├── servers
    ├── dockers
    │   ├── idx_0
    │   │   ├── requirements.txt
    │   │   ├── Dockerfile
    │   │   └── app.py
    │   ├── idx_1
    │   │   ├── requirements.txt
    │   │   ├── Dockerfile
    │   │   └── app.py
    │   ├── idx_2
    │   │   ├── requirements.txt
    │   │   ├── Dockerfile
    │   │   └── app.py
    │   ├── idx_3
    │   │   ├── requirements.txt
    │   │   ├── Dockerfile
    │   │   └── app.py
    │   ├── idx_4
    │   │   ├── requirements.txt
    │   │   ├── Dockerfile
    │   │   └── app.py
    │   ├── idx_5
    │   │   ├── requirements.txt
    │   │   ├── Dockerfile
    │   │   └── app.py
    │   ├── idx_6
    │   │   ├── requirements.txt
    │   │   ├── Dockerfile
    │   │   └── app.py
    │   ├── idx_7
    │   │   ├── requirements.txt
    │   │   ├── Dockerfile
    │   │   └── app.py
    │   ├── idx_8
    │   │   ├── requirements.txt
    │   │   ├── Dockerfile
    │   │   └── app.py
    │   ├── idx_9
    │   │   ├── requirements.txt
    │   │   ├── Dockerfile
    │   │   └── app.py
    │   └── idx_10
    │   │   ├── requirements.txt
    │   │   ├── Dockerfile
    │   │   └── app.py
    └── docker-compose.yml
├── requirements.txt
├── src
    ├── fuzzer
    │   ├── exception.py
    │   ├── minimizer.py
    │   └── reproducer.py
    ├── web_api
    │   ├── web_api_type.py
    │   ├── tag_manager.py
    │   ├── value.json
    │   ├── value_manager.py
    │   ├── tag.json
    │   └── web_object.py
    ├── js_api
    │   ├── js_api_type.py
    │   └── js_object.py
    └── script
    │   ├── testcase.py
    │   ├── string_instruction.py
    │   ├── script.py
    │   ├── js_instruction.py
    │   ├── web_instruction.py
    │   ├── web_page.py
    │   ├── statement.py
    │   ├── testcase_generator.py
    │   └── pattern_builder.py
├── tools
    └── domato
    │   ├── vbscript
    │       ├── README.md
    │       └── generator.py
    │   ├── jscript
    │       ├── README.md
    │       ├── template.html
    │       └── generator.py
    │   ├── template.html
    │   ├── php
    │       ├── README.md
    │       ├── generator.py
    │       ├── php.txt
    │       ├── parse_types.py
    │       └── template.php
    │   ├── CONTRIBUTING.md
    │   ├── mathml
    │       ├── test.py
    │       └── mathattrvalues.txt
    │   ├── canvas
    │       ├── template.html
    │       ├── README.md
    │       ├── generator.py
    │       └── canvas.txt
    │   ├── webgl
    │       ├── generator.py
    │       └── template.html
    │   ├── LICENSE
    │   └── common.txt
├── kill.sh
├── README.md
├── .gitignore
└── chrome_downloader.py


/servers/dockers/idx_0/requirements.txt:
--------------------------------------------------------------------------------
1 | flask
2 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_1/requirements.txt:
--------------------------------------------------------------------------------
1 | flask
2 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_2/requirements.txt:
--------------------------------------------------------------------------------
1 | flask
2 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_3/requirements.txt:
--------------------------------------------------------------------------------
1 | flask
2 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_4/requirements.txt:
--------------------------------------------------------------------------------
1 | flask
2 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_5/requirements.txt:
--------------------------------------------------------------------------------
1 | flask
2 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_6/requirements.txt:
--------------------------------------------------------------------------------
1 | flask
2 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_7/requirements.txt:
--------------------------------------------------------------------------------
1 | flask
2 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_8/requirements.txt:
--------------------------------------------------------------------------------
1 | flask
2 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_9/requirements.txt:
--------------------------------------------------------------------------------
1 | flask
2 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_10/requirements.txt:
--------------------------------------------------------------------------------
1 | flask
2 | 


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | selenium
2 | bs4
3 | flask
4 | msedge-selenium-tools
5 | 


--------------------------------------------------------------------------------
/src/fuzzer/exception.py:
--------------------------------------------------------------------------------
1 | class TestcaseTimeout(Exception):
2 |     """Base class for other exceptions"""
3 |     pass
4 | 


