LCOV - code coverage report
Current view: top level - src/test/fuzz - http_request.cpp (source / functions) Hit Total Coverage
Test: fuzz_coverage.info Lines: 3 33 9.1 %
Date: 2023-09-26 12:08:55 Functions: 3 4 75.0 % 

          Line data    Source code
       1             : // Copyright (c) 2020-2022 The Bitcoin Core developers
       2             : // Distributed under the MIT software license, see the accompanying
       3             : // file COPYING or http://www.opensource.org/licenses/mit-license.php.
       4             : 
       5             : #include <httpserver.h>
       6             : #include <netaddress.h>
       7             : #include <test/fuzz/FuzzedDataProvider.h>
       8             : #include <test/fuzz/fuzz.h>
       9             : #include <test/fuzz/util.h>
      10             : #include <util/strencodings.h>
      11             : 
      12             : #include <event2/buffer.h>
      13             : #include <event2/event.h>
      14             : #include <event2/http.h>
      15             : #include <event2/http_struct.h>
      16             : 
      17             : #include <cassert>
      18             : #include <cstdint>
      19             : #include <string>
      20             : #include <vector>
      21             : 
      22             : extern "C" int evhttp_parse_firstline_(struct evhttp_request*, struct evbuffer*);
      23             : extern "C" int evhttp_parse_headers_(struct evhttp_request*, struct evbuffer*);
      24             : 
      25           2 : std::string RequestMethodString(HTTPRequest::RequestMethod m);
      26             : 
      27           4 : FUZZ_TARGET(http_request)
      28             : {
      29           0 :     FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
      30           0 :     evhttp_request* evreq = evhttp_request_new(nullptr, nullptr);
      31           0 :     assert(evreq != nullptr);
      32           0 :     evreq->kind = EVHTTP_REQUEST;
      33           0 :     evbuffer* evbuf = evbuffer_new();
      34           0 :     assert(evbuf != nullptr);
      35           0 :     const std::vector<uint8_t> http_buffer = ConsumeRandomLengthByteVector(fuzzed_data_provider, 4096);
      36           0 :     evbuffer_add(evbuf, http_buffer.data(), http_buffer.size());
      37             :     // Avoid constructing requests that will be interpreted by libevent as PROXY requests to avoid triggering
      38             :     // a nullptr dereference. The dereference (req->evcon->http_server) takes place in evhttp_parse_request_line
      39             :     // and is a consequence of our hacky but necessary use of the internal function evhttp_parse_firstline_ in
      40             :     // this fuzzing harness. The workaround is not aesthetically pleasing, but it successfully avoids the troublesome
      41             :     // code path. " http:// HTTP/1.1\n" was a crashing input prior to this workaround.
      42           0 :     const std::string http_buffer_str = ToLower(std::string{http_buffer.begin(), http_buffer.end()});
      43           0 :     if (http_buffer_str.find(" http://") != std::string::npos || http_buffer_str.find(" https://") != std::string::npos ||
      44           0 :         evhttp_parse_firstline_(evreq, evbuf) != 1 || evhttp_parse_headers_(evreq, evbuf) != 1) {
      45           0 :         evbuffer_free(evbuf);
      46           0 :         evhttp_request_free(evreq);
      47           0 :         return;
      48             :     }
      49             : 
      50           0 :     HTTPRequest http_request{evreq, true};
      51           0 :     const HTTPRequest::RequestMethod request_method = http_request.GetRequestMethod();
      52           0 :     (void)RequestMethodString(request_method);
      53           0 :     (void)http_request.GetURI();
      54           0 :     (void)http_request.GetHeader("Host");
      55           0 :     const std::string header = fuzzed_data_provider.ConsumeRandomLengthString(16);
      56           0 :     (void)http_request.GetHeader(header);
      57           0 :     (void)http_request.WriteHeader(header, fuzzed_data_provider.ConsumeRandomLengthString(16));
      58           0 :     (void)http_request.GetHeader(header);
      59           0 :     const std::string body = http_request.ReadBody();
      60           0 :     assert(body.empty());
      61           0 :     const CService service = http_request.GetPeer();
      62           0 :     assert(service.ToStringAddrPort() == "[::]:0");
      63             : 
      64           0 :     evbuffer_free(evbuf);
      65           0 :     evhttp_request_free(evreq);
      66           0 : }

Generated by: LCOV version 1.14