Fuzz target for net::ReportingHeaderParser using libprotobuf-mutator.

R=vitalybuka@chromium.org

Bug: 676024
Cq-Include-Trybots: master.tryserver.chromium.android:android_cronet_tester;master.tryserver.chromium.mac:ios-simulator-cronet
Change-Id: I2c1d8f28ffcce5e657e383ab70ad1dbb4ec9668e
Reviewed-on: https://chromium-review.googlesource.com/736669
Commit-Queue: Max Moroz <mmoroz@chromium.org>
Reviewed-by: Vitaly Buka <vitalybuka@chromium.org>
Reviewed-by: Julia Tuttle <juliatuttle@chromium.org>
Reviewed-by: Jonathan Metzman <metzman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#513036}

net/BUILD.gn

@@ -6233,3 +6233,32 @@ fuzzer_test("net_hpack_decoder_fuzzer") {
     "//net",
   ]
 }
+
+proto_library("reporting_policy_proto") {
+  import_dirs = [ "//testing/libfuzzer/proto/" ]
+  sources = [
+    "reporting/reporting_policy.proto",
+  ]
+  deps = [
+    "//testing/libfuzzer/proto:json_proto",
+  ]
+}
+
+fuzzer_test("net_reporting_header_parser_fuzzer") {
+  sources = [
+    "reporting/reporting_header_parser_fuzzer.cc",
+    "reporting/reporting_test_util.h",
+    "reporting/reporting_test_util.cc",
+  ]
+
+  deps = [
+    ":net_fuzzer_test_support",
+    ":reporting_policy_proto",
+    ":test_support",
+    "//base",
+    "//net",
+    "//testing/libfuzzer/proto:json_proto",
+    "//testing/libfuzzer/proto:json_proto_converter",
+    "//third_party/libprotobuf-mutator",
+  ]
+}

net/DEPS

@@ -64,6 +64,11 @@ specific_include_rules = {
   "fuzzer_test_support.cc": [
     "+base/i18n",
   ],
+
+  # Needed for fuzz targets written using libprotobuf-mutator library.
+  ".*fuzz.*": [
+    "+third_party/libprotobuf-mutator",
+  ]
 }
 
 skip_child_includes = [

net/reporting/reporting_header_parser_fuzzer.cc

+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/time/time.h"
+#include "net/reporting/reporting_cache.h"
+#include "net/reporting/reporting_client.h"
+#include "net/reporting/reporting_header_parser.h"
+#include "net/reporting/reporting_policy.pb.h"
+#include "net/reporting/reporting_test_util.h"
+#include "url/gurl.h"
+
+#include "testing/libfuzzer/proto/json_proto_converter.h"
+#include "third_party/libprotobuf-mutator/src/src/libfuzzer/libfuzzer_macro.h"
+
+// Silence logging from the protobuf library.
+protobuf_mutator::protobuf::LogSilencer log_silencer;
+
+// TODO: consider including proto definition for URL after moving that to
+// testing/libfuzzer/proto and creating a separate converter.
+const GURL kUrl_ = GURL("https://origin/path");
+
+namespace net_reporting_header_parser_fuzzer {
+
+void FuzzReportingHeaderParser(const std::string& data,
+                              const net::ReportingPolicy& policy) {
+  net::TestReportingContext context(policy);
+  net::ReportingHeaderParser::ParseHeader(&context, kUrl_, data.c_str());
+  std::vector<const net::ReportingClient*> clients;
+  context.cache()->GetClients(&clients);
+  if (clients.empty()) {
+    return;
+  }
+}
+
+void InitializeReportingPolicy(
+    net::ReportingPolicy& policy,
+    const net_reporting_policy_proto::ReportingPolicy& policy_data) {
+  policy.max_report_count = policy_data.max_report_count();
+  policy.max_client_count = policy_data.max_client_count();
+  policy.delivery_interval =
+      base::TimeDelta::FromMicroseconds(policy_data.delivery_interval_us());
+  policy.persistence_interval =
+      base::TimeDelta::FromMicroseconds(policy_data.persistence_interval_us());
+  policy.persist_reports_across_restarts =
+      policy_data.persist_reports_across_restarts();
+  policy.persist_clients_across_restarts =
+      policy_data.persist_clients_across_restarts();
+  policy.garbage_collection_interval = base::TimeDelta::FromMicroseconds(
+      policy_data.garbage_collection_interval_us());
+  policy.max_report_age =
+      base::TimeDelta::FromMicroseconds(policy_data.max_report_age_us());
+  policy.max_report_attempts = policy_data.max_report_attempts();
+  policy.clear_reports_on_network_changes =
+      policy_data.clear_reports_on_network_changes();
+  policy.clear_clients_on_network_changes =
+      policy_data.clear_clients_on_network_changes();
+}
+
+DEFINE_BINARY_PROTO_FUZZER(
+    const net_reporting_policy_proto::ReportingHeaderParserFuzzInput& input) {
+  net::ReportingPolicy policy;
+  InitializeReportingPolicy(policy, input.policy());
+
+  json_proto::JsonProtoConverter converter;
+  auto data = converter.Convert(input.headers());
+
+  FuzzReportingHeaderParser(data, policy);
+}
+
+}  // namespace net_reporting_header_parser_fuzzer

net/reporting/reporting_policy.proto

+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Based on net::ReportingPolicy class declaration.
+
+syntax = "proto2";
+
+import "json.proto";
+
+package net_reporting_policy_proto;
+
+message ReportingPolicy {
+  // TODO: consider implementing proto for endpoint_backoff_policy.
+  required uint64 max_report_count = 1;
+  required uint64 max_client_count = 2;
+  required uint64 delivery_interval_us = 3;
+  required uint64 persistence_interval_us = 4;
+  required bool persist_reports_across_restarts = 5;
+  required bool persist_clients_across_restarts = 6;
+  required uint64 garbage_collection_interval_us = 7;
+  required uint64 max_report_age_us = 8;
+  required int32 max_report_attempts = 9;
+  required bool clear_reports_on_network_changes = 10;
+  required bool clear_clients_on_network_changes = 11;
+}
+
+message ReportingHeaderParserFuzzInput {
+  required ReportingPolicy policy = 1;
+  required json_proto.JsonObject headers = 2;
+}

testing/libfuzzer/proto/json_proto_converter.h

@@ -5,7 +5,7 @@
 #ifndef TESTING_LIBFUZZER_PROTO_JSON_PROTO_CONVERTER_H
 #define TESTING_LIBFUZZER_PROTO_JSON_PROTO_CONVERTER_H
 
-#include "testing/libfuzzer/proto/json.pb.h"
+#include "json.pb.h"
 
 #include <sstream>
 #include <string>

third_party/libprotobuf-mutator/OWNERS

 kcc@chromium.org
+metzman@chromium.org
+mmoroz@chromium.org
 vitalybuka@chromium.org