--------------------------------------------------------------------------------
/tools/domato/vbscript/README.md:
--------------------------------------------------------------------------------
1 | Script and grammar for fuzzing Microsoft VBScript engine.
2 | 
3 | Usage is the same as for DOM fuzzing.
4 | 


--------------------------------------------------------------------------------
/tools/domato/jscript/README.md:
--------------------------------------------------------------------------------
1 | Script and grammar for fuzzing Microsoft jscript.dll JavaScript engine.
2 | 
3 | Usage is the same as for DOM fuzzing.
4 | 


--------------------------------------------------------------------------------
/src/web_api/web_api_type.py:
--------------------------------------------------------------------------------
1 | from enum import Enum
2 | from enum import auto
3 | 
4 | class WebApiType(Enum):
5 |     read_property = auto()
6 |     write_property = auto()
7 |     call_method = auto()
8 |     construct = auto()


--------------------------------------------------------------------------------
/tools/domato/template.html:
--------------------------------------------------------------------------------
 1 | <!-- saved from url=(0014)about:internet -->
 2 | <html>
 3 | <head>
 4 | <style>
 5 | </style>
 6 | <script>
 7 | <foo_bar>
 8 | </script>
 9 | <head_script>
10 | </head>
11 | <body>
12 | <!--beginhtml-->
13 | <htmlfuzzer>
14 | <!--endhtml-->
15 | <body_script>
16 | </body>
17 | 
18 | </html>
19 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_0/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM python:3.7-alpine
 2 | WORKDIR /code
 3 | ENV FLASK_APP=app.py
 4 | ENV FLASK_RUN_HOST=0.0.0.0
 5 | RUN apk add --no-cache gcc musl-dev linux-headers
 6 | COPY requirements.txt requirements.txt
 7 | RUN pip install -r requirements.txt
 8 | EXPOSE 7000
 9 | COPY . .
10 | CMD ["flask", "run"]
11 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_1/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM python:3.7-alpine
 2 | WORKDIR /code
 3 | ENV FLASK_APP=app.py
 4 | ENV FLASK_RUN_HOST=0.0.0.0
 5 | RUN apk add --no-cache gcc musl-dev linux-headers
 6 | COPY requirements.txt requirements.txt
 7 | RUN pip install -r requirements.txt
 8 | EXPOSE 7001
 9 | COPY . .
10 | CMD ["flask", "run"]
11 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_10/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM python:3.7-alpine
 2 | WORKDIR /code
 3 | ENV FLASK_APP=app.py
 4 | ENV FLASK_RUN_HOST=0.0.0.0
 5 | RUN apk add --no-cache gcc musl-dev linux-headers
 6 | COPY requirements.txt requirements.txt
 7 | RUN pip install -r requirements.txt
 8 | EXPOSE 7010
 9 | COPY . .
10 | CMD ["flask", "run"]
11 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_2/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM python:3.7-alpine
 2 | WORKDIR /code
 3 | ENV FLASK_APP=app.py
 4 | ENV FLASK_RUN_HOST=0.0.0.0
 5 | RUN apk add --no-cache gcc musl-dev linux-headers
 6 | COPY requirements.txt requirements.txt
 7 | RUN pip install -r requirements.txt
 8 | EXPOSE 7002
 9 | COPY . .
10 | CMD ["flask", "run"]
11 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_3/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM python:3.7-alpine
 2 | WORKDIR /code
 3 | ENV FLASK_APP=app.py
 4 | ENV FLASK_RUN_HOST=0.0.0.0
 5 | RUN apk add --no-cache gcc musl-dev linux-headers
 6 | COPY requirements.txt requirements.txt
 7 | RUN pip install -r requirements.txt
 8 | EXPOSE 7003
 9 | COPY . .
10 | CMD ["flask", "run"]
11 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_4/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM python:3.7-alpine
 2 | WORKDIR /code
 3 | ENV FLASK_APP=app.py
 4 | ENV FLASK_RUN_HOST=0.0.0.0
 5 | RUN apk add --no-cache gcc musl-dev linux-headers
 6 | COPY requirements.txt requirements.txt
 7 | RUN pip install -r requirements.txt
 8 | EXPOSE 7004
 9 | COPY . .
10 | CMD ["flask", "run"]
11 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_5/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM python:3.7-alpine
 2 | WORKDIR /code
 3 | ENV FLASK_APP=app.py
 4 | ENV FLASK_RUN_HOST=0.0.0.0
 5 | RUN apk add --no-cache gcc musl-dev linux-headers
 6 | COPY requirements.txt requirements.txt
 7 | RUN pip install -r requirements.txt
 8 | EXPOSE 7005
 9 | COPY . .
10 | CMD ["flask", "run"]
11 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_6/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM python:3.7-alpine
 2 | WORKDIR /code
 3 | ENV FLASK_APP=app.py
 4 | ENV FLASK_RUN_HOST=0.0.0.0
 5 | RUN apk add --no-cache gcc musl-dev linux-headers
 6 | COPY requirements.txt requirements.txt
 7 | RUN pip install -r requirements.txt
 8 | EXPOSE 7006
 9 | COPY . .
10 | CMD ["flask", "run"]
11 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_7/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM python:3.7-alpine
 2 | WORKDIR /code
 3 | ENV FLASK_APP=app.py
 4 | ENV FLASK_RUN_HOST=0.0.0.0
 5 | RUN apk add --no-cache gcc musl-dev linux-headers
 6 | COPY requirements.txt requirements.txt
 7 | RUN pip install -r requirements.txt
 8 | EXPOSE 7007
 9 | COPY . .
10 | CMD ["flask", "run"]
11 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_8/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM python:3.7-alpine
 2 | WORKDIR /code
 3 | ENV FLASK_APP=app.py
 4 | ENV FLASK_RUN_HOST=0.0.0.0
 5 | RUN apk add --no-cache gcc musl-dev linux-headers
 6 | COPY requirements.txt requirements.txt
 7 | RUN pip install -r requirements.txt
 8 | EXPOSE 7008
 9 | COPY . .
10 | CMD ["flask", "run"]
11 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_9/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM python:3.7-alpine
 2 | WORKDIR /code
 3 | ENV FLASK_APP=app.py
 4 | ENV FLASK_RUN_HOST=0.0.0.0
 5 | RUN apk add --no-cache gcc musl-dev linux-headers
 6 | COPY requirements.txt requirements.txt
 7 | RUN pip install -r requirements.txt
 8 | EXPOSE 7009
 9 | COPY . .
10 | CMD ["flask", "run"]
11 | 


