[Fuzzing] move fuzz test in main repo add more fuzz test

Signed-off-by: Arjun Singh <[email protected]>
apache · Oct 27, 2023 · d75606c · d75606c
1 parent ba5271a
commit d75606c
Show file tree

Hide file tree

Showing 32 changed files with 577 additions and 1 deletion.
diff --git a/.licenserc.yaml b/.licenserc.yaml
@@ -214,4 +214,7 @@ header:
     # NGINX
     - 'src/brpc/details/http_parser.*'
 
+    # Fuzzing seed
+    - 'test/fuzzing/fuzz_*_seed_corpus/*'
+
   comment: on-failure
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -26,6 +26,7 @@ option(WITH_THRIFT "With thrift framed protocol supported" OFF)
 option(WITH_SNAPPY "With snappy" OFF)
 option(WITH_RDMA "With RDMA" OFF)
 option(BUILD_UNIT_TESTS "Whether to build unit tests" OFF)
+option(BUILD_FUZZ_TESTS "Whether to build fuzz tests" OFF)
 option(BUILD_BRPC_TOOLS "Whether to build brpc tools" ON)
 option(DOWNLOAD_GTEST "Download and build a fresh copy of googletest. Requires Internet access." ON)
 
@@ -478,6 +479,15 @@ if(BUILD_UNIT_TESTS)
     add_subdirectory(test)
 endif()
 
+if(BUILD_FUZZ_TESTS)
+    if(NOT CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+        message(FATAL_ERROR "Fuzzing is only supported with clang")
+    endif()
+    if(NOT BUILD_UNIT_TESTS)
+        message(FATAL_ERROR "BUILD_UNIT_TESTS must be enabled to build fuzz tests")
+    endif()
+endif()
+
 if(BUILD_BRPC_TOOLS)
     add_subdirectory(tools)
 endif()

diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
@@ -51,7 +51,7 @@ else()
     message(FATAL_ERROR "Googletest is not available")
 endif()
 
