Add fuzzer for parse of Permissions-Policy header

Bug: 1095641 Change-Id: I7558008667c0c3a83dbb19c9211bad78db1dd3fc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2272611Reviewed-by: Ian Clelland <iclelland@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Commit-Queue: Charlie Hu <chenleihu@google.com> Cr-Commit-Position: refs/heads/master@{#785803}

Add fuzzer for parse of Permissions-Policy header
Bug: 1095641 Change-Id: I7558008667c0c3a83dbb19c9211bad78db1dd3fc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2272611Reviewed-by: Ian Clelland <iclelland@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Commit-Queue: Charlie Hu <chenleihu@google.com> Cr-Commit-Position: refs/heads/master@{#785803}
10a116f2 · Charlie Hu · Commit Bot · 80cb8228 · 10a116f2 · 10a116f2
Commit 10a116f2 authored Jul 07, 2020 by Charlie Hu Committed by Commit Bot Jul 07, 2020
19 changed files
--- a/third_party/blink/renderer/core/BUILD.gn
+++ b/third_party/blink/renderer/core/BUILD.gn
@@ -1661,3 +1661,14 @@ fuzzer_test("document_policy_fuzzer") {
  seed_corpus =
      "//third_party/blink/renderer/core/feature_policy/document_policy_corpus"
 }
+fuzzer_test("permissions_policy_fuzzer") {
+  sources = [ "feature_policy/permissions_policy_fuzzer.cc" ]
+  deps = [
+    "//third_party/blink/renderer/platform:blink_fuzzer_test_support",
+    "//third_party/icu",
+  ]
+  dict =
+      "//third_party/blink/renderer/core/feature_policy/permissions_policy.dict"
+  seed_corpus = "//third_party/blink/renderer/core/feature_policy/permissions_policy_corpus"
+}
--- a/third_party/blink/renderer/core/feature_policy/permissions_policy.dict
+++ b/third_party/blink/renderer/core/feature_policy/permissions_policy.dict
+# Copyright 2020 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+"accelerometer"
+"ambient-light-sensor"
+"autoplay"
+"camera"
+"document-domain"
+"document-write"
+"encrypted-media"
+"forms"
+"fullscreen"
+"geolocation"
+"gyroscope"
+"hid"
+"idle-detection"
+"layout-animations"
+"lazyload"
+"magnetometer"
+"microphone"
+"midi"
+"modals"
+"orientation-lock"
+"payment"
+"picture-in-picture"
+"pointer-lock"
+"popups"
+"presentation"
+"screen-wake-lock"
+"scripts"
+"serial"
+"speaker"
+"sync-script"
+"sync-xkr"
+"top-navigation"
+"unsized-media"
+"usb"
+"vertical-scroll"
+"vr"
+"\"https://example.com/\""
+"*"
+"self"
+"("
+")"
+"="
+"0"
+"1"
+".0"
+"?0"
+"?1"
+"\""
+" "
--- a/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/1
+++ b/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/1
+badfeaturename
--- a/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/10
+++ b/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/10
+camera=(self "https://example.com/"), camera=(self "https://example.net/")
--- a/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/11
+++ b/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/11
+vibrate=(self "https://example.org/")
--- a/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/12
+++ b/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/12
+document-write=(self "https://example.org/")
--- a/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/13
+++ b/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/13
+vibrate=(self https://example.net/), docwrite=self
--- a/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/14
+++ b/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/14
+vibrate=*, docwrite=*
--- a/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/15
+++ b/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/15
+vibrate, fullscreen, payment
--- a/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/16
+++ b/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/16
+vibrate=src
--- a/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/2
+++ b/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/2
+badfeaturename=self
--- a/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/3
+++ b/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/3
+vibrate="data://badorigin"
--- a/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/4
+++ b/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/4
+1.0
--- a/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/5
+++ b/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/5
+vibrate=(self)
--- a/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/6
+++ b/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/6
+vibrate=("https://example.com/")
--- a/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/7
+++ b/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/7
+docwrite=()
--- a/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/8
+++ b/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/8
+docwrite=self
--- a/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/9
+++ b/third_party/blink/renderer/core/feature_policy/permissions_policy_corpus/9
+vibrate=*
--- a/third_party/blink/renderer/core/feature_policy/permissions_policy_fuzzer.cc
+++ b/third_party/blink/renderer/core/feature_policy/permissions_policy_fuzzer.cc
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include "third_party/blink/renderer/core/feature_policy/feature_policy_parser.h"
+#include <stddef.h>
+#include <stdint.h>
+#include <memory>
+#include "third_party/blink/renderer/platform/heap/handle.h"
+#include "third_party/blink/renderer/platform/testing/blink_fuzzer_test_support.h"
+#include "third_party/blink/renderer/platform/weborigin/security_origin.h"
+#include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"
+#include "third_party/blink/renderer/platform/wtf/vector.h"
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  static blink::BlinkFuzzerTestSupport test_support =
+      blink::BlinkFuzzerTestSupport();
+  blink::PolicyParserMessageBuffer logger;
+  scoped_refptr<const blink::SecurityOrigin> origin =
+      blink::SecurityOrigin::CreateFromString("https://example.com/");
+  blink::FeaturePolicyParser::ParseHeader(
+      g_empty_string, WTF::String(data, size), origin.get(), logger);
+  return 0;
+}