--------------------------------------------------------------------------------
/src/js_api/js_api_type.py:
--------------------------------------------------------------------------------
 1 | from enum import Enum
 2 | from enum import auto
 3 | 
 4 | class JsApiType(Enum):
 5 |     assign = auto()
 6 |     operation_addition = auto()
 7 |     operation_minus = auto()
 8 |     operation_multiple = auto()
 9 |     operation_division = auto()
10 |     operation_equal = auto()
11 |     operation_not_equal = auto()
12 |     


--------------------------------------------------------------------------------
/kill.sh:
--------------------------------------------------------------------------------
1 | ps -ef | grep fuzzer.fuzzer | awk -F" " '{print "kill -9 " $2}' | sh
2 | ps -ef | grep chrome | grep /home/shelling/chromium | awk -F" " '{print "kill -9 " $2}' | sh
3 | ps -ef | grep geckodriver  | awk -F" " '{print "kill -9 " $2}' | sh
4 | ps -ef | grep firefox-bin  | awk -F" " '{print "kill -9 " $2}' | sh
5 | ps -ef | grep msedgedriver  | awk -F" " '{print "kill -9 " $2}' | sh
6 | ps -ef | grep msedge  | awk -F" " '{print "kill -9 " $2}' | sh
7 | ps -ef | grep firefox  | awk -F" " '{print "kill -9 " $2}' | sh
8 | ps -ef | grep chrome  | awk -F" " '{print "kill -9 " $2}' | sh
9 | 


--------------------------------------------------------------------------------
/src/script/testcase.py:
--------------------------------------------------------------------------------
 1 | from src.script.web_page import WebPage
 2 | 
 3 | class Testcase:
 4 |     def __init__(self, name, origins, pages):
 5 |         self.data = {}
 6 |         self.name = name
 7 |         self.origins = origins
 8 |         self.pages = pages
 9 | 
10 |         for o in range(self.origins):
11 |             self.data[o] = {}
12 |             # for p in range(pages):
13 |             #     self.data[o][p]
14 |     
15 |     def add(self, html, origin, page):
16 |         self.data[origin][page] = html
17 | 
18 |     def get(self, origin, page):
19 |         return self.data[origin][page]
20 | 


