Add fuzzer for blink::SecurityOrigin.

Check an url::Origin always survives the conversion through a blink::SecurityOrigin. This is typically what is done during some browser process <-> renderer process IPC. For instance, in https://crbug.com/901489, the origin sent from the browser process didn't survived the conversion. The host in url::Origin is percent encoded, while in the blink::SecurityOrigin, it used not to. SecurityOrigin::CreateFromString(...) is called with untrusted input by several components. This patch is mostly added by curiosity, to make me comfortable with: https://chromium-review.googlesource.com/c/chromium/src/+/2464363 Fixed: 490074 Bug: None Change-Id: Icec738475e888569ad99520f45afa5bcc6a7bbd0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2491360 Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/master@{#821170}
FairyWorld · Oct 27, 2020 · f96e0fc · f96e0fc
1 parent 6dd566d
commit f96e0fc
Show file tree

Hide file tree

Showing 4 changed files with 81 additions and 3 deletions.
diff --git a/third_party/blink/public/platform/web_security_origin.h b/third_party/blink/public/platform/web_security_origin.h
@@ -116,9 +116,6 @@ class WebSecurityOrigin {
   BLINK_PLATFORM_EXPORT operator scoped_refptr<const SecurityOrigin>() const;
   BLINK_PLATFORM_EXPORT const SecurityOrigin* Get() const;
 #endif
-  // TODO(mkwst): A number of properties don't survive a round-trip
-  // ('document.domain', for instance).  We'll need to fix that for OOPI-enabled
-  // embedders, https://crbug.com/490074.
   BLINK_PLATFORM_EXPORT WebSecurityOrigin(const url::Origin&);
   BLINK_PLATFORM_EXPORT operator url::Origin() const;
 

diff --git a/third_party/blink/renderer/platform/BUILD.gn b/third_party/blink/renderer/platform/BUILD.gn
@@ -2387,6 +2387,17 @@ fuzzer_test("blink_json_parser_fuzzer") {
   dict = "//testing/libfuzzer/fuzzers/dicts/json.dict"
 }
 
+# Fuzzer for blink::SecurityOrigin
+fuzzer_test("blink_security_origin_fuzzer") {
+  sources = [ "weborigin/security_origin_fuzzer.cc" ]
+  deps = [
+    ":blink_fuzzer_test_support",
+    ":platform",
+  ]
+  dict = "//url/gurl_fuzzer.dict"
+  defines = [ "INSIDE_BLINK" ]
+}
+
 fuzzer_test("blink_harfbuzz_shaper_fuzzer") {
   sources = [ "fonts/shaping/harfbuzz_shaper_fuzzer.cc" ]
   deps = [

diff --git a/third_party/blink/renderer/platform/weborigin/security_origin_fuzzer.cc b/third_party/blink/renderer/platform/weborigin/security_origin_fuzzer.cc
@@ -0,0 +1,64 @@
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Configure: # gn args out/Fuzz
+// with args:
+//   use_libfuzzer = true
+//   is_asan = true
+//   is_ubsan_security = true
+//   is_debug = false
+//   use_goma = true
+// Build:     # autoninja -C out/Fuzz blink_security_origin_fuzzer
+// Run:       # ./out/Fuzz/blink_security_origin_fuzzer
+//
+// For more details, see
+// https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/README.md
+#include "third_party/blink/public/platform/web_security_origin.h"
+#include "third_party/blink/renderer/platform/testing/blink_fuzzer_test_support.h"
+#include "third_party/blink/renderer/platform/weborigin/security_origin.h"
+#include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"
+#include "url/gurl.h"
+#include "url/origin.h"
+
+namespace blink {
+
+// Make sure an origin created from content (e.g. url::Origin) survives the
+// conversion from/to blink.
+void RoundTripFromContent(const GURL& input) {
+  url::Origin origin_1 = url::Origin::Create(input);
+  WebSecurityOrigin web_security_origin_1 = origin_1;
+  scoped_refptr<const SecurityOrigin> security_origin = web_security_origin_1;
+  WebSecurityOrigin web_security_origin_2 = security_origin;
+  url::Origin origin_2 = web_security_origin_2;
+
+  CHECK_EQ(origin_1, origin_2);
+}
+
+// Make sure an origin created from blink (e.g. blink::SecurityOrigin) survives
+// the conversion from/to content.
+void RoundTripFromBlink(String input) {
+  scoped_refptr<const SecurityOrigin> security_origin_1 =
+      SecurityOrigin::CreateFromString(input);
+  WebSecurityOrigin web_security_origin_1 = security_origin_1;
+  url::Origin origin = web_security_origin_1;
+  WebSecurityOrigin web_security_origin_2 = origin;
+  scoped_refptr<const SecurityOrigin> security_origin_2 = web_security_origin_2;
+
+  CHECK(security_origin_1->IsSameOriginWith(security_origin_2.get()));
+}
+
+// Entry point for LibFuzzer.
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  static BlinkFuzzerTestSupport test_support = BlinkFuzzerTestSupport();
+  std::string input(reinterpret_cast<const char*>(data), size);
+  RoundTripFromContent(GURL(input));
+  RoundTripFromBlink(String::FromUTF8(input));
+  return EXIT_SUCCESS;
+}
+
+}  // namespace blink
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  return blink::LLVMFuzzerTestOneInput(data, size);
+}
diff --git a/url/gurl_fuzzer.dict b/url/gurl_fuzzer.dict
@@ -407,3 +407,9 @@
 # This comes from https://crbug.com/1128999.
 "file:///.//"
 "file:////"
+
+# Special scheme not mentionned above.
+"blob"
+"filesystem"
+"javascript"
+"about"