From f96e0fc9d737e39bd1586c3bbc8421837e2879d3 Mon Sep 17 00:00:00 2001
From: arthursonzogni
Date: Tue, 27 Oct 2020 11:44:00 +0000
Subject: [PATCH] Add fuzzer for blink::SecurityOrigin.
Check an url::Origin always survives the conversion through a blink::SecurityOrigin. This is typically what is done during some browser process <-> renderer process IPC. For instance, in https://crbug.com/901489, the origin sent from the browser process didn't survived the conversion. The host in url::Origin is percent encoded, while in the blink::SecurityOrigin, it used not to. SecurityOrigin::CreateFromString(...) is called with untrusted input by several components. This patch is mostly added by curiosity, to make me comfortable with: https://chromium-review.googlesource.com/c/chromium/src/+/2464363
Fixed: 490074
Bug: None
Change-Id: Icec738475e888569ad99520f45afa5bcc6a7bbd0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2491360
Reviewed-by: Mike West
Commit-Queue: Arthur Sonzogni
Cr-Commit-Position: refs/heads/master@{#821170}
---
.../public/platform/web_security_origin.h | 3 -
third_party/blink/renderer/platform/BUILD.gn | 11 ++++
.../weborigin/security_origin_fuzzer.cc | 64 +++++++++++++++++++
url/gurl_fuzzer.dict | 6 ++
4 files changed, 81 insertions(+), 3 deletions(-)
create mode 100644 third_party/blink/renderer/platform/weborigin/security_origin_fuzzer.cc
diff --git a/third_party/blink/public/platform/web_security_origin.h b/third_party/blink/public/platform/web_security_origin.h
index b671869dd62f95..d05027ff1f8c2b 100644
--- a/third_party/blink/public/platform/web_security_origin.h
+++ b/third_party/blink/public/platform/web_security_origin.h
@@ -116,9 +116,6 @@ class WebSecurityOrigin {
BLINK_PLATFORM_EXPORT operator scoped_refptr() const;
BLINK_PLATFORM_EXPORT const SecurityOrigin* Get() const;
#endif
- // TODO(mkwst): A number of properties don't survive a round-trip
- // ('document.domain', for instance). We'll need to fix that for OOPI-enabled
- // embedders, https://crbug.com/490074.
BLINK_PLATFORM_EXPORT WebSecurityOrigin(const url::Origin&);
BLINK_PLATFORM_EXPORT operator url::Origin() const;
diff --git a/third_party/blink/renderer/platform/BUILD.gn b/third_party/blink/renderer/platform/BUILD.gn
index 505a95e9d29c21..46d98d86cc6da6 100644
--- a/third_party/blink/renderer/platform/BUILD.gn
+++ b/third_party/blink/renderer/platform/BUILD.gn
@@ -2387,6 +2387,17 @@ fuzzer_test("blink_json_parser_fuzzer") {
dict = "//testing/libfuzzer/fuzzers/dicts/json.dict"
}
+# Fuzzer for blink::SecurityOrigin
+fuzzer_test("blink_security_origin_fuzzer") {
+ sources = [ "weborigin/security_origin_fuzzer.cc" ]
+ deps = [
+ ":blink_fuzzer_test_support",
+ ":platform",
+ ]
+ dict = "//url/gurl_fuzzer.dict"
+ defines = [ "INSIDE_BLINK" ]
+}
+
fuzzer_test("blink_harfbuzz_shaper_fuzzer") {
sources = [ "fonts/shaping/harfbuzz_shaper_fuzzer.cc" ]
deps = [
diff --git a/third_party/blink/renderer/platform/weborigin/security_origin_fuzzer.cc b/third_party/blink/renderer/platform/weborigin/security_origin_fuzzer.cc
new file mode 100644
index 00000000000000..9a9275ddf2e972
--- /dev/null
+++ b/third_party/blink/renderer/platform/weborigin/security_origin_fuzzer.cc
@@ -0,0 +1,64 @@
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Configure: # gn args out/Fuzz
+// with args:
+// use_libfuzzer = true
+// is_asan = true
+// is_ubsan_security = true
+// is_debug = false
+// use_goma = true
+// Build: # autoninja -C out/Fuzz blink_security_origin_fuzzer
+// Run: # ./out/Fuzz/blink_security_origin_fuzzer
+//
+// For more details, see
+// https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/README.md
+#include "third_party/blink/public/platform/web_security_origin.h"
+#include "third_party/blink/renderer/platform/testing/blink_fuzzer_test_support.h"
+#include "third_party/blink/renderer/platform/weborigin/security_origin.h"
+#include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"
+#include "url/gurl.h"
+#include "url/origin.h"
+
+namespace blink {
+
+// Make sure an origin created from content (e.g. url::Origin) survives the
+// conversion from/to blink.
+void RoundTripFromContent(const GURL& input) {
+ url::Origin origin_1 = url::Origin::Create(input);
+ WebSecurityOrigin web_security_origin_1 = origin_1;
+ scoped_refptr security_origin = web_security_origin_1;
+ WebSecurityOrigin web_security_origin_2 = security_origin;
+ url::Origin origin_2 = web_security_origin_2;
+
+ CHECK_EQ(origin_1, origin_2);
+}
+
+// Make sure an origin created from blink (e.g. blink::SecurityOrigin) survives
+// the conversion from/to content.
+void RoundTripFromBlink(String input) {
+ scoped_refptr security_origin_1 =
+ SecurityOrigin::CreateFromString(input);
+ WebSecurityOrigin web_security_origin_1 = security_origin_1;
+ url::Origin origin = web_security_origin_1;
+ WebSecurityOrigin web_security_origin_2 = origin;
+ scoped_refptr security_origin_2 = web_security_origin_2;
+
+ CHECK(security_origin_1->IsSameOriginWith(security_origin_2.get()));
+}
+
+// Entry point for LibFuzzer.
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ static BlinkFuzzerTestSupport test_support = BlinkFuzzerTestSupport();
+ std::string input(reinterpret_cast(data), size);
+ RoundTripFromContent(GURL(input));
+ RoundTripFromBlink(String::FromUTF8(input));
+ return EXIT_SUCCESS;
+}
+
+} // namespace blink
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ return blink::LLVMFuzzerTestOneInput(data, size);
+}
diff --git a/url/gurl_fuzzer.dict b/url/gurl_fuzzer.dict
index 3e87a03a922740..061161209226d9 100644
--- a/url/gurl_fuzzer.dict
+++ b/url/gurl_fuzzer.dict
@@ -407,3 +407,9 @@
# This comes from https://crbug.com/1128999.
"file:///.//"
"file:////"
+
+# Special scheme not mentionned above.
+"blob"
+"filesystem"
+"javascript"
+"about"
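Review bot: The two round trips use different oracles — RoundTripFromContent demands exact url::Origin equality with CHECK_EQ, while RoundTripFromBlink only asks `IsSameOriginWith`, which as far as I can tell compares origin identity, so any SecurityOrigin state beyond the scheme/host/port tuple (the document.domain round-trip problem named in the TODO this commit removes from web_security_origin.h) is not exercised by the blink-side check. If that is intentional, a comment above the CHECK such as `// Only origin identity is compared here; other SecurityOrigin state is not checked.` would keep the next reader from assuming crbug.com/490074 is covered by this fuzzer. Separately, the file uses uint8_t, size_t, std::string and EXIT_SUCCESS but includes none of the standard headers that declare them; add `#include <cstdint>`, `#include <cstdlib>` and `#include <string>` ahead of the project includes (and the base headers that provide CHECK_EQ and scoped_refptr), rather than relying on transitive includes. All three functions are fully contained in this hunk.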