--------------------------------------------------------------------------------
/src/script/string_instruction.py:
--------------------------------------------------------------------------------
 1 | from src.web_api.web_object import WebObject
 2 | from src.web_api.web_api_type import WebApiType
 3 | 
 4 | class StrInstruction:
 5 |     def __init__(self, text, keep=True):
 6 |         self.text = text
 7 |         self.keep = keep
 8 | 
 9 |     def lift(self, guard=False, debug=False, indent=0):
10 |         code = self.text
11 |         if guard:
12 |             code = "try {" + code + "} catch(e) {"
13 |             if debug:
14 |                 code += "console.log(e);"
15 |             code += "} "
16 | 
17 |         code = "  " * indent + code
18 | 
19 |         return code
20 | 


--------------------------------------------------------------------------------
/tools/domato/php/README.md:
--------------------------------------------------------------------------------
 1 | The `php_generated.txt` file was generated by running `parse_types.py` on the
 2 | source code of php.
 3 | 
 4 | Possible improvements:
 5 | - Callbacks are currently unused (`<fuzzfunction>` always point to `phpinfo`).
 6 | 	Generating callback code in a similar manner to the main function could
 7 | 	potentially expose additional bugs, especially if callbacks get access to the
 8 | 	same variables / can mess up stuff that the caller didn't expect.
 9 | - Currently, the return values from the function / method calls are ignored.
10 | 	In cases where function / method calls return non-trivial types, it be better
11 | 	to store these return values in variables and use them as function arguments
12 | 	in later calls or potentially call methods on these "generated" objects.
13 | - It would be great to be able to infer the expected classes of the objects
14 | 	parameters taken by functions/methods.
15 | - The `parse_type.py` code is ugly, and should be refactored a bit.
16 | - Randomize the references (`$ref_` in template.php).
17 | 
18 | 


--------------------------------------------------------------------------------
/tools/domato/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # How to contribute
 2 | 
 3 | We'd love to accept your patches and contributions to this project. There are
 4 | just a few small guidelines you need to follow.
 5 | 
 6 | ## Contributor License Agreement
 7 | 
 8 | Contributions to any Google project must be accompanied by a Contributor License
 9 | Agreement. This is necessary because you own the copyright to your changes, even
10 | after your contribution becomes part of this project. So this agreement simply
11 | gives us permission to use and redistribute your contributions as part of the
12 | project. Head over to <https://cla.developers.google.com/> to see your current
13 | agreements on file or to sign a new one.
14 | 
15 | You generally only need to submit a CLA once, so if you've already submitted one
16 | (even if it was for a different project), you probably don't need to do it
17 | again.
18 | 
19 | ## Code reviews
20 | 
21 | All submissions, including submissions by project members, require review. We
22 | use GitHub pull requests for this purpose. Consult [GitHub Help] for more
23 | information on using pull requests.
24 | 
25 | [GitHub Help]: https://help.github.com/articles/about-pull-requests/
26 | 


--------------------------------------------------------------------------------
/src/web_api/tag_manager.py:
--------------------------------------------------------------------------------
 1 | import json
 2 | import random
 3 | 
 4 | class TagManager:
 5 |     __grammar = None
 6 | 
 7 |     @classmethod
 8 |     def init(cls):
 9 |         if cls.__grammar is None:
10 |             with open("src/web_api/tag.json") as f:
11 |                 cls.__grammar = json.load(f)
12 | 
13 |     @classmethod
14 |     def bind(cls, name):
15 |         cls.init()
16 |         if name in cls.__grammar:
17 |             try:
18 |                 obj = cls.__grammar[name]
19 |                 if obj:
20 |                     return obj
21 |                 else:
22 |                     return "HTMLElement"
23 |             except KeyError as e:
24 |                 return "HTMLElement"
25 | 
26 |     @classmethod
27 |     def tags(cls):
28 |         cls.init()
29 |         return list(cls.__grammar.keys())
30 | 
31 |     @classmethod
32 |     def random_tag(cls):
33 |         cls.init()
34 |         tag = random.choice(list(cls.__grammar.keys()))
35 |         return f"'{tag}'"
36 | 
37 | 
38 | def main():
39 |     candidate = TagManager.tags()
40 |     print(candidate)
41 | 
42 |     obj = TagManager.bind("a")
43 |     print(obj)
44 | 
45 | if __name__ == "__main__":
46 |     main()


