first set of fuzz tests and some fixes already
rbri committed Jan 5, 2023
1 parent 2c514de commit d5dc774
Showing 12 changed files with 178 additions and 13 deletions.
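--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -14,6 +14,16 @@
 <action type="add" dev="rbri" issue="531">"
 HtmlUnit is now regulary tested by Google OSS-Fuzz.
 </action>
+<action type="fix" dev="rbri">"
+neko: Fix ArrayIndexOutOfBoundsException when parsing a incomplete
+entity reference at the end (oss-fuzz).
+</action>
+<action type="fix" dev="rbri">"
+Fix ClassCastException when parsing svg body tag (oss-fuzz).
+</action>
+<action type="fix" dev="rbri">"
+Fix ClassCastException when parsing base element with namespace (oss-fuzz).
+</action>
 <action type="fix" dev="rbri" issue="522">
 core-js: fix scope for bound functions called inside Promise.then().
 </action>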
22 changes: 10 additions & 12 deletions src/main/java/com/gargoylesoftware/htmlunit/html/HtmlPage.java
Expand Up @@ -1922,18 +1922,16 @@ static boolean isMappedElement(final Document document, final String attributeNa

private void calculateBase() {
final List<HtmlElement> baseElements = getDocumentElement().getElementsByTagName("base");
switch (baseElements.size()) {
case 0:
base_ = null;
break;

case 1:
base_ = (HtmlBase) baseElements.get(0);
break;

default:
base_ = (HtmlBase) baseElements.get(0);
notifyIncorrectness("Multiple 'base' detected, only the first is used.");

base_ = null;
for (final HtmlElement baseElement : baseElements) {
if (baseElement instanceof HtmlBase) {
if (base_ != null) {
notifyIncorrectness("Multiple 'base' detected, only the first is used.");
break;
}
base_ = (HtmlBase) baseElement;
}
}
}

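Review bot: The new loop in calculateBase silently skips any element that getElementsByTagName("base") returns but that is not an HtmlBase, and nothing in the hunk records why such elements exist, so a later reader is likely to fold the instanceof back into the cast that caused the ClassCastException; the changelog entry in this commit suggests a "base" tag with a namespace prefix is the trigger. I would add above the instanceof check: `// a "base" tag carrying a namespace prefix is not built as HtmlBase; skip it instead of casting (oss-fuzz)`. Note also that the "Multiple 'base' detected" notification is now raised only when a second HtmlBase is found, whereas the old switch raised it for any second "base" element — presumably intended, but worth stating in the commit message. The nested ifs would read more directly as a guard, `if (!(baseElement instanceof HtmlBase)) { continue; }`, followed by the duplicate check. calculateBase's closing brace appears to be the last context line of the hunk, so the method itself is fully visible but the surrounding class is not.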
Expand Up @@ -368,7 +368,7 @@ else if (headParsed_ == HeadParsed.NO && ("body".equals(tagLower) || "frameset".
oldBody.quietlyRemoveAndMoveChildrenTo(newElement);
}

if ("body".equals(tagLower)) {
if (!insideSvg_ && "body".equals(tagLower)) {
body_ = (HtmlElement) newElement;
}
else if ("meta".equals(tagLower) && page_.hasFeature(META_X_UA_COMPATIBLE)) {
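Review bot: The `!insideSvg_` guard is added only to the `"body".equals(tagLower)` assignment of body_, while the earlier branch named in the hunk header (`headParsed_ == HeadParsed.NO && ("body".equals(tagLower) || "frameset"...`) still matches on the same tagLower without it, so a `<body>` nested inside `<svg>` may still be treated as the document body on that path; worth confirming that branch either carries the same condition or cannot be reached while insideSvg_ is set. I would also leave a why-comment on the changed line: `// inside <svg> a "body" element is an ordinary SVG element, not the document body (oss-fuzz)`. The enclosing method starts and ends outside the hunk.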
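--- a/src/test/java/com/gargoylesoftware/htmlunit/fuzzer/FuzzerTest.java
+++ b/src/test/java/com/gargoylesoftware/htmlunit/fuzzer/FuzzerTest.java
@@ -0,0 +1,138 @@
+/*
+* Copyright (c) 2002-2023 Gargoyle Software Inc.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+* https://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package com.gargoylesoftware.htmlunit.fuzzer;
+
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
+
+import org.apache.commons.io.IOUtils;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import com.gargoylesoftware.htmlunit.WebClient;
+import com.gargoylesoftware.htmlunit.WebTestCase;
+import com.gargoylesoftware.htmlunit.junit.BrowserRunner;
+
+/**
+* Tests for issues reported by Google OSS-Fuzz
+* (https://github.com/google/oss-fuzz).
+*
+* @author Ronald Brill
+*/
+@RunWith(BrowserRunner.class)
+public class FuzzerTest extends WebTestCase {
+
+/**
+* https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54522.
+*
+* @throws Exception if the test fails
+*/
+@Test
+public void case54522() throws Exception {
+test("test-54522.html");
+}
+
+/**
+* https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54523.
+*
+* @throws Exception if the test fails
+*/
+@Test
+public void case54523() throws Exception {
+test("test-54523.html");
+}
+
+/**
+* https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54524.
+*
+* @throws Exception if the test fails
+*/
+@Test
+public void case54524() throws Exception {
+test("test-54524.html");
+}
+
+/**
+* https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54526.
+*
+* @throws Exception if the test fails
+*/
+@Test
+public void case54526() throws Exception {
+test("test-54526.html");
+}
+
+/**
+* https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54527.
+*
+* @throws Exception if the test fails
+*/
+@Test
+public void case54527() throws Exception {
+test("test-54527.html");
+}
+
+/**
+* https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54528.
+*
+* @throws Exception if the test fails
+*/
+@Test
+public void case54528() throws Exception {
+test("test-54528.html");
+}
+
+/**
+* https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54535.
+*
+* @throws Exception if the test fails
+*/
+@Test
+public void case54535() throws Exception {
+test("test-54535.html");
+}
+
+/**
+* https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54613.
+*
+* @throws Exception if the test fails
+*/
+@Test
+public void case54613() throws Exception {
+test("test-54613.html");
+}
+
+private void test(final String inputFileName) throws Exception {
+final InputStream file = getClass().getClassLoader()
+.getResourceAsStream("com/gargoylesoftware/htmlunit/fuzzer/" + inputFileName);
+final String input = IOUtils.toString(file, StandardCharsets.UTF_8);
+
+try (WebClient webClient = new WebClient(getBrowserVersion())) {
+webClient.loadHtmlCodeIntoCurrentWindow(input);
+
+// final WebResponse webResponse = new StringWebResponse(input, new URL("http://localhost.edu/index.html"));
+// final HtmlPage page = new HtmlPage(webResponse, webClient.getCurrentWindow());
+//
+// /*
+// * net.sourceforge.htmlunit.corejs.javascript.EvaluatorException
+// * seems to be fatal
+// */
+// webClient.getOptions().setThrowExceptionOnScriptError(false);
+//
+// webClient.getCurrentWindow().setEnclosedPage(page);
+// webClient.getPageCreator().getHtmlParser().parse(webResponse, page, false, false);
+}
+}
+}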
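Review bot: In `test`, `getResourceAsStream` returns null when the named input is missing from the test resources, which then surfaces as a NullPointerException inside IOUtils.toString with no mention of the file, and the stream is never closed; I would open it in try-with-resources and fail explicitly on a missing resource, as below. The commented-out alternative parsing path at the end of the method should either be removed or reduced to a one-line comment saying why loadHtmlCodeIntoCurrentWindow was preferred. Each case method only checks that the input parses without throwing; adding `Each case verifies only that the fuzzer input can be loaded without throwing.` to the class Javadoc would make that intent explicit for the next person adding a case.

```java
private void test(final String inputFileName) throws Exception {
    final String resource = "com/gargoylesoftware/htmlunit/fuzzer/" + inputFileName;
    final String input;
    try (InputStream file = getClass().getClassLoader().getResourceAsStream(resource)) {
        if (file == null) {
            throw new IllegalStateException("Missing fuzzer input resource: " + resource);
        }
        input = IOUtils.toString(file, StandardCharsets.UTF_8);
    }
    // … unchanged: WebClient try-with-resources and loadHtmlCodeIntoCurrentWindow …
}
```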
@@ -0,0 +1,11 @@
Ce
m<
<svg
<
:<
<td<t
:<
<td<t:body<tr<,hrome<
ÿÿÿ<html<html
<<<g<g<
sj<B<J<J<J<,<but
Binary file not shown.
@@ -0,0 +1 @@
<U,XML:SXML:&/
@@ -0,0 +1 @@
<b:bAse<bAse
Binary file not shown.
@@ -0,0 +1,5 @@
.ÄÑ<J4:head
<J4:head
<.s.ÄÑ<J4:head

<.
@@ -0,0 +1 @@
<template
Binary file not shown.
