data)
+
+
+def TestOneInput(data):
+    try:
+        fdp = atheris.FuzzedDataProvider(data)
+        # Create mock socket with fuzzer-derived data.
+        mock_sock = FuzzMock(fdp.ConsumeBytes(512))
+        _tunnel(
+            mock_sock,
+            fdp.ConsumeUnicodeNoSurrogates(200),
+            fdp.ConsumeIntInRange(1, 1000),
+            (
+                fdp.ConsumeUnicodeNoSurrogates(100),
+                fdp.ConsumeUnicodeNoSurrogates(100)
+            )
+        )
+    except WebSocketException:
+        pass
+    except UnicodeDecodeError:
+        pass
+        
+    
+def main():
+    atheris.instrument_all()
+    atheris.Setup(sys.argv, TestOneInput, enable_python_coverage=True)
+    atheris.Fuzz()
+
+
+if __name__ == "__main__":
+    main()
diff --git a/projects/websocket-client/fuzz_url.py b/projects/websocket-client/fuzz_url.py
new file mode 100644
index 000000000..4c11020b9
--- /dev/null
+++ b/projects/websocket-client/fuzz_url.py
@@ -0,0 +1,39 @@
+#!/usr/bin/python3
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+import sys
+import atheris
+
+from websocket._url import parse_url
+
+def TestOneInput(data):
+    fdp = atheris.FuzzedDataProvider(data)
+    try:
+        parse_url(fdp.ConsumeUnicodeNoSurrogates(20))
+    except ValueError as e:
+        # Catch all ValueError exceptions. This is also
+        # because urllib will throw a set of them which
+        # is not visible from the websocket-client code.
+        return
+    
+def main():
+    atheris.instrument_all()
+    atheris.Setup(sys.argv, TestOneInput, enable_python_coverage=True)
+    atheris.Fuzz()
+
+
+if __name__ == "__main__":
+    main()
diff --git a/projects/websocket-client/project.yaml b/projects/websocket-client/project.yaml
new file mode 100644
index 000000000..9afb82472
--- /dev/null
+++ b/projects/websocket-client/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://github.com/websocket-client/websocket-client"
+language: python
+main_repo: "https://github.com/websocket-client/websocket-client"
+fuzzing_engines:
+  - libfuzzer
+sanitizers:
+  - address
+  - undefined
+vendor_ccs:
+  - david@adalogics.com