diff --git a/tensorflow/security/fuzzing/BUILD b/tensorflow/security/fuzzing/BUILD index 93c03286b6c9fb..2f560bc3c6b711 100644 --- a/tensorflow/security/fuzzing/BUILD +++ b/tensorflow/security/fuzzing/BUILD @@ -26,3 +26,42 @@ tf_fuzz_target( "//tensorflow/core/platform:status", ], ) + +tf_fuzz_target( + name = "consume_non_whitespace_fuzz", + srcs = ["consume_non_whitespace_fuzz.cc"], + deps = [ + "//tensorflow/core/platform:str_util", + "//tensorflow/core/platform:stringpiece", + ], +) + +tf_fuzz_target( + name = "consume_leading_digits_fuzz", + srcs = ["consume_leading_digits_fuzz.cc"], + deps = [ + "//tensorflow/core/platform:str_util", + "//tensorflow/core/platform:stringpiece", + ], +) + +tf_fuzz_target( + name = "arg_def_case_fuzz", + srcs = ["arg_def_case_fuzz.cc"], + tags = [ + "notap", # TODO(b/160990158): ArgDefCase invariant is broken + ], + deps = [ + "//tensorflow/core/platform:str_util", + "//tensorflow/core/platform:stringpiece", + ], +) + +tf_fuzz_target( + name = "string_replace_fuzz", + srcs = ["string_replace_fuzz.cc"], + deps = [ + "//tensorflow/core/platform:str_util", + "//tensorflow/core/platform:stringpiece", + ], +) diff --git a/tensorflow/security/fuzzing/arg_def_case_fuzz.cc b/tensorflow/security/fuzzing/arg_def_case_fuzz.cc new file mode 100644 index 00000000000000..975a1efa164002 --- /dev/null +++ b/tensorflow/security/fuzzing/arg_def_case_fuzz.cc @@ -0,0 +1,44 @@ +/* Copyright 2020 The TensorFlow Authors. All Rights Reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +==============================================================================*/ +#include +#include + +#include "tensorflow/core/platform/str_util.h" +#include "tensorflow/core/platform/stringpiece.h" + +// This is a fuzzer for tensorflow::str_util::ArgDefCase + +namespace { + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + uint8_t *byte_data = const_cast(data); + char *char_data = reinterpret_cast(byte_data); + + tensorflow::StringPiece sp(char_data, size); + + tensorflow::str_util::ArgDefCase(sp); + for (const auto &c : sp) { + const bool is_letter = 'a' <= c && c <= 'z'; + const bool is_digit = '0' <= c && c <= '9'; + if (!is_letter && !is_digit) { + printf("Got '%c'\n", c); + assert(c == '_'); + } + } + + return 0; +} + +} // namespace diff --git a/tensorflow/security/fuzzing/consume_leading_digits_fuzz.cc b/tensorflow/security/fuzzing/consume_leading_digits_fuzz.cc new file mode 100644 index 00000000000000..d49bc1f21106e8 --- /dev/null +++ b/tensorflow/security/fuzzing/consume_leading_digits_fuzz.cc @@ -0,0 +1,41 @@ +/* Copyright 2020 The TensorFlow Authors. All Rights Reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +==============================================================================*/ +#include +#include + +#include "tensorflow/core/platform/str_util.h" +#include "tensorflow/core/platform/stringpiece.h" + +// This is a fuzzer for tensorflow::str_util::ConsumeLeadingDigits + +namespace { + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + uint8_t *byte_data = const_cast(data); + char *char_data = reinterpret_cast(byte_data); + + tensorflow::StringPiece sp(char_data, size); + tensorflow::uint64 val; + + const bool leading_digits = + tensorflow::str_util::ConsumeLeadingDigits(&sp, &val); + if (leading_digits) { + assert(val >= 0); + } + + return 0; +} + +} // namespace diff --git a/tensorflow/security/fuzzing/consume_non_whitespace_fuzz.cc b/tensorflow/security/fuzzing/consume_non_whitespace_fuzz.cc new file mode 100644 index 00000000000000..6d2b5b929b8a68 --- /dev/null +++ b/tensorflow/security/fuzzing/consume_non_whitespace_fuzz.cc @@ -0,0 +1,51 @@ +/* Copyright 2020 The TensorFlow Authors. All Rights Reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +==============================================================================*/ +#include +#include + +#include "tensorflow/core/platform/str_util.h" +#include "tensorflow/core/platform/stringpiece.h" + +// This is a fuzzer for tensorflow::str_util::ConsumeNonWhitespace + +namespace { + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + uint8_t *byte_data = const_cast(data); + char *char_data = reinterpret_cast(byte_data); + + tensorflow::StringPiece sp(char_data, size); + tensorflow::StringPiece spe; + + while (!sp.empty()) { + const size_t initial_size = sp.size(); + (void)initial_size; // "use" initial_size even if assert is disabled + + const bool leading_whitespace = + tensorflow::str_util::ConsumeNonWhitespace(&sp, &spe); + + if (leading_whitespace) { + assert(!spe.empty()); + } + assert(initial_size == (sp.size() + spe.size())); + + tensorflow::str_util::RemoveLeadingWhitespace(&sp); + assert(initial_size > sp.size()); + } + + return 0; +} + +} // namespace diff --git a/tensorflow/security/fuzzing/string_replace_fuzz.cc b/tensorflow/security/fuzzing/string_replace_fuzz.cc new file mode 100644 index 00000000000000..fe43b9b78aa3d8 --- /dev/null +++ b/tensorflow/security/fuzzing/string_replace_fuzz.cc @@ -0,0 +1,48 @@ +/* Copyright 2020 The TensorFlow Authors. All Rights Reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +==============================================================================*/ +#include + +#include +#include + +#include "tensorflow/core/platform/str_util.h" +#include "tensorflow/core/platform/stringpiece.h" + +// This is a fuzzer for tensorflow::str_util::StringReplace + +namespace { + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + FuzzedDataProvider fuzzed_data(data, size); + + if (size < 1) return 0; + + bool all_flag = fuzzed_data.ConsumeBool(); + + std::string s = fuzzed_data.ConsumeRandomLengthString(10); + std::string oldsub = fuzzed_data.ConsumeRandomLengthString(5); + std::string newsub = fuzzed_data.ConsumeRemainingBytesAsString(); + + tensorflow::StringPiece sp(s); + tensorflow::StringPiece oldsubp(oldsub); + tensorflow::StringPiece newsubp(newsub); + + std::string subbed = + tensorflow::str_util::StringReplace(sp, oldsubp, newsubp, all_flag); + + return 0; +} + +} // namespace