python-oauthlib: initial integration (#8233)

projects/g-api-py-oauthlib/Dockerfile

@@ -0,0 +1,22 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder-python
+RUN apt-get update && apt-get install -y make autoconf automake libtool
+RUN pip3 install --upgrade pip && pip3 install mock
+RUN git clone --depth 1 https://github.com/googleapis/google-auth-library-python-oauthlib
+WORKDIR google-auth-library-python-oauthlib
+COPY build.sh *.py $SRC/

projects/g-api-py-oauthlib/build.sh

@@ -0,0 +1,21 @@
+#!/bin/bash -eu
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+pip3 install .
+for fuzzer in $(find $SRC -name 'fuzz_*.py'); do
+  compile_python_fuzzer $fuzzer
+done

projects/g-api-py-oauthlib/fuzz_config.py

@@ -0,0 +1,68 @@
+#!/usr/bin/python3
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+import sys
+import mock
+import atheris
+
+import json
+import mock
+from google_auth_oauthlib import helpers
+
+
+def TestOneInput(data):
+    fdp = atheris.FuzzedDataProvider(data)
+    config_file = "conf.txt"
+    try:
+        payload = json.loads(fdp.ConsumeUnicodeNoSurrogates(1024))
+    except:
+        return
+
+    if type(payload) is not dict:
+        return
+
+    with open(config_file, "w") as f:
+        f.write(json.dumps(payload))
+
+    if not os.path.isfile(config_file):
+        return
+
+    try:
+        helpers.session_from_client_secrets_file(
+            config_file, scopes=mock.sentinel.scopes
+        )
+    except ValueError as ve:
+        legit_exceptions = [
+            "Client secrets must be for a web or installed app.",
+            "Client secrets is not in the correct format."
+        ]
+        legit = False
+        for msg in legit_exceptions:
+            if msg in str(ve):
+                legit = True
+        if not legit:
+            raise ve
+    os.remove(config_file)
+
+
+def main():
+    atheris.instrument_all()
+    atheris.Setup(sys.argv, TestOneInput, enable_python_coverage=True)
+    atheris.Fuzz()
+
+
+if __name__ == "__main__":
+    main()

projects/g-api-py-oauthlib/project.yaml

@@ -0,0 +1,10 @@
+homepage: "https://github.com/googleapis/google-auth-library-python-oauthlib"
+language: python
+main_repo: "https://github.com/googleapis/google-auth-library-python-oauthlib"
+fuzzing_engines:
+  - libfuzzer
+sanitizers:
+  - address
+  - undefined
+vendor_ccs:
+  - david@adalogics.com