├── LICENSE ├── README.md ├── bytesource └── bytesource.go ├── consumer.go ├── consumer_test.go ├── funcs.go ├── funcs_test.go ├── go.mod ├── go.sum ├── sql.go └── sql_test.go /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 
34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # go-fuzz-headers 2 | This repository contains various helper functions for go fuzzing. It is mostly used in combination with [go-fuzz](https://github.com/dvyukov/go-fuzz), but compatibility with fuzzing in the standard library will also be supported. Any coverage guided fuzzing engine that provides an array or slice of bytes can be used with go-fuzz-headers. 3 | 4 | 5 | ## Usage 6 | Using go-fuzz-headers is easy. First create a new consumer with the bytes provided by the fuzzing engine: 7 | 8 | ```go 9 | import ( 10 | fuzz "github.com/AdaLogics/go-fuzz-headers" 11 | ) 12 | data := []byte{'R', 'a', 'n', 'd', 'o', 'm'} 13 | f := fuzz.NewConsumer(data) 14 | 15 | ``` 16 | 17 | This creates a `Consumer` that consumes the bytes of the input as it uses them to fuzz different types. 18 | 19 | After that, `f` can be used to easily create fuzzed instances of different types. 
Below are some examples: 20 | 21 | ### Structs 22 | One of the most useful features of go-fuzz-headers is its ability to fill structs with the data provided by the fuzzing engine. This is done with a single line: 23 | ```go 24 | type Person struct { 25 | Name string 26 | Age int 27 | } 28 | p := Person{} 29 | // Fill p with values based on the data provided by the fuzzing engine: 30 | err := f.GenerateStruct(&p) 31 | ``` 32 | 33 | This includes nested structs too. In this example, the fuzz Consumer will also insert values in `p.BestFriend`: 34 | ```go 35 | type PersonI struct { 36 | Name string 37 | Age int 38 | BestFriend PersonII 39 | } 40 | type PersonII struct { 41 | Name string 42 | Age int 43 | } 44 | p := PersonI{} 45 | err := f.GenerateStruct(&p) 46 | ``` 47 | 48 | If the consumer should insert values for unexported fields as well as exported, this can be enabled with: 49 | 50 | ```go 51 | f.AllowUnexportedFields() 52 | ``` 53 | 54 | ...and disabled with: 55 | 56 | ```go 57 | f.DisallowUnexportedFields() 58 | ``` 59 | 60 | ### Other types: 61 | 62 | Other useful APIs: 63 | 64 | ```go 65 | createdString, err := f.GetString() // Gets a string 66 | createdInt, err := f.GetInt() // Gets an integer 67 | createdByte, err := f.GetByte() // Gets a byte 68 | createdBytes, err := f.GetBytes() // Gets a byte slice 69 | createdBool, err := f.GetBool() // Gets a boolean 70 | err := f.FuzzMap(target_map) // Fills a map 71 | createdTarBytes, err := f.TarBytes() // Gets bytes of a valid tar archive 72 | err := f.CreateFiles(inThisDir) // Fills inThisDir with files 73 | createdString, err := f.GetStringFrom("anyCharInThisString", ofThisLength) // Gets a string that consists of chars from "anyCharInThisString" and has the exact length "ofThisLength" 74 | ``` 75 | 76 | Most APIs are added as they are needed. 
77 | 78 | ## Projects that use go-fuzz-headers 79 | - [runC](https://github.com/opencontainers/runc) 80 | - [Istio](https://github.com/istio/istio) 81 | - [Vitess](https://github.com/vitessio/vitess) 82 | - [Containerd](https://github.com/containerd/containerd) 83 | 84 | Feel free to add your own project to the list, if you use go-fuzz-headers to fuzz it. 85 | 86 | 87 | 88 | 89 | ## Status 90 | The project is under development and will be updated regularly. 91 | 92 | ## References 93 | go-fuzz-headers' approach to fuzzing structs is strongly inspired by [gofuzz](https://github.com/google/gofuzz). -------------------------------------------------------------------------------- /bytesource/bytesource.go: -------------------------------------------------------------------------------- 1 | // Copyright 2023 The go-fuzz-headers Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package bytesource 16 | 17 | import ( 18 | "bytes" 19 | "encoding/binary" 20 | "io" 21 | "math/rand" 22 | ) 23 | 24 | type ByteSource struct { 25 | *bytes.Reader 26 | fallback rand.Source 27 | } 28 | 29 | // New returns a new ByteSource from a given slice of bytes. 
// Once the input is exhausted, values come from a math/rand fallback source
// seeded with the first eight input bytes (or with 0 when input is empty).
func New(input []byte) *ByteSource {
	src := &ByteSource{
		Reader:   bytes.NewReader(input),
		fallback: rand.NewSource(0),
	}
	if len(input) == 0 {
		return src
	}
	// Re-seed from the data itself so the fallback stream is a deterministic
	// function of the fuzz input.
	src.fallback = rand.NewSource(int64(src.consumeUint64()))
	return src
}

// Uint64 returns the next (up to) eight input bytes decoded big-endian, or a
// value from the fallback source once the input has been used up.
func (s *ByteSource) Uint64() uint64 {
	if s.Len() > 0 {
		return s.consumeUint64()
	}
	// Input exhausted: prefer the fallback's 64-bit output (the current
	// math/rand source is expected to implement rand.Source64); otherwise
	// widen Int63.
	switch fb := s.fallback.(type) {
	case rand.Source64:
		return fb.Uint64()
	default:
		return uint64(fb.Int63())
	}
}

// Int63 derives a non-negative int64 from Uint64 by dropping its top bit.
func (s *ByteSource) Int63() int64 {
	return int64(s.Uint64() >> 1)
}

// Seed discards any unread input and re-seeds the fallback source, so every
// later value is produced by math/rand from seed.
func (s *ByteSource) Seed(seed int64) {
	s.Reader = bytes.NewReader(nil)
	s.fallback = rand.NewSource(seed)
}

// consumeUint64 reads up to 8 bytes from the input and decodes them as a
// big-endian uint64. A short read leaves the unread tail of the buffer zero,
// so fewer than 8 remaining bytes still yield a value; io.EOF is tolerated
// and only an unexpected read error panics.
func (s *ByteSource) consumeUint64() uint64 {
	var buf [8]byte
	if _, err := s.Read(buf[:]); err != nil && err != io.EOF {
		panic("failed reading source") // Should not happen.
	}
	return binary.BigEndian.Uint64(buf[:])
}
--------------------------------------------------------------------------------
/consumer.go:
--------------------------------------------------------------------------------
// Copyright 2023 The go-fuzz-headers Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package gofuzzheaders 16 | 17 | import ( 18 | "archive/tar" 19 | "bytes" 20 | "encoding/binary" 21 | "errors" 22 | "fmt" 23 | "io" 24 | "math" 25 | "os" 26 | "path/filepath" 27 | "reflect" 28 | "strconv" 29 | "strings" 30 | "time" 31 | "unsafe" 32 | ) 33 | 34 | var ( 35 | MaxTotalLen uint32 = 2000000 36 | maxDepth = 100 37 | ) 38 | 39 | func SetMaxTotalLen(newLen uint32) { 40 | MaxTotalLen = newLen 41 | } 42 | 43 | type ConsumeFuzzer struct { 44 | data []byte 45 | dataTotal uint32 46 | CommandPart []byte 47 | RestOfArray []byte 48 | NumberOfCalls int 49 | position uint32 50 | fuzzUnexportedFields bool 51 | forceUTF8Strings bool 52 | curDepth int 53 | Funcs map[reflect.Type]reflect.Value 54 | } 55 | 56 | func IsDivisibleBy(n int, divisibleby int) bool { 57 | return (n % divisibleby) == 0 58 | } 59 | 60 | func NewConsumer(fuzzData []byte) *ConsumeFuzzer { 61 | return &ConsumeFuzzer{ 62 | data: fuzzData, 63 | dataTotal: uint32(len(fuzzData)), 64 | Funcs: make(map[reflect.Type]reflect.Value), 65 | curDepth: 0, 66 | } 67 | } 68 | 69 | func (f *ConsumeFuzzer) Split(minCalls, maxCalls int) error { 70 | if f.dataTotal == 0 { 71 | return errors.New("could not split") 72 | } 73 | numberOfCalls := int(f.data[0]) 74 | if numberOfCalls < minCalls || numberOfCalls > maxCalls { 75 | return errors.New("bad number of calls") 76 | } 77 | if int(f.dataTotal) < numberOfCalls+numberOfCalls+1 { 78 | return errors.New("length of data does not match required parameters") 79 | } 80 | 81 | // Define part 2 and 3 of the data array 82 
| commandPart := f.data[1 : numberOfCalls+1] 83 | restOfArray := f.data[numberOfCalls+1:] 84 | 85 | // Just a small check. It is necessary 86 | if len(commandPart) != numberOfCalls { 87 | return errors.New("length of commandPart does not match number of calls") 88 | } 89 | 90 | // Check if restOfArray is divisible by numberOfCalls 91 | if !IsDivisibleBy(len(restOfArray), numberOfCalls) { 92 | return errors.New("length of commandPart does not match number of calls") 93 | } 94 | f.CommandPart = commandPart 95 | f.RestOfArray = restOfArray 96 | f.NumberOfCalls = numberOfCalls 97 | return nil 98 | } 99 | 100 | func (f *ConsumeFuzzer) AllowUnexportedFields() { 101 | f.fuzzUnexportedFields = true 102 | } 103 | 104 | func (f *ConsumeFuzzer) DisallowUnexportedFields() { 105 | f.fuzzUnexportedFields = false 106 | } 107 | 108 | func (f *ConsumeFuzzer) AllowNonUTF8Strings() { 109 | f.forceUTF8Strings = false 110 | } 111 | 112 | func (f *ConsumeFuzzer) DisallowNonUTF8Strings() { 113 | f.forceUTF8Strings = true 114 | } 115 | 116 | func (f *ConsumeFuzzer) GenerateStruct(targetStruct interface{}) error { 117 | e := reflect.ValueOf(targetStruct).Elem() 118 | return f.fuzzStruct(e, false) 119 | } 120 | 121 | func (f *ConsumeFuzzer) setCustom(v reflect.Value) error { 122 | // First: see if we have a fuzz function for it. 
123 | doCustom, ok := f.Funcs[v.Type()] 124 | if !ok { 125 | return fmt.Errorf("could not find a custom function") 126 | } 127 | 128 | switch v.Kind() { 129 | case reflect.Ptr: 130 | if v.IsNil() { 131 | if !v.CanSet() { 132 | return fmt.Errorf("could not use a custom function") 133 | } 134 | v.Set(reflect.New(v.Type().Elem())) 135 | } 136 | case reflect.Map: 137 | if v.IsNil() { 138 | if !v.CanSet() { 139 | return fmt.Errorf("could not use a custom function") 140 | } 141 | v.Set(reflect.MakeMap(v.Type())) 142 | } 143 | default: 144 | return fmt.Errorf("could not use a custom function") 145 | } 146 | 147 | verr := doCustom.Call([]reflect.Value{v, reflect.ValueOf(Continue{ 148 | F: f, 149 | })}) 150 | 151 | // check if we return an error 152 | if verr[0].IsNil() { 153 | return nil 154 | } 155 | return fmt.Errorf("could not use a custom function") 156 | } 157 | 158 | func (f *ConsumeFuzzer) fuzzStruct(e reflect.Value, customFunctions bool) error { 159 | if f.curDepth >= maxDepth { 160 | // return err or nil here? 
161 | return nil 162 | } 163 | f.curDepth++ 164 | defer func() { f.curDepth-- }() 165 | 166 | // We check if we should check for custom functions 167 | if customFunctions && e.IsValid() && e.CanAddr() { 168 | err := f.setCustom(e.Addr()) 169 | if err != nil { 170 | return err 171 | } 172 | } 173 | 174 | switch e.Kind() { 175 | case reflect.Struct: 176 | for i := 0; i < e.NumField(); i++ { 177 | var v reflect.Value 178 | if !e.Field(i).CanSet() { 179 | if f.fuzzUnexportedFields { 180 | v = reflect.NewAt(e.Field(i).Type(), unsafe.Pointer(e.Field(i).UnsafeAddr())).Elem() 181 | } 182 | if err := f.fuzzStruct(v, customFunctions); err != nil { 183 | return err 184 | } 185 | } else { 186 | v = e.Field(i) 187 | if err := f.fuzzStruct(v, customFunctions); err != nil { 188 | return err 189 | } 190 | } 191 | } 192 | case reflect.String: 193 | str, err := f.GetString() 194 | if err != nil { 195 | return err 196 | } 197 | if e.CanSet() { 198 | e.SetString(str) 199 | } 200 | case reflect.Slice: 201 | var maxElements uint32 202 | // Byte slices should not be restricted 203 | if e.Type().String() == "[]uint8" { 204 | maxElements = 10000000 205 | } else { 206 | maxElements = 50 207 | } 208 | 209 | randQty, err := f.GetUint32() 210 | if err != nil { 211 | return err 212 | } 213 | numOfElements := randQty % maxElements 214 | if (f.dataTotal - f.position) < numOfElements { 215 | numOfElements = f.dataTotal - f.position 216 | } 217 | 218 | uu := reflect.MakeSlice(e.Type(), int(numOfElements), int(numOfElements)) 219 | 220 | for i := 0; i < int(numOfElements); i++ { 221 | // If we have more than 10, then we can proceed with that. 
222 | if err := f.fuzzStruct(uu.Index(i), customFunctions); err != nil { 223 | if i >= 10 { 224 | if e.CanSet() { 225 | e.Set(uu) 226 | } 227 | return nil 228 | } else { 229 | return err 230 | } 231 | } 232 | } 233 | if e.CanSet() { 234 | e.Set(uu) 235 | } 236 | case reflect.Uint: 237 | newInt, err := f.GetUint() 238 | if err != nil { 239 | return err 240 | } 241 | if e.CanSet() { 242 | e.SetUint(uint64(newInt)) 243 | } 244 | case reflect.Uint16: 245 | newInt, err := f.GetUint16() 246 | if err != nil { 247 | return err 248 | } 249 | if e.CanSet() { 250 | e.SetUint(uint64(newInt)) 251 | } 252 | case reflect.Uint32: 253 | newInt, err := f.GetUint32() 254 | if err != nil { 255 | return err 256 | } 257 | if e.CanSet() { 258 | e.SetUint(uint64(newInt)) 259 | } 260 | case reflect.Uint64: 261 | newInt, err := f.GetInt() 262 | if err != nil { 263 | return err 264 | } 265 | if e.CanSet() { 266 | e.SetUint(uint64(newInt)) 267 | } 268 | case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64: 269 | newInt, err := f.GetInt() 270 | if err != nil { 271 | return err 272 | } 273 | if e.CanSet() { 274 | e.SetInt(int64(newInt)) 275 | } 276 | case reflect.Float32: 277 | newFloat, err := f.GetFloat32() 278 | if err != nil { 279 | return err 280 | } 281 | if e.CanSet() { 282 | e.SetFloat(float64(newFloat)) 283 | } 284 | case reflect.Float64: 285 | newFloat, err := f.GetFloat64() 286 | if err != nil { 287 | return err 288 | } 289 | if e.CanSet() { 290 | e.SetFloat(float64(newFloat)) 291 | } 292 | case reflect.Map: 293 | if e.CanSet() { 294 | e.Set(reflect.MakeMap(e.Type())) 295 | const maxElements = 50 296 | randQty, err := f.GetInt() 297 | if err != nil { 298 | return err 299 | } 300 | numOfElements := randQty % maxElements 301 | for i := 0; i < numOfElements; i++ { 302 | key := reflect.New(e.Type().Key()).Elem() 303 | if err := f.fuzzStruct(key, customFunctions); err != nil { 304 | return err 305 | } 306 | val := reflect.New(e.Type().Elem()).Elem() 307 | if err = 
f.fuzzStruct(val, customFunctions); err != nil { 308 | return err 309 | } 310 | e.SetMapIndex(key, val) 311 | } 312 | } 313 | case reflect.Ptr: 314 | if e.CanSet() { 315 | e.Set(reflect.New(e.Type().Elem())) 316 | if err := f.fuzzStruct(e.Elem(), customFunctions); err != nil { 317 | return err 318 | } 319 | return nil 320 | } 321 | case reflect.Uint8: 322 | b, err := f.GetByte() 323 | if err != nil { 324 | return err 325 | } 326 | if e.CanSet() { 327 | e.SetUint(uint64(b)) 328 | } 329 | case reflect.Bool: 330 | b, err := f.GetBool() 331 | if err != nil { 332 | return err 333 | } 334 | if e.CanSet() { 335 | e.SetBool(b) 336 | } 337 | } 338 | return nil 339 | } 340 | 341 | func (f *ConsumeFuzzer) GetStringArray() (reflect.Value, error) { 342 | // The max size of the array: 343 | const max uint32 = 20 344 | 345 | arraySize := f.position 346 | if arraySize > max { 347 | arraySize = max 348 | } 349 | stringArray := reflect.MakeSlice(reflect.SliceOf(reflect.TypeOf("string")), int(arraySize), int(arraySize)) 350 | if f.position+arraySize >= f.dataTotal { 351 | return stringArray, errors.New("could not make string array") 352 | } 353 | 354 | for i := 0; i < int(arraySize); i++ { 355 | stringSize := uint32(f.data[f.position]) 356 | if f.position+stringSize >= f.dataTotal { 357 | return stringArray, nil 358 | } 359 | stringToAppend := string(f.data[f.position : f.position+stringSize]) 360 | strVal := reflect.ValueOf(stringToAppend) 361 | stringArray = reflect.Append(stringArray, strVal) 362 | f.position += stringSize 363 | } 364 | return stringArray, nil 365 | } 366 | 367 | func (f *ConsumeFuzzer) GetInt() (int, error) { 368 | if f.position >= f.dataTotal { 369 | return 0, errors.New("not enough bytes to create int") 370 | } 371 | returnInt := int(f.data[f.position]) 372 | f.position++ 373 | return returnInt, nil 374 | } 375 | 376 | func (f *ConsumeFuzzer) GetByte() (byte, error) { 377 | if f.position >= f.dataTotal { 378 | return 0x00, errors.New("not enough bytes to get 
byte") 379 | } 380 | returnByte := f.data[f.position] 381 | f.position++ 382 | return returnByte, nil 383 | } 384 | 385 | func (f *ConsumeFuzzer) GetNBytes(numberOfBytes int) ([]byte, error) { 386 | if f.position >= f.dataTotal { 387 | return nil, errors.New("not enough bytes to get byte") 388 | } 389 | returnBytes := make([]byte, 0, numberOfBytes) 390 | for i := 0; i < numberOfBytes; i++ { 391 | newByte, err := f.GetByte() 392 | if err != nil { 393 | return nil, err 394 | } 395 | returnBytes = append(returnBytes, newByte) 396 | } 397 | return returnBytes, nil 398 | } 399 | 400 | func (f *ConsumeFuzzer) GetUint16() (uint16, error) { 401 | u16, err := f.GetNBytes(2) 402 | if err != nil { 403 | return 0, err 404 | } 405 | littleEndian, err := f.GetBool() 406 | if err != nil { 407 | return 0, err 408 | } 409 | if littleEndian { 410 | return binary.LittleEndian.Uint16(u16), nil 411 | } 412 | return binary.BigEndian.Uint16(u16), nil 413 | } 414 | 415 | func (f *ConsumeFuzzer) GetUint32() (uint32, error) { 416 | u32, err := f.GetNBytes(4) 417 | if err != nil { 418 | return 0, err 419 | } 420 | return binary.BigEndian.Uint32(u32), nil 421 | } 422 | 423 | func (f *ConsumeFuzzer) GetUint64() (uint64, error) { 424 | u64, err := f.GetNBytes(8) 425 | if err != nil { 426 | return 0, err 427 | } 428 | littleEndian, err := f.GetBool() 429 | if err != nil { 430 | return 0, err 431 | } 432 | if littleEndian { 433 | return binary.LittleEndian.Uint64(u64), nil 434 | } 435 | return binary.BigEndian.Uint64(u64), nil 436 | } 437 | 438 | func (f *ConsumeFuzzer) GetUint() (uint, error) { 439 | var zero uint 440 | size := int(unsafe.Sizeof(zero)) 441 | if size == 8 { 442 | u64, err := f.GetUint64() 443 | if err != nil { 444 | return 0, err 445 | } 446 | return uint(u64), nil 447 | } 448 | u32, err := f.GetUint32() 449 | if err != nil { 450 | return 0, err 451 | } 452 | return uint(u32), nil 453 | } 454 | 455 | func (f *ConsumeFuzzer) GetBytes() ([]byte, error) { 456 | var length uint32 457 
| var err error 458 | length, err = f.GetUint32() 459 | if err != nil { 460 | return nil, errors.New("not enough bytes to create byte array") 461 | } 462 | 463 | if length == 0 { 464 | length = 30 465 | } 466 | bytesLeft := f.dataTotal - f.position 467 | if bytesLeft <= 0 { 468 | return nil, errors.New("not enough bytes to create byte array") 469 | } 470 | 471 | // If the length is the same as bytes left, we will not overflow 472 | // the remaining bytes. 473 | if length != bytesLeft { 474 | length = length % bytesLeft 475 | } 476 | byteBegin := f.position 477 | if byteBegin+length < byteBegin { 478 | return nil, errors.New("numbers overflow") 479 | } 480 | f.position = byteBegin + length 481 | return f.data[byteBegin:f.position], nil 482 | } 483 | 484 | func (f *ConsumeFuzzer) GetString() (string, error) { 485 | if f.position >= f.dataTotal { 486 | return "nil", errors.New("not enough bytes to create string") 487 | } 488 | length, err := f.GetUint32() 489 | if err != nil { 490 | return "nil", errors.New("not enough bytes to create string") 491 | } 492 | if f.position > MaxTotalLen { 493 | return "nil", errors.New("created too large a string") 494 | } 495 | byteBegin := f.position 496 | if byteBegin >= f.dataTotal { 497 | return "nil", errors.New("not enough bytes to create string") 498 | } 499 | if byteBegin+length > f.dataTotal { 500 | return "nil", errors.New("not enough bytes to create string") 501 | } 502 | if byteBegin > byteBegin+length { 503 | return "nil", errors.New("numbers overflow") 504 | } 505 | f.position = byteBegin + length 506 | s := string(f.data[byteBegin:f.position]) 507 | if f.forceUTF8Strings { 508 | s = strings.ToValidUTF8(s, "") 509 | } 510 | return s, nil 511 | } 512 | 513 | func (f *ConsumeFuzzer) GetBool() (bool, error) { 514 | if f.position >= f.dataTotal { 515 | return false, errors.New("not enough bytes to create bool") 516 | } 517 | if IsDivisibleBy(int(f.data[f.position]), 2) { 518 | f.position++ 519 | return true, nil 520 | } else 
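{
		f.position++
		return false, nil
	}
}

// FuzzMap populates the map pointed to by m from the fuzzer input. It is a
// thin alias that delegates to GenerateStruct.
func (f *ConsumeFuzzer) FuzzMap(m interface{}) error {
	return f.GenerateStruct(m)
}

// validateTarFileCount gates the entry-count check in returnTarBytes. It is
// off, so returnTarBytes returns buf unchanged. Keeping the check behind a
// constant, rather than after an unconditional return, keeps it compiled
// and vet-clean (no unreachable code) until it is wanted again.
const validateTarFileCount = false

// returnTarBytes hands back a finished archive. When validateTarFileCount is
// set it parses buf first and rejects an archive that holds no entries; a
// malformed archive is reported with the tar reader's error.
func returnTarBytes(buf []byte) ([]byte, error) {
	if !validateTarFileCount {
		return buf, nil
	}
	// Count files
	var fileCounter int
	tr := tar.NewReader(bytes.NewReader(buf))
	for {
		_, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		fileCounter++
	}
	if fileCounter >= 1 {
		return buf, nil
	}
	return nil, fmt.Errorf("not enough files were created\n")
}

// setTarHeaderFormat picks one of the four tar.Format values from the next
// int of the fuzzer input. If no int can be read the header is marked
// tar.FormatGNU and the function returns at once, so the fallback is not
// overwritten by the switch on whatever value ind holds after a failed read.
// It never returns a non-nil error.
func setTarHeaderFormat(hdr *tar.Header, f *ConsumeFuzzer) error {
	ind, err := f.GetInt()
	if err != nil {
		hdr.Format = tar.FormatGNU
		return nil
	}
	switch ind % 4 {
	case 0:
		hdr.Format = tar.FormatUnknown
	case 1:
		hdr.Format = tar.FormatUSTAR
	case 2:
		hdr.Format = tar.FormatPAX
	case 3:
		hdr.Format = tar.FormatGNU
	}
	return nil
}

// setTarHeaderTypeflag selects hdr.Typeflag from the next int of the fuzzer
// input: ind % 13 picks one of the thirteen tar.Type* constants in the order
// listed below. Link and symlink entries additionally read a Linkname with
// GetString. An error from GetInt, or from reading the Linkname, is returned
// unchanged; a value matching no case (only possible when ind is negative)
// leaves hdr.Typeflag untouched.
func setTarHeaderTypeflag(hdr *tar.Header, f *ConsumeFuzzer) error {
	ind, err := f.GetInt()
	if err != nil {
		return err
	}
	switch ind % 13 {
	case 0:
		hdr.Typeflag = tar.TypeReg
	case 1:
		hdr.Typeflag = tar.TypeLink
		linkname, err := f.GetString()
		if err != nil {
			return err
		}
		hdr.Linkname = linkname
	case 2:
		hdr.Typeflag = tar.TypeSymlink
		linkname, err := f.GetString()
		if err != nil {
			return err
		}
		hdr.Linkname = linkname
	case 3:
		hdr.Typeflag = tar.TypeChar
	case 4:
		hdr.Typeflag = tar.TypeBlock
	case 5:
		hdr.Typeflag = tar.TypeDir
	case 6:
		hdr.Typeflag = tar.TypeFifo
	case 7:
		hdr.Typeflag = tar.TypeCont
	case 8:
		hdr.Typeflag = tar.TypeXHeader
	case 9:
		hdr.Typeflag = tar.TypeXGlobalHeader
	case 10:
		hdr.Typeflag = tar.TypeGNUSparse
	case 11:
		hdr.Typeflag = tar.TypeGNULongName
	case 12:
		hdr.Typeflag = tar.TypeGNULongLink
	}
	return nil
}

// createTarFileBody produces the body of one archive entry. It currently
// wraps GetBytes; the earlier length-bounded variant is kept below,
// commented out, for reference.
func (f *ConsumeFuzzer) createTarFileBody() ([]byte, error) {
	return f.GetBytes()
	/*length, err := f.GetUint32()
	if err != nil {
		return nil, errors.New("not enough bytes to create byte array")
	}

	// A bit of optimization to attempt to create a file body
	// when we don't have as many bytes left as "length"
	remainingBytes := f.dataTotal - f.position
	if remainingBytes <= 0 {
		return nil, errors.New("created too large a string")
	}
	if f.position+length > MaxTotalLen {
		return nil, errors.New("created too large a string")
	}
	byteBegin := f.position
	if byteBegin >= f.dataTotal {
		return nil, errors.New("not enough bytes to create byte array")
	}
	if length == 0 {
		return nil, errors.New("zero-length is not supported")
	}
	if byteBegin+length >= f.dataTotal {
		return nil, errors.New("not enough bytes to create byte array")
	}
	if byteBegin+length < byteBegin {
		return nil, errors.New("numbers overflow")
	}
	f.position = byteBegin + length
	return f.data[byteBegin:f.position], nil*/
}

// getTarFilename currently wraps GetString(). The earlier variant, kept
// commented out in its body, derived the string length from the remaining
// f.data to reduce the likelihood of overflowing f.data.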
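func (f *ConsumeFuzzer) getTarFilename() (string, error) {
	// Today this is a plain wrapper around GetString; the length-bounded
	// variant it replaced is kept below, commented out, for reference.
	return f.GetString()
	/*length, err := f.GetUint32()
	if err != nil {
		return "nil", errors.New("not enough bytes to create string")
	}

	// A bit of optimization to attempt to create a file name
	// when we don't have as many bytes left as "length"
	remainingBytes := f.dataTotal - f.position
	if remainingBytes <= 0 {
		return "nil", errors.New("created too large a string")
	}
	if f.position > MaxTotalLen {
		return "nil", errors.New("created too large a string")
	}
	byteBegin := f.position
	if byteBegin >= f.dataTotal {
		return "nil", errors.New("not enough bytes to create string")
	}
	if byteBegin+length > f.dataTotal {
		return "nil", errors.New("not enough bytes to create string")
	}
	if byteBegin > byteBegin+length {
		return "nil", errors.New("numbers overflow")
	}
	f.position = byteBegin + length
	return string(f.data[byteBegin:f.position]), nil*/
}

// TarFile is one entry of an archive as produced by TarFiles: its header and
// the body bytes that belong to it.
type TarFile struct {
	Hdr  *tar.Header
	Body []byte
}

// TarBytes returns valid bytes for a tar archive.
//
// Up to maxNoOfFiles entries are generated from the fuzzer input; a name,
// body or timestamp that cannot be read is replaced by a deterministic
// default rather than failing, while a typeflag or format that cannot be
// set aborts with the error. Entries whose header the tar package refuses to
// encode (for example TypeXHeader, TypeGNULongName or TypeGNULongLink, which
// setTarHeaderTypeflag can select) are dropped so the archive stays
// well-formed, and the writer is closed before the bytes are returned so the
// end-of-archive trailer is part of the result.
func (f *ConsumeFuzzer) TarBytes() ([]byte, error) {
	numberOfFiles, err := f.GetInt()
	if err != nil {
		return nil, err
	}
	var tarFiles []*TarFile

	const maxNoOfFiles = 100
	for i := 0; i < numberOfFiles%maxNoOfFiles; i++ {
		filename, err := f.getTarFilename()
		if err != nil {
			filename = "file-" + strconv.Itoa(i)
		}
		filebody, err := f.createTarFileBody()
		if err != nil {
			filebody = []byte("filebody-" + strconv.Itoa(i))
		}

		sec, err := f.GetInt()
		if err != nil {
			sec = 1672531200 // beginning of 2023
		}
		nsec, err := f.GetInt()
		if err != nil {
			nsec = 1703980800 // end of 2023
		}

		hdr := &tar.Header{
			Name:    filename,
			Size:    int64(len(filebody)),
			Mode:    0o600,
			ModTime: time.Unix(int64(sec), int64(nsec)),
		}
		if err := setTarHeaderTypeflag(hdr, f); err != nil {
			return nil, err
		}
		if err := setTarHeaderFormat(hdr, f); err != nil {
			return nil, err
		}
		tarFiles = append(tarFiles, &TarFile{Hdr: hdr, Body: filebody})
	}

	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, tf := range tarFiles {
		if err := tw.WriteHeader(tf.Hdr); err != nil {
			// The tar package rejects some header/typeflag combinations;
			// nothing has been written for this entry yet, so skip it.
			continue
		}
		// Header-only typeflags (directories, links, ...) take no body; the
		// tar package reports a body for them as ErrWriteTooLong, which is
		// expected here. Any other write failure means the archive is
		// inconsistent and is surfaced.
		if _, err := tw.Write(tf.Body); err != nil && !errors.Is(err, tar.ErrWriteTooLong) {
			return nil, err
		}
	}
	// Close writes the end-of-archive trailer; with a deferred Close it
	// would run only after buf.Bytes() had already been taken.
	if err := tw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// TarFiles is similar to TarBytes, but it returns a series of
// files instead of raw tar bytes. The advantage of this
// api is that it is cheaper in terms of cpu power to
// modify or check the files in the fuzzer with TarFiles()
// because it avoids creating a tar reader.
//
// Unlike TarBytes it substitutes no defaults: the first name, body or
// timestamp that cannot be read ends the loop, and the entries built so far
// are returned together with the error. A typeflag that cannot be read
// falls back to tar.TypeReg.
func (f *ConsumeFuzzer) TarFiles() ([]*TarFile, error) {
	numberOfFiles, err := f.GetInt()
	if err != nil {
		return nil, err
	}
	tarFiles := make([]*TarFile, 0)

	const maxNoOfFiles = 100
	for i := 0; i < numberOfFiles%maxNoOfFiles; i++ {
		filename, err := f.getTarFilename()
		if err != nil {
			return tarFiles, err
		}
		filebody, err := f.createTarFileBody()
		if err != nil {
			return tarFiles, err
		}

		sec, err := f.GetInt()
		if err != nil {
			return tarFiles, err
		}
		nsec, err := f.GetInt()
		if err != nil {
			return tarFiles, err
		}

		hdr := &tar.Header{
			Name:    filename,
			Size:    int64(len(filebody)),
			Mode:    0o600,
			ModTime: time.Unix(int64(sec), int64(nsec)),
		}
		if err := setTarHeaderTypeflag(hdr, f); err != nil {
			hdr.Typeflag = tar.TypeReg
		}
		if err := setTarHeaderFormat(hdr, f); err != nil {
			return tarFiles, err // setTarHeaderFormat never fails today
		}
		tarFiles = append(tarFiles, &TarFile{Hdr: hdr, Body: filebody})
	}
	return tarFiles, nil
}

// CreateFiles creates pseudo-random files in rootDir.
// It creates subdirs and places the files there.
// It is the caller's responsibility to ensure that
// rootDir exists.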
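// Entry names come from the fuzzer input. Names that are empty, absolute,
// contain "..", or contain a backslash are skipped; parent directories are
// created one component at a time without following symlinks; and a name
// that already exists as a symlink is never written through. Symlink targets
// themselves are unrestricted, but nothing is ever created or written
// outside rootDir through them. A name or OS refusal that prevents one entry
// only skips that entry; running out of input after at least one file has
// been created ends the loop without error.
func (f *ConsumeFuzzer) CreateFiles(rootDir string) error {
	numberOfFiles, err := f.GetInt()
	if err != nil {
		return err
	}
	maxNumberOfFiles := numberOfFiles % 4000 // This is completely arbitrary
	if maxNumberOfFiles == 0 {
		return errors.New("maxNumberOfFiles is nil")
	}

	var noOfCreatedFiles int
	for i := 0; i < maxNumberOfFiles; i++ {
		// The file to create:
		fileName, err := f.GetString()
		if err != nil {
			if noOfCreatedFiles > 0 {
				// If files have been created, we don't return an error.
				break
			}
			return errors.New("could not get fileName")
		}
		if !safeFuzzFileName(fileName) {
			continue
		}
		fullFilePath := filepath.Join(rootDir, fileName)

		// Create the parent directory first, staying inside rootDir. The
		// file itself is created below in every case (previously a name
		// with a subdirectory created the directory and nothing else).
		if subDir := filepath.Dir(fileName); subDir != "" && subDir != "." {
			if err := mkdirAllNoFollow(rootDir, subDir); err != nil {
				continue
			}
		}

		// Never write through a symlink left by an earlier iteration: its
		// target is fuzzer-chosen and may point anywhere on the filesystem.
		if fi, err := os.Lstat(fullFilePath); err == nil && fi.Mode()&os.ModeSymlink != 0 {
			continue
		}

		createSymlink, err := f.GetBool()
		if err != nil {
			if noOfCreatedFiles > 0 {
				break
			}
			return errors.New("could not create the symlink")
		}
		if createSymlink {
			symlinkTarget, err := f.GetString()
			if err != nil {
				return err
			}
			// A duplicate name or other OS refusal skips this entry, as a
			// failed WriteFile does, instead of aborting the whole run.
			if err := os.Symlink(symlinkTarget, fullFilePath); err != nil {
				continue
			}
			// A symlink needs no further action.
			noOfCreatedFiles++
			continue
		}

		// We create a normal file
		fileContents, err := f.GetBytes()
		if err != nil {
			if noOfCreatedFiles > 0 {
				break
			}
			return errors.New("could not create the file")
		}
		if err := os.WriteFile(fullFilePath, fileContents, 0o666); err != nil {
			continue
		}
		noOfCreatedFiles++
	}
	return nil
}

// safeFuzzFileName reports whether a fuzzer-chosen name may be joined onto
// the root directory: it must be non-empty and relative, and contain neither
// ".." nor a backslash (the latter keeps Windows-style separators out).
func safeFuzzFileName(name string) bool {
	if name == "" || filepath.IsAbs(name) || name[0] == '/' {
		return false
	}
	return !strings.Contains(name, "..") && !strings.Contains(name, "\\")
}

// mkdirAllNoFollow creates root/dir one path component at a time. Unlike
// os.MkdirAll it uses Lstat and refuses to descend through a symlink (which
// an earlier iteration may have pointed anywhere), so every directory it
// makes really lies below root. An existing non-directory in the way is an
// error as well.
func mkdirAllNoFollow(root, dir string) error {
	cur := root
	for _, part := range strings.Split(filepath.ToSlash(dir), "/") {
		if part == "" || part == "." {
			continue
		}
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur)
		switch {
		case err == nil:
			// Lstat does not follow links, so a symlink is not IsDir here.
			if !fi.IsDir() {
				return fmt.Errorf("%q is not a directory", cur)
			}
		case os.IsNotExist(err):
			if err := os.Mkdir(cur, 0o777); err != nil {
				return err
			}
		default:
			return err
		}
	}
	return nil
}

// GetStringFrom returns a string that can only consist of characters
// included in possibleChars. It returns an error if the created string
// does not have the specified length.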
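// Indexing into possibleChars is by byte, so it is expected to be ASCII; a
// non-ASCII set would yield fragments of multi-byte characters. An empty
// possibleChars or a negative length is rejected up front instead of
// panicking.
func (f *ConsumeFuzzer) GetStringFrom(possibleChars string, length int) (string, error) {
	if length < 0 {
		return "", errors.New("length must not be negative")
	}
	if len(possibleChars) == 0 {
		// Without this guard the modulo below divides by zero.
		return "", errors.New("possibleChars must not be empty")
	}
	if (f.dataTotal - f.position) < uint32(length) {
		return "", errors.New("not enough bytes to create a string")
	}
	output := make([]byte, 0, length)
	for i := 0; i < length; i++ {
		charIndex, err := f.GetInt()
		if err != nil {
			return string(output), err
		}
		// Fold the index into range. The second step only matters if GetInt
		// can yield a negative value — not visible here, TODO confirm.
		idx := charIndex % len(possibleChars)
		if idx < 0 {
			idx += len(possibleChars)
		}
		output = append(output, possibleChars[idx])
	}
	return string(output), nil
}

// GetRune reads a string with GetString and returns it as a rune slice. On
// failure it mirrors GetString's placeholder and returns []rune("nil")
// together with the error.
func (f *ConsumeFuzzer) GetRune() ([]rune, error) {
	stringToConvert, err := f.GetString()
	if err != nil {
		return []rune("nil"), err
	}
	return []rune(stringToConvert), nil
}

// GetFloat32 builds a float32 from the next four input bytes. A further bool
// from the input chooses little- or big-endian interpretation of those
// bytes. The bit pattern is used verbatim, so NaN and infinities can occur.
func (f *ConsumeFuzzer) GetFloat32() (float32, error) {
	u32, err := f.GetNBytes(4)
	if err != nil {
		return 0, err
	}
	littleEndian, err := f.GetBool()
	if err != nil {
		return 0, err
	}
	if littleEndian {
		return math.Float32frombits(binary.LittleEndian.Uint32(u32)), nil
	}
	return math.Float32frombits(binary.BigEndian.Uint32(u32)), nil
}

// GetFloat64 builds a float64 from the next eight input bytes. A further
// bool from the input chooses little- or big-endian interpretation of those
// bytes. The bit pattern is used verbatim, so NaN and infinities can occur.
func (f *ConsumeFuzzer) GetFloat64() (float64, error) {
	u64, err := f.GetNBytes(8)
	if err != nil {
		return 0, err
	}
	littleEndian, err := f.GetBool()
	if err != nil {
		return 0, err
	}
	if littleEndian {
		return math.Float64frombits(binary.LittleEndian.Uint64(u64)), nil
	}
	return math.Float64frombits(binary.BigEndian.Uint64(u64)), nil
}

// CreateSlice fills the slice pointed to by targetSlice from the fuzzer
// input. It is a thin alias that delegates to GenerateStruct.
func (f *ConsumeFuzzer) CreateSlice(targetSlice interface{}) error {
	return f.GenerateStruct(targetSlice)
}

--------------------------------------------------------------------------------
/consumer_test.go:
--------------------------------------------------------------------------------
//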
Copyright 2023 The go-fuzz-headers Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package gofuzzheaders 16 | 17 | import ( 18 | //"archive/tar" 19 | //"bytes" 20 | //"io" 21 | "testing" 22 | ) 23 | 24 | type TestStruct1 struct { 25 | Field1 string 26 | Field2 string 27 | Field3 []byte 28 | } 29 | 30 | func TestStruct_fuzzing1(t *testing.T) { 31 | data := []byte{ 32 | 0x00, 0x00, 0x00, 0x03, // Length of field 1 33 | 0x41, 0x42, 0x43, // Data of field field 1 34 | 0x00, 0x00, 0x00, 0x03, // Length of field 2 35 | 0x41, 0x42, 0x43, // Data of field 2 36 | 0x00, 0x00, 0x00, 0x01, // Length of field 3 37 | 0x41, // Data of Field3 38 | } 39 | 40 | ts1 := TestStruct1{} 41 | fuzz1 := NewConsumer(data) 42 | err := fuzz1.GenerateStruct(&ts1) 43 | if err != nil { 44 | t.Errorf("%v", err) 45 | } 46 | if ts1.Field1 != "ABC" { 47 | t.Errorf("ts1.Field1 was %v but should be 'AB'", []byte(ts1.Field1)) 48 | } 49 | if ts1.Field2 != "ABC" { 50 | t.Errorf("ts1.Field2 was %v but should be 'ABC'", ts1.Field2) 51 | } 52 | if string(ts1.Field3) != "A" { 53 | t.Errorf("ts1.Field3 was %v but should be 'A'", ts1.Field3) 54 | } 55 | } 56 | 57 | // Tests that we can create long byte slices in structs 58 | func TestStruct_fuzzing2(t *testing.T) { 59 | data := []byte{ 60 | 0x00, 0x00, 0x00, 0x03, // Length field 1 61 | 0x41, 0x42, 0x43, // Data of field 1 62 | 0x00, 0x00, 0x00, 0x03, // Length of Field2 63 | 0x41, 0x42, 0x43, 
// Content of Field2 64 | 0x00, 0x00, 0x00, 0x50, // Length of field3 65 | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, // All of this 66 | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, // should go 67 | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, // into Field3 68 | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 69 | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 70 | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 71 | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 72 | 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 73 | } 74 | 75 | ts1 := TestStruct1{} 76 | fuzz1 := NewConsumer(data) 77 | err := fuzz1.GenerateStruct(&ts1) 78 | if err != nil { 79 | t.Errorf("%v", err) 80 | } 81 | if ts1.Field1 != "ABC" { 82 | t.Errorf("ts1.Field1 was %v but should be 'ABC'", ts1.Field1) 83 | } 84 | if ts1.Field2 != "ABC" { 85 | t.Errorf("ts1.Field2 was %v but should be 'ABC'", ts1.Field2) 86 | } 87 | if len(ts1.Field3) != 80 { 88 | t.Errorf("ts1.Field3 was %v but should be 'ABCD'", ts1.Field3) 89 | } 90 | } 91 | 92 | /*func TestTarBytes(t *testing.T) { 93 | data := []byte{ 94 | 0x01, // number of files 95 | 0x00, 0x00, 0x00, 0x08, // Length of first file name 96 | 0x6d, 0x61, 0x6e, 0x69, 0x66, 0x65, 0x73, 0x74, // "manifest" 97 | 0x00, 0x00, 0x00, 0x09, // Length of file body 98 | 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, // file contents 99 | 0x04, 0x02, 0x03, 100 | 0x00, // type flag 101 | 0x01, 0x01, 0x01, 0x01, 102 | } 103 | f := NewConsumer(data) 104 | tb, err := f.TarBytes() 105 | if err != nil { 106 | t.Fatalf("Fatal: %s", err) 107 | } 108 | 109 | tarReader := tar.NewReader(bytes.NewReader(tb)) 110 | 111 | for { 112 | header, err := tarReader.Next() 113 | 114 | if err == io.EOF { 115 | break 116 | } 117 | if err != nil { 118 | t.Fatal(err) 119 | } 120 | if header.Typeflag != 48 { 121 | t.Fatalf("typeflag should be 48 (which is a tar.TypeReg) but is %v", 
header.Typeflag) 122 | } 123 | switch header.Typeflag { 124 | case tar.TypeDir: 125 | t.Fatal("Should not be a directory") 126 | case tar.TypeReg: 127 | if header.Name != "manifest" { 128 | t.Fatalf("file name was %s but should be 'manifest'\n", header.Name) 129 | } 130 | } 131 | } 132 | }*/ 133 | 134 | func TestGetUint32(t *testing.T) { 135 | data := []byte{ 136 | 0x00, 137 | 0x00, 138 | 0x03, 139 | 0x01, 140 | } 141 | f := NewConsumer(data) 142 | i, err := f.GetUint32() 143 | if err != nil { 144 | t.Fatalf("%v\n", err) 145 | } 146 | if i != uint32(769) { 147 | t.Fatalf("i should be 636 but is %v\n", i) 148 | } 149 | } 150 | 151 | func TestGeBytes1(t *testing.T) { 152 | data := []byte{ 153 | 0x00, 154 | 0x00, 155 | 0x03, 156 | 0x01, 157 | } 158 | for i := 0; i < 769; i++ { 159 | data = append(data, 0x00) 160 | } 161 | f := NewConsumer(data) 162 | b, err := f.GetBytes() 163 | if err != nil { 164 | t.Fatalf("%v\n", err) 165 | } 166 | if len(b) != 769 { 167 | t.Fatalf("len(b) should be 769 but is %v\n", len(b)) 168 | } 169 | 170 | for i := 0; i < 769; i++ { 171 | if b[i] != 0 { 172 | t.Fatalf("b[%d] should be 0x00 but is %v\n", i, b[i]) 173 | } 174 | } 175 | } 176 | 177 | func TestGeBytes2(t *testing.T) { 178 | data := []byte{ 179 | 0x00, 180 | 0x00, 181 | 0x03, 182 | 0x01, 183 | } 184 | for i := 0; i < 767; i++ { 185 | data = append(data, 0x00) 186 | } 187 | f := NewConsumer(data) 188 | b, err := f.GetBytes() 189 | if err != nil { 190 | t.Fatalf("%v\n", err) 191 | } 192 | if len(b) != 2 { 193 | t.Fatalf("len(b) should be 2 but is %v\n", len(b)) 194 | } 195 | 196 | for i := 0; i < 2; i++ { 197 | if b[i] != 0 { 198 | t.Fatalf("b[%d] should be 0x00 but is %v\n", i, b[i]) 199 | } 200 | } 201 | } 202 | 203 | func TestGeBytes3(t *testing.T) { 204 | data := []byte{ 205 | 0x00, 206 | 0x00, 207 | 0x03, 208 | 0x01, 209 | } 210 | for i := 0; i < 500; i++ { 211 | data = append(data, 0x00) 212 | } 213 | f := NewConsumer(data) 214 | b, err := f.GetBytes() 215 | if err != nil { 
216 | t.Fatalf("%v\n", err) 217 | } 218 | if len(b) != 269 { 219 | t.Fatalf("len(b) should be 269 but is %v\n", len(b)) 220 | } 221 | 222 | for i := 0; i < 269; i++ { 223 | if b[i] != 0 { 224 | t.Fatalf("b[%d] should be 0x00 but is %v\n", i, b[i]) 225 | } 226 | } 227 | } 228 | -------------------------------------------------------------------------------- /funcs.go: -------------------------------------------------------------------------------- 1 | // Copyright 2023 The go-fuzz-headers Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package gofuzzheaders 16 | 17 | import ( 18 | "fmt" 19 | "reflect" 20 | ) 21 | 22 | type Continue struct { 23 | F *ConsumeFuzzer 24 | } 25 | 26 | func (f *ConsumeFuzzer) AddFuncs(fuzzFuncs []interface{}) { 27 | for i := range fuzzFuncs { 28 | v := reflect.ValueOf(fuzzFuncs[i]) 29 | if v.Kind() != reflect.Func { 30 | panic("Need only funcs!") 31 | } 32 | t := v.Type() 33 | if t.NumIn() != 2 || t.NumOut() != 1 { 34 | fmt.Println(t.NumIn(), t.NumOut()) 35 | 36 | panic("Need 2 in and 1 out params. In must be the type. 
Out must be an error") 37 | } 38 | argT := t.In(0) 39 | switch argT.Kind() { 40 | case reflect.Ptr, reflect.Map: 41 | default: 42 | panic("fuzzFunc must take pointer or map type") 43 | } 44 | if t.In(1) != reflect.TypeOf(Continue{}) { 45 | panic("fuzzFunc's second parameter must be type Continue") 46 | } 47 | f.Funcs[argT] = v 48 | } 49 | } 50 | 51 | func (f *ConsumeFuzzer) GenerateWithCustom(targetStruct interface{}) error { 52 | e := reflect.ValueOf(targetStruct).Elem() 53 | return f.fuzzStruct(e, true) 54 | } 55 | 56 | func (c Continue) GenerateStruct(targetStruct interface{}) error { 57 | return c.F.GenerateStruct(targetStruct) 58 | } 59 | 60 | func (c Continue) GenerateStructWithCustom(targetStruct interface{}) error { 61 | return c.F.GenerateWithCustom(targetStruct) 62 | } 63 | -------------------------------------------------------------------------------- /funcs_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2023 The go-fuzz-headers Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | package gofuzzheaders 16 | 17 | /* 18 | import ( 19 | "testing" 20 | ) 21 | 22 | type TestStructFuncs1 struct { 23 | Field1 string 24 | Field2 string 25 | Field3 []byte 26 | field4 string 27 | } 28 | 29 | type TestStructFuncs2 struct { 30 | Field1 []byte 31 | } 32 | 33 | type TestStructFuncs3 struct { 34 | Field1 *TestStructFuncs4 35 | Field2 string 36 | } 37 | 38 | type TestStructFuncs4 struct { 39 | Field1 string 40 | Field2 string 41 | } 42 | 43 | func TestStruct_fuzzing_CustomFuncs1(t *testing.T) { 44 | data := []byte{ 45 | 0x02, 0x41, 0x42, // Field1 46 | 0x03, 0x41, 0x42, 0x43, // Field2 47 | } 48 | 49 | ts1 := TestStructFuncs3{} 50 | fuzz1 := NewConsumer(data) 51 | testfuncss := testFuncs() 52 | fuzz1.AddFuncs(testfuncss) 53 | err := fuzz1.GenerateWithCustom(&ts1) 54 | if err != nil { 55 | t.Errorf("%v", err) 56 | } 57 | if ts1.Field1.Field1 != "AB" { 58 | t.Errorf("ts1.Field1.Field1 was %v but should be 'AB'", ts1.Field1) 59 | } 60 | if ts1.Field1.Field2 != "staticString" { 61 | t.Errorf("ts1.Field1.Field2 was %v but should be 'staticString'", ts1.Field1) 62 | } 63 | if ts1.Field2 != "ABC" { 64 | t.Errorf("ts1.Field1 was %v but should be 'ABC'", ts1.Field1) 65 | } 66 | } 67 | 68 | func testFuncs() []interface{} { 69 | return []interface{}{ 70 | func(j *TestStructFuncs4, c Continue) error { 71 | newString, err := c.F.GetString() 72 | if err != nil { 73 | return err 74 | } 75 | j.Field1 = newString 76 | j.Field2 = "staticString" 77 | return nil 78 | }, 79 | } 80 | } 81 | */ 82 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/AdaLogics/go-fuzz-headers 2 | 3 | go 1.20 4 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 
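https://raw.githubusercontent.com/AdaLogics/go-fuzz-headers/e8a1dd7889d65b8a6f02175e0d79d7c0557db7f9/go.sum
--------------------------------------------------------------------------------
/sql.go:
--------------------------------------------------------------------------------
// Copyright 2023 The go-fuzz-headers Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package gofuzzheaders

import (
	"fmt"
	"strings"
)

// getKeyword returns the entry of keywords whose index is the next int read
// from the fuzzer. A failed read returns keywords[0] with that error; an
// index outside the table (including a negative one) returns keywords[0]
// with an error of its own. The lookup is a direct index rather than a scan
// of the whole table.
func getKeyword(f *ConsumeFuzzer) (string, error) {
	index, err := f.GetInt()
	if err != nil {
		return keywords[0], err
	}
	if index < 0 || index >= len(keywords) {
		return keywords[0], fmt.Errorf("could not get a kw")
	}
	return keywords[index], nil
}

// Simple utility function to check if a string
// slice contains a string.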
38 | func containsString(s []string, e string) bool { 39 | for _, a := range s { 40 | if a == e { 41 | return true 42 | } 43 | } 44 | return false 45 | } 46 | 47 | // These keywords are used specifically for fuzzing Vitess 48 | var keywords = []string{ 49 | "accessible", "action", "add", "after", "against", "algorithm", 50 | "all", "alter", "always", "analyze", "and", "as", "asc", "asensitive", 51 | "auto_increment", "avg_row_length", "before", "begin", "between", 52 | "bigint", "binary", "_binary", "_utf8mb4", "_utf8", "_latin1", "bit", 53 | "blob", "bool", "boolean", "both", "by", "call", "cancel", "cascade", 54 | "cascaded", "case", "cast", "channel", "change", "char", "character", 55 | "charset", "check", "checksum", "coalesce", "code", "collate", "collation", 56 | "column", "columns", "comment", "committed", "commit", "compact", "complete", 57 | "compressed", "compression", "condition", "connection", "constraint", "continue", 58 | "convert", "copy", "cume_dist", "substr", "substring", "create", "cross", 59 | "csv", "current_date", "current_time", "current_timestamp", "current_user", 60 | "cursor", "data", "database", "databases", "day", "day_hour", "day_microsecond", 61 | "day_minute", "day_second", "date", "datetime", "dec", "decimal", "declare", 62 | "default", "definer", "delay_key_write", "delayed", "delete", "dense_rank", 63 | "desc", "describe", "deterministic", "directory", "disable", "discard", 64 | "disk", "distinct", "distinctrow", "div", "double", "do", "drop", "dumpfile", 65 | "duplicate", "dynamic", "each", "else", "elseif", "empty", "enable", 66 | "enclosed", "encryption", "end", "enforced", "engine", "engines", "enum", 67 | "error", "escape", "escaped", "event", "exchange", "exclusive", "exists", 68 | "exit", "explain", "expansion", "export", "extended", "extract", "false", 69 | "fetch", "fields", "first", "first_value", "fixed", "float", "float4", 70 | "float8", "flush", "for", "force", "foreign", "format", "from", "full", 71 | "fulltext", 
"function", "general", "generated", "geometry", "geometrycollection", 72 | "get", "global", "gtid_executed", "grant", "group", "grouping", "groups", 73 | "group_concat", "having", "header", "high_priority", "hosts", "hour", "hour_microsecond", 74 | "hour_minute", "hour_second", "if", "ignore", "import", "in", "index", "indexes", 75 | "infile", "inout", "inner", "inplace", "insensitive", "insert", "insert_method", 76 | "int", "int1", "int2", "int3", "int4", "int8", "integer", "interval", 77 | "into", "io_after_gtids", "is", "isolation", "iterate", "invoker", "join", 78 | "json", "json_table", "key", "keys", "keyspaces", "key_block_size", "kill", "lag", 79 | "language", "last", "last_value", "last_insert_id", "lateral", "lead", "leading", 80 | "leave", "left", "less", "level", "like", "limit", "linear", "lines", 81 | "linestring", "load", "local", "localtime", "localtimestamp", "lock", "logs", 82 | "long", "longblob", "longtext", "loop", "low_priority", "manifest", 83 | "master_bind", "match", "max_rows", "maxvalue", "mediumblob", "mediumint", 84 | "mediumtext", "memory", "merge", "microsecond", "middleint", "min_rows", "minute", 85 | "minute_microsecond", "minute_second", "mod", "mode", "modify", "modifies", 86 | "multilinestring", "multipoint", "multipolygon", "month", "name", 87 | "names", "natural", "nchar", "next", "no", "none", "not", "no_write_to_binlog", 88 | "nth_value", "ntile", "null", "numeric", "of", "off", "offset", "on", 89 | "only", "open", "optimize", "optimizer_costs", "option", "optionally", 90 | "or", "order", "out", "outer", "outfile", "over", "overwrite", "pack_keys", 91 | "parser", "partition", "partitioning", "password", "percent_rank", "plugins", 92 | "point", "polygon", "precision", "primary", "privileges", "processlist", 93 | "procedure", "query", "quarter", "range", "rank", "read", "reads", "read_write", 94 | "real", "rebuild", "recursive", "redundant", "references", "regexp", "relay", 95 | "release", "remove", "rename", "reorganize", 
"repair", "repeat", "repeatable", 96 | "replace", "require", "resignal", "restrict", "return", "retry", "revert", 97 | "revoke", "right", "rlike", "rollback", "row", "row_format", "row_number", 98 | "rows", "s3", "savepoint", "schema", "schemas", "second", "second_microsecond", 99 | "security", "select", "sensitive", "separator", "sequence", "serializable", 100 | "session", "set", "share", "shared", "show", "signal", "signed", "slow", 101 | "smallint", "spatial", "specific", "sql", "sqlexception", "sqlstate", 102 | "sqlwarning", "sql_big_result", "sql_cache", "sql_calc_found_rows", 103 | "sql_no_cache", "sql_small_result", "ssl", "start", "starting", 104 | "stats_auto_recalc", "stats_persistent", "stats_sample_pages", "status", 105 | "storage", "stored", "straight_join", "stream", "system", "vstream", 106 | "table", "tables", "tablespace", "temporary", "temptable", "terminated", 107 | "text", "than", "then", "time", "timestamp", "timestampadd", "timestampdiff", 108 | "tinyblob", "tinyint", "tinytext", "to", "trailing", "transaction", "tree", 109 | "traditional", "trigger", "triggers", "true", "truncate", "uncommitted", 110 | "undefined", "undo", "union", "unique", "unlock", "unsigned", "update", 111 | "upgrade", "usage", "use", "user", "user_resources", "using", "utc_date", 112 | "utc_time", "utc_timestamp", "validation", "values", "variables", "varbinary", 113 | "varchar", "varcharacter", "varying", "vgtid_executed", "virtual", "vindex", 114 | "vindexes", "view", "vitess", "vitess_keyspaces", "vitess_metadata", 115 | "vitess_migration", "vitess_migrations", "vitess_replication_status", 116 | "vitess_shards", "vitess_tablets", "vschema", "warnings", "when", 117 | "where", "while", "window", "with", "without", "work", "write", "xor", 118 | "year", "year_month", "zerofill", 119 | } 120 | 121 | // Keywords that could get an additional keyword 122 | var needCustomString = []string{ 123 | "DISTINCTROW", "FROM", // Select keywords: 124 | "GROUP BY", "HAVING", "WINDOW", 
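	"FOR",
	"ORDER BY", "LIMIT",
	"INTO", "PARTITION", "AS", // Insert keywords:
	"ON DUPLICATE KEY UPDATE",
	"WHERE", "LIMIT", // Delete keywords
	"INFILE", "INTO TABLE", "CHARACTER SET", // Load keywords
	"TERMINATED BY", "ENCLOSED BY",
	"ESCAPED BY", "STARTING BY",
	"TERMINATED BY", "STARTING BY",
	"IGNORE",
	"VALUE", "VALUES", // Replace tokens
	"SET", // Update tokens
	// Drop tokens. dropTokens spells this option "ENGINE = " (trailing
	// space), so that spelling is listed as well: if containsString (defined
	// elsewhere in this package) is an exact membership test, the bare
	// "ENGINE =" entry alone never matched the dropTokens entry and the
	// option was always emitted without an argument.
	"ENGINE =", "ENGINE = ",
	// Alter tokens. Same story for the "DEFINER = " entry of alterTokens.
	"DEFINER =", "DEFINER = ", "ON SCHEDULE", "RENAME TO",
	"COMMENT", "DO", "INITIAL_SIZE = ", "OPTIONS",
}

// Token tables consumed by createStmtArgs. Each inner slice is one position
// of the statement, in order: createStmtArgs may skip a position entirely,
// and a position with several entries is resolved by chooseToken, which
// picks entry (fuzzer int % row length) — so the order of entries within a
// row is part of the generator's byte-level contract with existing corpora.
// The placeholder "CUSTOM_FUZZ_STRING" is replaced by an unstructured
// fuzzer string wherever it appears.

// alterTableTokens is registered in stmtTypes for completeness only:
// createStmt routes "ALTER TABLE" to createAlterTableStmt before this
// table would be consulted, so these placeholder entries are never expanded.
var alterTableTokens = [][]string{
	{"CUSTOM_FUZZ_STRING"},
	{"CUSTOM_ALTTER_TABLE_OPTIONS"},
	{"PARTITION_OPTIONS_FOR_ALTER_TABLE"},
}

// alterTokens: the positions after "ALTER" for the non-table ALTER forms.
var alterTokens = [][]string{
	{
		"DATABASE", "SCHEMA", "DEFINER = ", "EVENT", "FUNCTION", "INSTANCE",
		"LOGFILE GROUP", "PROCEDURE", "SERVER",
	},
	{"CUSTOM_FUZZ_STRING"},
	{
		"ON SCHEDULE", "ON COMPLETION PRESERVE", "ON COMPLETION NOT PRESERVE",
		"ADD UNDOFILE", "OPTIONS",
	},
	{"RENAME TO", "INITIAL_SIZE = "},
	{"ENABLE", "DISABLE", "DISABLE ON SLAVE", "ENGINE"},
	{"COMMENT"},
	{"DO"},
}

// setTokens: the positions after "SET".
var setTokens = [][]string{
	{"CHARACTER SET", "CHARSET", "CUSTOM_FUZZ_STRING", "NAMES"},
	{"CUSTOM_FUZZ_STRING", "DEFAULT", "="},
	{"CUSTOM_FUZZ_STRING"},
}

// dropTokens: the positions after "DROP".
var dropTokens = [][]string{
	{"TEMPORARY", "UNDO"},
	{
		"DATABASE", "SCHEMA", "EVENT", "INDEX", "LOGFILE GROUP",
		"PROCEDURE", "FUNCTION", "SERVER", "SPATIAL REFERENCE SYSTEM",
		"TABLE", "TABLESPACE", "TRIGGER", "VIEW",
	},
	{"IF EXISTS"},
	{"CUSTOM_FUZZ_STRING"},
	{"ON", "ENGINE = ", "RESTRICT", "CASCADE"},
}

// renameTokens: the positions after "RENAME".
var renameTokens = [][]string{
	{"TABLE"},
	{"CUSTOM_FUZZ_STRING"},
	{"TO"},
	{"CUSTOM_FUZZ_STRING"},
}

// truncateTokens: the positions after "TRUNCATE".
var truncateTokens = [][]string{
	{"TABLE"},
	{"CUSTOM_FUZZ_STRING"},
}

// createTokens: the positions after "CREATE".
var createTokens = [][]string{
	{"OR REPLACE", "TEMPORARY", "UNDO"}, // For create spatial reference system
	{
		"UNIQUE", "FULLTEXT", "SPATIAL", "ALGORITHM = UNDEFINED", "ALGORITHM = MERGE",
		"ALGORITHM = TEMPTABLE",
	},
	{
		"DATABASE", "SCHEMA", "EVENT", "FUNCTION", "INDEX", "LOGFILE GROUP",
		"PROCEDURE", "SERVER", "SPATIAL REFERENCE SYSTEM", "TABLE", "TABLESPACE",
		"TRIGGER", "VIEW",
	},
	{"IF NOT EXISTS"},
	{"CUSTOM_FUZZ_STRING"},
}

/*
// For future use.
var updateTokens = [][]string{
	{"LOW_PRIORITY"},
	{"IGNORE"},
	{"SET"},
	{"WHERE"},
	{"ORDER BY"},
	{"LIMIT"},
}
*/

// replaceTokens: the positions after "REPLACE".
var replaceTokens = [][]string{
	{"LOW_PRIORITY", "DELAYED"},
	{"INTO"},
	{"PARTITION"},
	{"CUSTOM_FUZZ_STRING"},
	{"VALUES", "VALUE"},
}

// loadTokens: the positions after "LOAD".
var loadTokens = [][]string{
	{"DATA"},
	{"LOW_PRIORITY", "CONCURRENT", "LOCAL"},
	{"INFILE"},
	{"REPLACE", "IGNORE"},
	{"INTO TABLE"},
	{"PARTITION"},
	{"CHARACTER SET"},
	{"FIELDS", "COLUMNS"},
	{"TERMINATED BY"},
	{"OPTIONALLY"},
	{"ENCLOSED BY"},
	{"ESCAPED BY"},
	{"LINES"},
	{"STARTING BY"},
	{"TERMINATED BY"},
	{"IGNORE"},
	{"LINES", "ROWS"},
	{"CUSTOM_FUZZ_STRING"},
}

// insertTokens: the positions after "INSERT".
var insertTokens = [][]string{
	{"LOW_PRIORITY", "DELAYED", "HIGH_PRIORITY", "IGNORE"},
	{"INTO"},
	{"PARTITION"},
	{"CUSTOM_FUZZ_STRING"},
	{"AS"},
	{"ON DUPLICATE KEY UPDATE"},
}

// selectTokens: the positions after "SELECT".
var selectTokens = [][]string{
	{"*", "CUSTOM_FUZZ_STRING", "DISTINCTROW"},
	{"HIGH_PRIORITY"},
	{"STRAIGHT_JOIN"},
	{"SQL_SMALL_RESULT", "SQL_BIG_RESULT", "SQL_BUFFER_RESULT"},
	{"SQL_NO_CACHE", "SQL_CALC_FOUND_ROWS"},
	{"CUSTOM_FUZZ_STRING"},
	{"FROM"},
	{"WHERE"},
	{"GROUP BY"},
	{"HAVING"},
	{"WINDOW"},
	{"ORDER BY"},
	{"LIMIT"},
	{"CUSTOM_FUZZ_STRING"},
	{"FOR"},
}

// deleteTokens: the positions after "DELETE".
var deleteTokens = [][]string{
	{"LOW_PRIORITY", "QUICK", "IGNORE", "FROM", "AS"},
	{"PARTITION"},
	{"WHERE"},
	{"ORDER BY"},
	{"LIMIT"},
}

// alter_table_options is the flat pool createAlterTableStmt draws from
// (one fuzzer int per piece, modulo the pool size). The identifier keeps
// its underscore because createAlterTableStmt refers to it by this name.
// "KEY_BLOCK_SIZE" is listed twice, which only doubles its selection weight.
var alter_table_options = []string{
	"ADD", "COLUMN", "FIRST", "AFTER", "INDEX", "KEY", "FULLTEXT", "SPATIAL",
	"CONSTRAINT", "UNIQUE", "FOREIGN KEY", "CHECK", "ENFORCED", "DROP", "ALTER",
	"NOT", "INPLACE", "COPY", "SET", "VISIBLE", "INVISIBLE", "DEFAULT", "CHANGE",
	"CHARACTER SET", "COLLATE", "DISABLE", "ENABLE", "KEYS", "TABLESPACE", "LOCK",
	"FORCE", "MODIFY", "SHARED", "EXCLUSIVE", "NONE", "ORDER BY", "RENAME COLUMN",
	"AS", "=", "ASC", "DESC", "WITH", "WITHOUT", "VALIDATION", "ADD PARTITION",
	"DROP PARTITION", "DISCARD PARTITION", "IMPORT PARTITION", "TRUNCATE PARTITION",
	"COALESCE PARTITION", "REORGANIZE PARTITION", "EXCHANGE PARTITION",
	"ANALYZE PARTITION", "CHECK PARTITION", "OPTIMIZE PARTITION", "REBUILD PARTITION",
	"REPAIR PARTITION", "REMOVE PARTITIONING", "USING", "BTREE", "HASH", "COMMENT",
	"KEY_BLOCK_SIZE", "WITH PARSER", "AUTOEXTEND_SIZE", "AUTO_INCREMENT", "AVG_ROW_LENGTH",
	"CHECKSUM", "INSERT_METHOD", "ROW_FORMAT", "DYNAMIC", "FIXED", "COMPRESSED", "REDUNDANT",
	"COMPACT", "SECONDARY_ENGINE_ATTRIBUTE", "STATS_AUTO_RECALC", "STATS_PERSISTENT",
	"STATS_SAMPLE_PAGES", "ZLIB", "LZ4", "ENGINE_ATTRIBUTE", "KEY_BLOCK_SIZE", "MAX_ROWS",
	"MIN_ROWS", "PACK_KEYS", "PASSWORD", "COMPRESSION", "CONNECTION", "DIRECTORY",
	"DELAY_KEY_WRITE", "ENCRYPTION", "STORAGE", "DISK", "MEMORY", "UNION",
}

// Creates an 'alter table' statement.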
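// 'alter table' is an exception
// in that it has its own function. The majority of statements
// are created by 'createStmt()'.
//
// Layout: "ALTER TABLE " followed by 1..29 pieces, each prefixed with a
// single space (so the output carries a double space after "ALTER TABLE").
// A piece is either an unstructured fuzzer string (when the kind draw
// satisfies kind%4 == 1) or an entry of alter_table_options selected by a
// further fuzzer int. A count draw of 0 is reported as an error instead of
// yielding a bare prefix, so roughly 1/30 of inputs are rejected here.
//
// The byte consumption order (count, then per piece: kind, then string or
// index) is the generator's contract with existing corpora; do not reorder.
func createAlterTableStmt(f *ConsumeFuzzer) (string, error) {
	count, err := f.GetInt()
	if err != nil {
		return "", err
	}
	count = wrapIndex(count, 30)
	if count == 0 {
		return "", fmt.Errorf("could not create alter table stmt")
	}

	var stmt strings.Builder
	stmt.WriteString("ALTER TABLE ")
	for i := 0; i < count; i++ {
		// Decide whether this piece is free-form or drawn from the table.
		kind, err := f.GetInt()
		if err != nil {
			return "", err
		}
		if kind%4 == 1 {
			custom, err := f.GetString()
			if err != nil {
				return "", err
			}
			stmt.WriteString(" " + custom)
			continue
		}
		pick, err := f.GetInt()
		if err != nil {
			return "", err
		}
		stmt.WriteString(" " + alter_table_options[wrapIndex(pick, len(alter_table_options))])
	}
	return stmt.String(), nil
}

// wrapIndex maps a fuzzer-supplied int onto [0, n); n must be positive.
// For non-negative v this is exactly v % n, which is what the indexing in
// this file always used. A negative v is folded into range instead of
// becoming a negative slice index (a panic). GetInt lives in consumer.go
// and its range is not visible here, so the fold is purely defensive.
func wrapIndex(v, n int) int {
	i := v % n
	if i < 0 {
		i += n
	}
	return i
}

// chooseToken picks one entry of tokens by a fuzzer-supplied index. The
// "CUSTOM_FUZZ_STRING" placeholder is replaced wholesale by an unstructured
// fuzzer string; an entry listed in needCustomString gets one appended
// after a space. Returns an error when tokens is empty (no table in this
// file has an empty row; the check only replaces a panic with an error).
func chooseToken(tokens []string, f *ConsumeFuzzer) (string, error) {
	if len(tokens) == 0 {
		return "", fmt.Errorf("no tokens to choose from")
	}
	index, err := f.GetInt()
	if err != nil {
		return "", err
	}
	token := tokens[wrapIndex(index, len(tokens))]
	if token == "CUSTOM_FUZZ_STRING" {
		custom, err := f.GetString()
		if err != nil {
			return "", err
		}
		return custom, nil
	}

	// Keywords that take an argument (see needCustomString) get an
	// unstructured string appended.
	if containsString(needCustomString, token) {
		arg, err := f.GetString()
		if err != nil {
			return "", err
		}
		token += " " + arg
	}
	return token, nil
}

// stmtTypes maps the leading keyword of a statement to its token table.
// "ALTER TABLE" is listed so that len(stmtTypes) counts it, but createStmt
// hands that case to createAlterTableStmt and never expands its table.
var stmtTypes = map[string][][]string{
	"DELETE":      deleteTokens,
	"INSERT":      insertTokens,
	"SELECT":      selectTokens,
	"LOAD":        loadTokens,
	"REPLACE":     replaceTokens,
	"CREATE":      createTokens,
	"DROP":        dropTokens,
	"RENAME":      renameTokens,
	"TRUNCATE":    truncateTokens,
	"SET":         setTokens,
	"ALTER":       alterTokens,
	"ALTER TABLE": alterTableTokens, // ALTER TABLE has its own set of tokens
}

// stmtTypeEnum gives the fuzzer int -> statement keyword mapping used by
// createStmt. It must stay in one-to-one sync with stmtTypes: the index is
// reduced modulo len(stmtTypes), and every value here must be a key there.
// Reordering entries changes which bytes produce which statement and thus
// invalidates existing corpora.
var stmtTypeEnum = map[int]string{
	0:  "DELETE",
	1:  "INSERT",
	2:  "SELECT",
	3:  "LOAD",
	4:  "REPLACE",
	5:  "CREATE",
	6:  "DROP",
	7:  "RENAME",
	8:  "TRUNCATE",
	9:  "SET",
	10: "ALTER",
	11: "ALTER TABLE",
}

// createStmt builds a keyword-driven statement: one fuzzer int selects the
// statement type via stmtTypeEnum, then the type's token table is expanded
// by createStmtArgs ("ALTER TABLE" goes to createAlterTableStmt instead).
// The result is the keyword, a space, and the (space-prefixed) arguments,
// so there is a double space between them. A stmtTypeEnum/stmtTypes
// mismatch is reported as an error rather than silently producing " ".
func createStmt(f *ConsumeFuzzer) (string, error) {
	stmtIndex, err := f.GetInt()
	if err != nil {
		return "", err
	}

	queryType, ok := stmtTypeEnum[wrapIndex(stmtIndex, len(stmtTypes))]
	if !ok {
		return "", fmt.Errorf("no statement type for index %d", stmtIndex)
	}
	tokens, ok := stmtTypes[queryType]
	if !ok {
		return "", fmt.Errorf("no token table for statement type %q", queryType)
	}

	// ALTER TABLE has a dedicated generator.
	if queryType == "ALTER TABLE" {
		return createAlterTableStmt(f)
	}

	args, err := createStmtArgs(tokens, f)
	if err != nil {
		return "", err
	}
	return queryType + " " + args, nil
}

// Creates the arguments of a statement. In a select statement
// that would be everything after "select".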
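//
// Walks tokenslice position by position. For each position the fuzzer
// first decides (GetBool) whether it appears at all. A position with
// several alternatives is resolved by chooseToken; a single-entry position
// is either the "CUSTOM_FUZZ_STRING" placeholder (replaced by a GetString)
// or a keyword which, if listed in needCustomString, gets one GetString
// appended as its argument. Every emitted piece is prefixed with a single
// space, so the result starts with a space, or is "" when every position
// was skipped.
//
// Fix: the token text is a fresh local per position. Previously one
// strings.Builder was shared across iterations and never Reset, so from
// the second single-entry position onward the accumulated text of all
// earlier ones was emitted again, the literal "CUSTOM_FUZZ_STRING"
// placeholder leaked into the query, and needCustomString lookups stopped
// matching. The fix consumes additional GetString bytes, so queries
// generated from an existing corpus will differ from before.
func createStmtArgs(tokenslice [][]string, f *ConsumeFuzzer) (string, error) {
	var query strings.Builder

	for _, tokens := range tokenslice {
		// For extra randomization, the fuzzer can choose to drop this position.
		include, err := f.GetBool()
		if err != nil {
			return "", err
		}
		if !include {
			continue
		}

		// An empty position would index out of range below. No table in
		// this file has one; this only turns a panic into a skip.
		if len(tokens) == 0 {
			continue
		}

		var piece string
		switch {
		case len(tokens) > 1:
			piece, err = chooseToken(tokens, f)
			if err != nil {
				return "", err
			}
		case tokens[0] == "CUSTOM_FUZZ_STRING":
			piece, err = f.GetString()
			if err != nil {
				return "", err
			}
		default:
			piece = tokens[0]
			// Keywords that take an argument get an unstructured string.
			if containsString(needCustomString, piece) {
				arg, err := f.GetString()
				if err != nil {
					return "", err
				}
				piece += " " + arg
			}
		}
		query.WriteString(" " + piece)
	}
	return query.String(), nil
}

// Creates a semi-structured query. It creates a string
// that is a combination of the keywords and random strings.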
//
// The fuzzer draws a length (reduced modulo 60; a result of 0 is an
// error), then per piece chooses between a keyword from getKeyword and an
// unstructured GetString. Each piece is prefixed with a single space.
func createQuery(f *ConsumeFuzzer) (string, error) {
	n, err := f.GetInt()
	if err != nil {
		return "", err
	}
	n %= 60
	if n == 0 {
		return "", fmt.Errorf("could not create a query")
	}

	var sb strings.Builder
	for i := 0; i < n; i++ {
		useKeyword, err := f.GetBool()
		if err != nil {
			return "", err
		}
		var piece string
		if useKeyword {
			piece, err = getKeyword(f)
		} else {
			piece, err = f.GetString()
		}
		if err != nil {
			return "", err
		}
		sb.WriteString(" " + piece)
	}

	// Only reachable when the loop body never ran, i.e. if GetInt ever
	// yielded a negative length (its range is defined in consumer.go, not
	// visible here). Kept so that case still reports an error.
	result := sb.String()
	if result == "" {
		return "", fmt.Errorf("could not create a query")
	}
	return result, nil
}

// GetSQLString is the API that users interact with.
//
// Usage:
//
//	f := NewConsumer(data)
//	sqlString, err := f.GetSQLString()
//
// One GetBool selects the generator: true picks createStmt (a keyword-led
// statement built from the token tables), false picks createQuery (a loose
// mix of keywords and free-form strings). The result is fuzz input for a
// SQL parser or lexer under test: it embeds arbitrary fuzzer bytes
// verbatim and is neither escaped nor validated, so it must never be
// executed against a live database or written into logs as trusted text.
func (f *ConsumeFuzzer) GetSQLString() (string, error) {
	structured, err := f.GetBool()
	if err != nil {
		return "", err
	}
	if structured {
		return createStmt(f)
	}
	return createQuery(f)
}
--------------------------------------------------------------------------------
/sql_test.go:
--------------------------------------------------------------------------------
// Copyright 2023 The go-fuzz-headers Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
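// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package gofuzzheaders

import (
	"testing"
)

// TestSQLAPI drives GetSQLString end to end on fixed byte inputs.
func TestSQLAPI(t *testing.T) {
	t.Run("Test 1", func(t *testing.T) {
		// The expected output pins the exact byte-consumption order of
		// GetSQLString: any change to how sql.go draws bytes shows up here
		// as a different query. " action" is presumably the first entry of
		// the keyword table served by getKeyword (the table head is not in
		// this file) — confirm against funcs.go if this assertion drifts.
		data := []byte{1, 1, 0, 1}
		f := NewConsumer(data)
		query, err := f.GetSQLString()
		if err != nil {
			t.Fatal(err)
		}
		if query != " action" {
			t.Errorf("expected ' action', got: '%s'", query)
		}
	})
	t.Run("Test 2", func(t *testing.T) {
		data := []byte{
			222, 255, 0, 100, 10, 64, 2, 0, 0, 0,
			0, 0, 0, 100, 6, 0, 0, 0, 0, 0, 0, 255,
			61, 100, 170, 0, 0,
		}
		f := NewConsumer(data)
		query, err := f.GetSQLString()
		if err != nil {
			t.Fatal(err)
		}
		// This case used to only log the query. Both generators return a
		// non-empty string on success (createStmt always emits the
		// statement keyword, createQuery rejects an empty result), so an
		// empty query with a nil error is a regression worth failing on.
		if query == "" {
			t.Error("expected a non-empty query")
		}
		t.Log(query)
	})
}
--------------------------------------------------------------------------------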