Call mutators and check serialization in net_parse_cookie_line_fuzzer

This CL improves the fuzzer coverage of ParsedCookie's mutator methods (SetName, SetValue, etc.). It also adds a check for the property that serializing, deserializing, and then reserializing a valid cookie produces the same cookie line both times. Change-Id: If2db605195daf2a7e77a8dded4b391281eb83c21 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1643754Reviewed-by: Maks Orlovich <morlovich@chromium.org> Commit-Queue: Dan McArdle <dmcardle@chromium.org> Cr-Commit-Position: refs/heads/master@{#666287}

Call mutators and check serialization in net_parse_cookie_line_fuzzer
This CL improves the fuzzer coverage of ParsedCookie's mutator methods (SetName, SetValue, etc.). It also adds a check for the property that serializing, deserializing, and then reserializing a valid cookie produces the same cookie line both times. Change-Id: If2db605195daf2a7e77a8dded4b391281eb83c21 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1643754Reviewed-by: Maks Orlovich <morlovich@chromium.org> Commit-Queue: Dan McArdle <dmcardle@chromium.org> Cr-Commit-Position: refs/heads/master@{#666287}
c8101e8d · Daniel McArdle · Commit Bot · 283cf37a · c8101e8d
Commit c8101e8d authored Jun 05, 2019 by Daniel McArdle Committed by Commit Bot Jun 05, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 58 additions and 2 deletions

net/cookies/parse_cookie_line_fuzzer.cc net/cookies/parse_cookie_line_fuzzer.cc +58 -2

No files found.
--- a/net/cookies/parse_cookie_line_fuzzer.cc
+++ b/net/cookies/parse_cookie_line_fuzzer.cc
@@ -5,11 +5,67 @@
 #include <stddef.h>
 #include <stdint.h>

+#include "base/logging.h"
+#include "base/test/fuzzed_data_provider.h"
 #include "net/cookies/parsed_cookie.h"

+const std::string GetArbitraryString(base::FuzzedDataProvider* data_provider) {
+  // Adding a fudge factor to kMaxCookieSize so that both branches of the bounds
+  // detection code will be tested.
+  return data_provider->ConsumeRandomLengthString(
+      net::ParsedCookie::kMaxCookieSize + 10);
+}
+
 // Entry point for LibFuzzer.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-  std::string input(data, data + size);
-  net::ParsedCookie parsed_cookie(input);
+  base::FuzzedDataProvider data_provider(data, size);
+  const std::string cookie_line = GetArbitraryString(&data_provider);
+  net::ParsedCookie parsed_cookie(cookie_line);
+
+  // Call zero or one of ParsedCookie's mutator methods.
+  switch (data_provider.ConsumeIntegralInRange(0, 10)) {
+    case 0:
+      break;
+    case 1:
+      parsed_cookie.SetName(GetArbitraryString(&data_provider));
+      break;
+    case 2:
+      parsed_cookie.SetValue(GetArbitraryString(&data_provider));
+      break;
+    case 3:
+      parsed_cookie.SetPath(GetArbitraryString(&data_provider));
+      break;
+    case 4:
+      parsed_cookie.SetDomain(GetArbitraryString(&data_provider));
+      break;
+    case 5:
+      parsed_cookie.SetExpires(GetArbitraryString(&data_provider));
+      break;
+    case 6:
+      parsed_cookie.SetMaxAge(GetArbitraryString(&data_provider));
+      break;
+    case 7:
+      parsed_cookie.SetIsSecure(data_provider.ConsumeBool());
+      break;
+    case 8:
+      parsed_cookie.SetIsHttpOnly(data_provider.ConsumeBool());
+      break;
+    case 9:
+      parsed_cookie.SetSameSite(GetArbitraryString(&data_provider));
+      break;
+    case 10:
+      parsed_cookie.SetPriority(GetArbitraryString(&data_provider));
+      break;
+  }
+
+  // Check that serialize/deserialize inverse property holds for valid cookies.
+  if (parsed_cookie.IsValid()) {
+    const std::string serialized = parsed_cookie.ToCookieLine();
+    net::ParsedCookie reparsed_cookie(serialized);
+    const std::string reserialized = reparsed_cookie.ToCookieLine();
+    CHECK(reparsed_cookie.IsValid());
+    CHECK_EQ(serialized, reserialized);
+  }
+
  return 0;
 }