Add fuzzer for parse of Permissions-Policy header
Bug: 1095641
Change-Id: I7558008667c0c3a83dbb19c9211bad78db1dd3fc
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2272611
Reviewed-by: Ian Clelland <iclelland@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Charlie Hu <chenleihu@google.com>
Cr-Commit-Position: refs/heads/master@{#785803}
Charlie Hu authored and Commit Bot committed Jul 7, 2020
1 parent 80cb822 commit 10a116f
Showing 19 changed files with 106 additions and 0 deletions.
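--- a/third_party/blink/renderer/core/BUILD.gn
+++ b/third_party/blink/renderer/core/BUILD.gn
@@ -1661,3 +1661,14 @@ fuzzer_test("document_policy_fuzzer") {
 seed_corpus =
 "//third_party/blink/renderer/core/feature_policy/document_policy_corpus"
 }
+
+fuzzer_test("permissions_policy_fuzzer") {
+sources = [ "feature_policy/permissions_policy_fuzzer.cc" ]
+deps = [
+"//third_party/blink/renderer/platform:blink_fuzzer_test_support",
+"//third_party/icu",
+]
+dict =
+"//third_party/blink/renderer/core/feature_policy/permissions_policy.dict"
+seed_corpus = "//third_party/blink/renderer/core/feature_policy/permissions_policy_corpus"
+}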
@@ -0,0 +1,53 @@
# Copyright 2020 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

"accelerometer"
"ambient-light-sensor"
"autoplay"
"camera"
"document-domain"
"document-write"
"encrypted-media"
"forms"
"fullscreen"
"geolocation"
"gyroscope"
"hid"
"idle-detection"
"layout-animations"
"lazyload"
"magnetometer"
"microphone"
"midi"
"modals"
"orientation-lock"
"payment"
"picture-in-picture"
"pointer-lock"
"popups"
"presentation"
"screen-wake-lock"
"scripts"
"serial"
"speaker"
"sync-script"
"sync-xkr"
"top-navigation"
"unsized-media"
"usb"
"vertical-scroll"
"vr"
"\"https://example.com/\""
"*"
"self"
"("
")"
"="
"0"
"1"
".0"
"?0"
"?1"
"\""
" "
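Review bot: The dictionary entry `"sync-xkr"` appears to be a typo for `sync-xhr`, the feature name the parser would actually recognize; a token the parser never matches only exercises the unknown-feature path, which `badfeaturename` in the seed corpus already covers. The seed corpus files added in this commit also lean heavily on `vibrate` and `docwrite`, neither of which appears in this dictionary, so if those are not recognized feature names most seeds start out in the error path rather than in the allowlist-parsing code. Worth checking the spelling against the feature list the parser consults and adding a few seeds built from names that do appear here, in the style of the existing `camera=(self "https://example.com/")` seed.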
@@ -0,0 +1 @@
badfeaturename
@@ -0,0 +1 @@
camera=(self "https://example.com/"), camera=(self "https://example.net/")
@@ -0,0 +1 @@
vibrate=(self "https://example.org/")
@@ -0,0 +1 @@
document-write=(self "https://example.org/")
@@ -0,0 +1 @@
vibrate=(self https://example.net/), docwrite=self
@@ -0,0 +1 @@
vibrate=*, docwrite=*
@@ -0,0 +1 @@
vibrate, fullscreen, payment
@@ -0,0 +1 @@
vibrate=src
@@ -0,0 +1 @@
badfeaturename=self
@@ -0,0 +1 @@
vibrate="data://badorigin"
@@ -0,0 +1 @@
1.0
@@ -0,0 +1 @@
vibrate=(self)
@@ -0,0 +1 @@
vibrate=("https://example.com/")
@@ -0,0 +1 @@
docwrite=()
@@ -0,0 +1 @@
docwrite=self
@@ -0,0 +1 @@
vibrate=*
@@ -0,0 +1,26 @@
// Copyright 2020 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "third_party/blink/renderer/core/feature_policy/feature_policy_parser.h"

#include <stddef.h>
#include <stdint.h>
#include <memory>

#include "third_party/blink/renderer/platform/heap/handle.h"
#include "third_party/blink/renderer/platform/testing/blink_fuzzer_test_support.h"
#include "third_party/blink/renderer/platform/weborigin/security_origin.h"
#include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"
#include "third_party/blink/renderer/platform/wtf/vector.h"

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
static blink::BlinkFuzzerTestSupport test_support =
blink::BlinkFuzzerTestSupport();
blink::PolicyParserMessageBuffer logger;
scoped_refptr<const blink::SecurityOrigin> origin =
blink::SecurityOrigin::CreateFromString("https://example.com/");
blink::FeaturePolicyParser::ParseHeader(
g_empty_string, WTF::String(data, size), origin.get(), logger);
return 0;
}
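Review bot: `WTF::String(data, size)` in LLVMFuzzerTestOneInput constructs an 8-bit string straight from the raw bytes, so the parser's 16-bit string path is never reached and `size` appears to be narrowed from `size_t` to the unsigned length the constructor takes; consider additionally running the same bytes through `WTF::String::FromUTF8(data, size)` (skipping the call when it yields a null string) so both representations are covered. The fuzz input lands in the second ParseHeader argument, presumably the Permissions-Policy header value given the commit title, while the first is the empty string; a one-line header comment stating that would save the next reader a trip to the parser, e.g. `// Feeds arbitrary bytes to FeaturePolicyParser::ParseHeader as the Permissions-Policy header value, with an empty Feature-Policy header and a fixed https://example.com/ origin.`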