-set(CMAKE_CPP_FLAGS "${DEFINE_CLOCK_GETTIME} -DBRPC_WITH_GLOG=${WITH_GLOG_VAL} -DBRPC_WITH_RDMA=${WITH_RDMA_VAL} -DGFLAGS_NS=${GFLAGS_NS}")
+set(CMAKE_CPP_FLAGS "${CMAKE_CPP_FLAGS} ${DEFINE_CLOCK_GETTIME} -DBRPC_WITH_GLOG=${WITH_GLOG_VAL} -DBRPC_WITH_RDMA=${WITH_RDMA_VAL} -DGFLAGS_NS=${GFLAGS_NS}")
 set(CMAKE_CPP_FLAGS "${CMAKE_CPP_FLAGS} -DBTHREAD_USE_FAST_PTHREAD_MUTEX -D__const__=__unused__ -D_GNU_SOURCE -DUSE_SYMBOLIZE -DNO_TCMALLOC -D__STDC_FORMAT_MACROS -D__STDC_LIMIT_MACROS -D__STDC_CONSTANT_MACROS -DUNIT_TEST -Dprivate=public -Dprotected=public -DBVAR_NOT_LINK_DEFAULT_VARIABLES -D__STRICT_ANSI__ -include ${PROJECT_SOURCE_DIR}/test/sstream_workaround.h")
 set(CMAKE_CXX_FLAGS "${CMAKE_CPP_FLAGS} -g -O2 -pipe -Wall -W -fPIC -fstrict-aliasing -Wno-invalid-offsetof -Wno-unused-parameter -fno-omit-frame-pointer")
 use_cxx11()
@@ -253,3 +253,28 @@ foreach(BRPC_UT ${BRPC_UNITTESTS})
                                         ${GPERFTOOLS_LIBRARIES})
     add_test(NAME ${BRPC_UT_WE} COMMAND ${BRPC_UT_WE})
 endforeach()
+
+if(BUILD_FUZZ_TESTS)
+    add_library(brpc-static-debug STATIC $<TARGET_OBJECTS:BUTIL_DEBUG_LIB>
+                                        $<TARGET_OBJECTS:SOURCES_DEBUG_LIB>
+                                        $<TARGET_OBJECTS:PROTO_LIB>)
+    # change the debug lib output dir to be different from the release output
+    set_target_properties(brpc-static-debug PROPERTIES
+            LIBRARY_OUTPUT_DIRECTORY ${PROJECT_BINARY_DIR}/test)
+
+    target_link_libraries(brpc-static-debug ${DYNAMIC_LIB})
+    if(BRPC_WITH_GLOG)
+        target_link_libraries(brpc-static-debug ${GLOG_LIB})
+    endif()
+
+    set(FUZZ_TARGETS fuzz_butil fuzz_esp fuzz_hpack fuzz_http
+        fuzz_hulu fuzz_json fuzz_redis fuzz_shead fuzz_sofa fuzz_uri)
+
+    foreach(target ${FUZZ_TARGETS})
+        add_executable(${target} fuzzing/${target}.cpp $<TARGET_OBJECTS:TEST_PROTO_LIB>)
+        target_link_libraries(${target} brpc-static-debug ${LIB_FUZZING_ENGINE})
+        set_target_properties(${target} PROPERTIES
+            BUILD_WITH_INSTALL_RPATH TRUE
+            INSTALL_RPATH "$ORIGIN/lib")
+    endforeach()
+endif()
diff --git a/test/fuzzing/fuzz_butil.cpp b/test/fuzzing/fuzz_butil.cpp
@@ -0,0 +1,52 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "butil/base64.h"
+#include "butil/crc32c.h"
+#include "butil/hash.h"
+#include "butil/sha1.h"
+
+#define kMinInputLength 5
+#define kMaxInputLength 1024
+
+extern "C" int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    if (size < kMinInputLength || size > kMaxInputLength){
+        return 1;
+    }
+
+    std::string input(reinterpret_cast<const char*>(data), size);
+
+    {
+        std::string encoded;
+        std::string decoded;
+        butil::Base64Encode(input, &encoded);
+        butil::Base64Decode(input, &decoded);
+    }
+    {
+        butil::crc32c::Value(reinterpret_cast<const char*>(data), size);
+    }
+    {
+        butil::Hash(input);
+    }
+    {
+        butil::SHA1HashString(input);
+    }
+
+    return 0;
+}
diff --git a/test/fuzzing/fuzz_butil_seed_corpus/base64_decoded.txt b/test/fuzzing/fuzz_butil_seed_corpus/base64_decoded.txt
@@ -0,0 +1 @@
+aGVsbG8gd29ybGQ=
diff --git a/test/fuzzing/fuzz_butil_seed_corpus/base64_encoded.txt b/test/fuzzing/fuzz_butil_seed_corpus/base64_encoded.txt
@@ -0,0 +1 @@
+hello world
diff --git a/test/fuzzing/fuzz_butil_seed_corpus/crc32c.data b/test/fuzzing/fuzz_butil_seed_corpus/crc32c.data
diff --git a/test/fuzzing/fuzz_esp.cpp b/test/fuzzing/fuzz_esp.cpp
@@ -0,0 +1,38 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "brpc/policy/esp_protocol.h"
+
+#define kMinInputLength 5
+#define kMaxInputLength 1024
+
+extern "C" int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    if (size < kMinInputLength || size > kMaxInputLength){
+        return 1;
+    }
+
+    std::string input(reinterpret_cast<const char*>(data), size);
+
+    butil::IOBuf buf;
+    buf.append(input);
+
+    brpc::policy::ParseEspMessage(&buf, NULL, false, NULL);
+
+    return 0;
+}
diff --git a/test/fuzzing/fuzz_hpack.cpp b/test/fuzzing/fuzz_hpack.cpp
@@ -0,0 +1,43 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "brpc/details/hpack.h"
+#include "butil/logging.h"
+
+#define kMinInputLength 5
+#define kMaxInputLength 1024
+
+extern "C" int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    if (size < kMinInputLength || size > kMaxInputLength){
+        return 1;
+    }
+
+    std::string input(reinterpret_cast<const char*>(data), size);
+
+    butil::IOBuf buf;
+    brpc::HPacker p2;
+    brpc::HPacker::Header h2;
+
+    p2.Init(4096);
+    buf.append(input);
+
+    p2.Decode(&buf, &h2);
+
+    return 0;
+}
diff --git a/test/fuzzing/fuzz_hpack_seed_corpus/header_never_indexed.hpack b/test/fuzzing/fuzz_hpack_seed_corpus/header_never_indexed.hpack
@@ -0,0 +1 @@
+passwordsecret
diff --git a/test/fuzzing/fuzz_hpack_seed_corpus/header_with_indexing.hpack b/test/fuzzing/fuzz_hpack_seed_corpus/header_with_indexing.hpack
@@ -0,0 +1,2 @@
+@
+custom-keycustom-header

