poco: XML parsers fuzzing (#12214)

tyler92 · web-flow · commit 0175f1aa58e8 · 2024-08-05T23:04:50.000+01:00
New fuzzing target for Poco::XML library: DOMParser, SAXParser and
XMLStreamParser.
diff --git a/projects/poco/Dockerfile b/projects/poco/Dockerfile
@@ -21,4 +21,6 @@ RUN git clone --depth 1 https://github.com/pocoproject/poco
 WORKDIR $SRC/poco
 COPY build.sh \
      json_parse_fuzzer.cc \
+     xml_parse_fuzzer.cc \
+     xml.dict \
      $SRC/
diff --git a/projects/poco/build.sh b/projects/poco/build.sh
@@ -35,3 +35,18 @@ $CXX $CXXFLAGS $LIB_FUZZING_ENGINE json_fuzzer.o \
     ./lib/libPocoJSON.a \
     ./lib/libPocoFoundation.a \
     -o $OUT/json_parser_fuzzer -lpthread -ldl -lrt
+
+$CXX $CXXFLAGS -DPOCO_HAVE_FD_EPOLL -DPOCO_OS_FAMILY_UNIX \
+    -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE \
+    -D_REENTRANT -D_THREAD_SAFE -D_XOPEN_SOURCE=500 \
+    -I/src/poco/XML/include \
+    -I/src/poco/Foundation/include \
+    -O2 -g -DNDEBUG -std=c++17 \
+    -o xml_fuzzer.o -c $SRC/xml_parse_fuzzer.cc
+
+$CXX $CXXFLAGS $LIB_FUZZING_ENGINE xml_fuzzer.o \
+    ./lib/libPocoXML.a \
+    ./lib/libPocoFoundation.a \
+    -o $OUT/xml_parser_fuzzer -lpthread -ldl -lrt
+
+cp $SRC/xml.dict $OUT/xml_parser_fuzzer.dict
diff --git a/projects/poco/xml.dict b/projects/poco/xml.dict
@@ -0,0 +1,116 @@
+attr_encoding=" encoding=\"1\""
+attr_generic=" a=\"1\""
+attr_href=" href=\"1\""
+attr_standalone=" standalone=\"no\""
+attr_version=" version=\"1\""
+attr_xml_base=" xml:base=\"1\""
+attr_xml_id=" xml:id=\"1\""
+attr_xml_lang=" xml:lang=\"1\""
+attr_xml_space=" xml:space=\"1\""
+attr_xmlns=" xmlns=\"1\""
+
+entity_builtin="&lt;"
+entity_decimal="&#1;"
+entity_external="&a;"
+entity_hex="&#x1;"
+
+# keywords
+"ANY"
+"ATTLIST"
+"CDATA"
+"DOCTYPE"
+"ELEMENT"
+"EMPTY"
+"ENTITIES"
+"ENTITY"
+"FIXED"
+"ID"
+"IDREF"
+"IDREFS"
+"IGNORE"
+"IMPLIED"
+"INCLUDE"
+"NDATA"
+"NMTOKEN"
+"NMTOKENS"
+"NOTATION"
+"PCDATA"
+"PUBLIC"
+"REQUIRED"
+"SYSTEM"
+
+# Various tag parts
+"<"
+">"
+"/>"
+"</"
+"<?"
+"?>"
+"<!"
