blob: b8b7b192b4ebf97e95f4ff13b3e8bc9939c88bcb [file] [log] [blame]
// Copyright 2016 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "third_party/blink/renderer/core/frame/csp/content_security_policy.h"
#include "third_party/blink/renderer/core/frame/csp/conversion_util.h"
#include "third_party/blink/renderer/platform/heap/thread_state.h"
#include "third_party/blink/renderer/platform/testing/blink_fuzzer_test_support.h"
#include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"
namespace blink {
int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
static BlinkFuzzerTestSupport test_support = BlinkFuzzerTestSupport();
// We need two pieces of input: a URL and a CSP string. Split |data| in two at
// the first whitespace.
const uint8_t* it = data;
for (; it < data + size; it++) {
if (base::IsAsciiWhitespace(*reinterpret_cast<const char*>(it))) {
it++;
break;
}
}
if (it == data + size) {
// Not much point in going on with an empty CSP string.
return EXIT_SUCCESS;
}
String url = String(data, it - 1 - data);
String header = String(it, size - (it - data));
unsigned hash = header.IsNull() ? 0 : header.Impl()->GetHash();
// Use the 'hash' value to pick header_type and header_source input.
// 1st bit: header type.
// 2nd bit: header source: HTTP (or other)
// 3rd bit: header source: Meta or OriginPolicy (if not HTTP)
network::mojom::ContentSecurityPolicyType header_type =
hash & 0x01 ? network::mojom::ContentSecurityPolicyType::kEnforce
: network::mojom::ContentSecurityPolicyType::kReport;
network::mojom::ContentSecurityPolicySource header_source =
network::mojom::ContentSecurityPolicySource::kHTTP;
if (hash & 0x02) {
header_source =
(hash & 0x04)
? network::mojom::ContentSecurityPolicySource::kMeta
: network::mojom::ContentSecurityPolicySource::kOriginPolicy;
}
scoped_refptr<SecurityOrigin> self_origin = SecurityOrigin::Create(KURL(url));
// Construct a policy from the string.
auto* csp = MakeGarbageCollected<ContentSecurityPolicy>();
csp->DidReceiveHeader(header, *self_origin, header_type, header_source);
const Vector<network::mojom::blink::ContentSecurityPolicyPtr>&
parsed_policies = csp->GetParsedPolicies();
if (parsed_policies.size() > 0) {
network::mojom::blink::ContentSecurityPolicyPtr converted_csp =
ConvertToMojoBlink(ConvertToPublic(parsed_policies[0]->Clone()));
CHECK(converted_csp->Equals(*parsed_policies[0]));
}
// Force a garbage collection.
// Specify namespace explicitly. Otherwise it conflicts on Mac OS X with:
// CoreServices.framework/Frameworks/CarbonCore.framework/Headers/Threads.h.
ThreadState::Current()->CollectAllGarbageForTesting(
BlinkGC::kNoHeapPointersOnStack);
return 0;
}
} // namespace blink
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
return blink::LLVMFuzzerTestOneInput(data, size);
}