diff --git a/test/fuzzing/fuzz_hpack_seed_corpus/header_without_indexing.hpack b/test/fuzzing/fuzz_hpack_seed_corpus/header_without_indexing.hpack
@@ -0,0 +1 @@
+/sample/path
diff --git a/test/fuzzing/fuzz_hpack_seed_corpus/requests_without_huffman.hpack b/test/fuzzing/fuzz_hpack_seed_corpus/requests_without_huffman.hpack
@@ -0,0 +1,2 @@
+����@
+custom-keycustom-value
diff --git a/test/fuzzing/fuzz_hpack_seed_corpus/responses_without_huffman.hpack b/test/fuzzing/fuzz_hpack_seed_corpus/responses_without_huffman.hpack
@@ -0,0 +1 @@
+H302XprivateaMon, 21 Oct 2013 20:13:21 GMTnhttps://www.example.com
diff --git a/test/fuzzing/fuzz_http.cpp b/test/fuzzing/fuzz_http.cpp
@@ -0,0 +1,45 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "brpc/details/http_message.h"
+#include "brpc/policy/http_rpc_protocol.h"
+
+#define kMinInputLength 5
+#define kMaxInputLength 1024
+
+extern "C" int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    if (size < kMinInputLength || size > kMaxInputLength){
+        return 1;
+    }
+
+    std::string input(reinterpret_cast<const char*>(data), size);
+
+    {
+        butil::IOBuf buf;
+        buf.append(input);
+        brpc::HttpMessage http_message;
+        http_message.ParseFromIOBuf(buf);
+    }
+    {
+        brpc::HttpMessage http_message;
+        http_message.ParseFromArray((char *)data, size);
+    }
+
+    return 0;
+}
diff --git a/test/fuzzing/fuzz_http_seed_corpus/http_request.http b/test/fuzzing/fuzz_http_seed_corpus/http_request.http
@@ -0,0 +1,9 @@
+GET /path/file.html?sdfsdf=sdfs HTTP/1.0
+From: [email protected]
+User-Agent: HTTPTool/1.0
+Content-Type: json
+Content-Length: 19
+Host: sdlfjslfd
+Accept: */*
+
+Message Body sdfsdf
diff --git a/test/fuzzing/fuzz_http_seed_corpus/http_request_v2.http b/test/fuzzing/fuzz_http_seed_corpus/http_request_v2.http
@@ -0,0 +1,23 @@
+GET /CloudApiControl/HttpServer/telematics/v3/weather?location=%E6%B5%B7%E5%8D%97%E7%9C%81%E7%9B%B4%E8%BE%96%E5%8E%BF%E7%BA%A7%E8%A1%8C%E6%94%BF%E5%8D%95%E4%BD%8D&output=json&ak=0l3FSP6qA0WbOzGRaafbmczS HTTP/1.1
+X-Host: api.map.baidu.com
+X-Forwarded-Proto: http
+Host: api.map.baidu.com
+User-Agent: IME/Android/4.4.2/N80.QHD.LT.X10.V3/N80.QHD.LT.X10.V3.20150812.031915
+Accept: application/json
+Accept-Charset: UTF-8,*;q=0.5
+Accept-Encoding: deflate,sdch
+Accept-Language: zh-CN,en-US;q=0.8,zh;q=0.6
+Bfe-Atk: NORMAL_BROWSER
+Bfe_logid: 8767802212038413243
+Bfeip: 10.26.124.40
+CLIENTIP: 119.29.102.26
+CLIENTPORT: 59863
+Cache-Control: max-age=0
+Content-Type: application/json;charset=utf8
+X-Forwarded-For: 119.29.102.26
+X-Forwarded-Port: 59863
+X-Ime-Imei: 35629601890905
+X_BD_LOGID: 3959476981
+X_BD_LOGID64: 16815814797661447369
+X_BD_PRODUCT: map
+X_BD_SUBSYS: apimap
diff --git a/test/fuzzing/fuzz_hulu.cpp b/test/fuzzing/fuzz_hulu.cpp
@@ -0,0 +1,38 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "brpc/policy/hulu_pbrpc_protocol.h"
+
+#define kMinInputLength 5
+#define kMaxInputLength 1024
+
+extern "C" int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    if (size < kMinInputLength || size > kMaxInputLength){
+        return 1;
+    }
+
+    std::string input(reinterpret_cast<const char*>(data), size);
+
+    butil::IOBuf buf;
+    buf.append(input);
+
+    brpc::policy::ParseHuluMessage(&buf, NULL, false, NULL);
+
+    return 0;
+}
diff --git a/test/fuzzing/fuzz_json.cpp b/test/fuzzing/fuzz_json.cpp
@@ -0,0 +1,37 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "json2pb/json_to_pb.h"
+#include "addressbook1.pb.h"
+
+#define kMinInputLength 5
+#define kMaxInputLength 1024
+
+extern "C" int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    if (size < kMinInputLength || size > kMaxInputLength){
+        return 1;
+    }
+
+    std::string error;
+    JsonContextBody jsondata;
+    std::string input_data((char *)data,size);
+    json2pb::JsonToProtoMessage(input_data, &jsondata, &error);
+
+    return 0;
+}
diff --git a/test/fuzzing/fuzz_json_seed_corpus/info1.json b/test/fuzzing/fuzz_json_seed_corpus/info1.json
@@ -0,0 +1 @@
+{"judge":false, "spur":-2, "data":[], "info":[],"content":[]}
diff --git a/test/fuzzing/fuzz_json_seed_corpus/info2.json b/test/fuzzing/fuzz_json_seed_corpus/info2.json
@@ -0,0 +1 @@
+[{"container": 1000, "host": 1000, "size": 2}]
diff --git a/test/fuzzing/fuzz_json_seed_corpus/info3.json b/test/fuzzing/fuzz_json_seed_corpus/info3.json
@@ -0,0 +1 @@
+{"content":[{"distance":1,"unknown_member":2,"ext":{"age":1666666666, "databyte":"d2VsY29tZQ==", "enumtype":1},"uid":"someone"},{"distance":10,"unknown_member":20,"ext":{"age":1666666660, "databyte":"d2VsY29tZQ==","enumtype":2},"uid":"someone0"}], "judge":false,"spur":2, "data":[1,2,3,4,5,6,7,8,9,10]}