+"!>"
+"[]"
+"]]"
+"<![CDATA["
+"<![CDATA[]]>"
+"\"\""
+"''"
+"=\"\""
+"=''"
+
+# DTD
+"<!ATTLIST"
+"<!DOCTYPE"
+"<!ELEMENT"
+"<!ENTITY"
+"<![IGNORE["
+"<![INCLUDE["
+"<!NOTATION"
+"#CDATA"
+"#FIXED"
+"#IMPLIED"
+"#PCDATA"
+"#REQUIRED"
+
+# Encodings
+"ISO-8859-1"
+"US-ASCII"
+"UTF-8"
+"UTF-16"
+"UTF-16BE"
+"UTF-16LE"
+
+# Namespaces and schemas
+"xmlns"
+"xmlns:"
+"xmlns:xhtml=\"http://www.w3.org/1999/xhtml\""
+"xmlns:xml=\"http://www.w3.org/XML/1998/namespace\""
+"xmlns:xmlns=\"http://www.w3.org/2000/xmlns\""
+
+string_col_fallback=":fallback"
+string_col_generic=":a"
+string_col_include=":include"
+string_dashes="--"
+string_parentheses="()"
+string_percent="%a"
+string_schema=":schema"
+string_ucs4="UCS-4"
+tag_close="</a>"
+tag_open="<a>"
+tag_open_close="<a />"
+
+
+"<?xml?>"
+"http://docboo"
+"http://www.w"
+"he30"
+"he2"
+"IET"
+"FDF-10"
+"aDUCS-4OPveb:"
+"a>"
+"UT"
+"xMl"
+"/usr/share/sg"
+"ha07"
+"http://www.oa"
+"cle"
diff --git a/projects/poco/xml_parse_fuzzer.cc b/projects/poco/xml_parse_fuzzer.cc
@@ -0,0 +1,88 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "Poco/AutoPtr.h"
+#include "Poco/DOM/DOMParser.h"
+#include "Poco/DOM/Document.h"
+#include "Poco/SAX/DefaultHandler.h"
+#include "Poco/SAX/SAXParser.h"
+#include "Poco/XML/XMLStreamParser.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  using namespace Poco::XML;
+
+  std::string xml(reinterpret_cast<const char *>(data), size);
+
+  // SAX Parser
+
+  SAXParser saxParser;
+  std::uint8_t saxFeatures = size > 0 ? data[size - 1] : 0;
+
+  DefaultHandler defHandler;
+  saxParser.setContentHandler(&defHandler);
+  saxParser.setDTDHandler(&defHandler);
+  saxParser.setErrorHandler(&defHandler);
+  saxParser.setEntityResolver(&defHandler);
+
+  for (const auto feature : {
+           XMLReader::FEATURE_EXTERNAL_GENERAL_ENTITIES,
+           XMLReader::FEATURE_EXTERNAL_PARAMETER_ENTITIES,
+           XMLReader::FEATURE_NAMESPACES,
+           XMLReader::FEATURE_NAMESPACE_PREFIXES,
+           SAXParser::FEATURE_PARTIAL_READS,
+       }) {
+    saxParser.setFeature(feature, saxFeatures & 0x01);
+    saxFeatures >>= 1;
+  }
+
+  try {
+    saxParser.parseString(xml);
+  } catch (const std::exception &) {
+  }
+
+  // DOM Parser
+
+  DOMParser domParser;
+  std::uint8_t domFeatures = size > 0 ? data[size - 1] : 0;
+
+  for (const auto feature : {
+           XMLReader::FEATURE_EXTERNAL_GENERAL_ENTITIES,
+           XMLReader::FEATURE_EXTERNAL_PARAMETER_ENTITIES,
+           XMLReader::FEATURE_NAMESPACES,
+           XMLReader::FEATURE_NAMESPACE_PREFIXES,
+           DOMParser::FEATURE_FILTER_WHITESPACE,
+       }) {
+    domParser.setFeature(feature, domFeatures & 0x01);
+    domFeatures >>= 1;
+  }
+
+  try {
+    Poco::AutoPtr<Document> doc = domParser.parseString(xml);
+  } catch (const std::exception &) {
+  }
+
+  // Stream Parser
+
+  std::istringstream stream(xml);
+
+  try {
+    XMLStreamParser streamParser(stream, "fuzz");
+    for (XMLStreamParser::EventType e : streamParser) {
+      streamParser.getQName().toString();
+    }
+  } catch (const std::exception &) {
+  }
+
+  return 0;
+}