--------------------------------------------------------------------------------
/tools/domato/mathml/test.py:
--------------------------------------------------------------------------------
 1 | #   Copyright 2017 Google Inc. All Rights Reserved.
 2 | #   Licensed under the Apache License, Version 2.0 (the "License");
 3 | #   you may not use this file except in compliance with the License.
 4 | #   You may obtain a copy of the License at
 5 | #
 6 | #       http://www.apache.org/licenses/LICENSE-2.0
 7 | #
 8 | #   Unless required by applicable law or agreed to in writing, software
 9 | #   distributed under the License is distributed on an "AS IS" BASIS,
10 | #   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11 | #   See the License for the specific language governing permissions and
12 | #   limitations under the License.
13 | 
14 | from __future__ import print_function
15 | import os
16 | import re
17 | import random
18 | import sys
19 | 
20 | from grammar import Grammar
21 | 
22 | cssgrammar = Grammar()
23 | err = cssgrammar.parse_from_file('css.txt')
24 | 
25 | htmlgrammar = Grammar()
26 | htmlgrammar.add_import('cssgrammar', cssgrammar)
27 | htmlgrammar.parse_from_file('mathml.txt')
28 | 
29 | # result_string = htmlgrammar .generate_symbol('svgelement_svg')
30 | # just math, without svg
31 | 
32 | result_string = htmlgrammar .generate_symbol('mathelement_math')
33 | print('\n' + result_string)
34 | 


--------------------------------------------------------------------------------
/tools/domato/canvas/template.html:
--------------------------------------------------------------------------------
 1 | <!-- #   Copyright 2017 Google Inc. All Rights Reserved.
 2 | #   Licensed under the Apache License, Version 2.0 (the "License");
 3 | #   you may not use this file except in compliance with the License.
 4 | #   You may obtain a copy of the License at
 5 | #
 6 | #       http://www.apache.org/licenses/LICENSE-2.0
 7 | #
 8 | #   Unless required by applicable law or agreed to in writing, software
 9 | #   distributed under the License is distributed on an "AS IS" BASIS,
10 | #   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11 | #   See the License for the specific language governing permissions and
12 | #   limitations under the License.
13 |  -->
14 |  
15 | <input id="button" type="range" min="1" max="12">
16 | 
17 | <script>
18 | 
19 | function GetVariable(fuzzervars, var_type) { if(fuzzervars[var_type]) { return fuzzervars[var_type]; } else { return null; }}
20 | 
21 | function SetVariable(fuzzervars, var_name, var_type) { fuzzervars[var_type] = var_name; }
22 | 
23 | var canvas = document.createElement('canvas');
24 | 
25 | canvas.id = "canvas";
26 | canvas.width = 200;
27 | canvas.height = 200;
28 | canvas.style.position = "absolute";
29 | canvas.style.border = "1px solid";
30 | 
31 | var body = document.getElementsByTagName("body")[0];
32 | body.appendChild(canvas);
33 | 
34 | var ctx = canvas.getContext('2d');
35 | 
36 | <canvasfuzz>
37 | 
38 | </script>


--------------------------------------------------------------------------------
/servers/docker-compose.yml:
--------------------------------------------------------------------------------
 1 | version: "3.5"
 2 | services:
 3 |   idx_0:
 4 |     build: dockers/idx_0
 5 |     ports:
 6 |       - "7000:5000"
 7 |     volumes:
 8 |       - ./data/idx_0:/data
 9 |   idx_1:
10 |     build: dockers/idx_1
11 |     ports:
12 |       - "7001:5000"
13 |     volumes:
14 |       - ./data/idx_1:/data
15 |   idx_2:
16 |     build: dockers/idx_2
17 |     ports:
18 |       - "7002:5000"
19 |     volumes:
20 |       - ./data/idx_2:/data
21 |   idx_3:
22 |     build: dockers/idx_3
23 |     ports:
24 |       - "7003:5000"
25 |     volumes:
26 |       - ./data/idx_3:/data
27 |   idx_4:
28 |     build: dockers/idx_4
29 |     ports:
30 |       - "7004:5000"
31 |     volumes:
32 |       - ./data/idx_4:/data
33 |   idx_5:
34 |     build: dockers/idx_5
35 |     ports:
36 |       - "7005:5000"
37 |     volumes:
38 |       - ./data/idx_5:/data
39 |   idx_6:
40 |     build: dockers/idx_6
41 |     ports:
42 |       - "7006:5000"
43 |     volumes:
44 |       - ./data/idx_6:/data
45 |   idx_7:
46 |     build: dockers/idx_7
47 |     ports:
48 |       - "7007:5000"
49 |     volumes:
50 |       - ./data/idx_7:/data
51 |   idx_8:
52 |     build: dockers/idx_8
53 |     ports:
54 |       - "7008:5000"
55 |     volumes:
56 |       - ./data/idx_8:/data
57 |   idx_9:
58 |     build: dockers/idx_9
59 |     ports:
60 |       - "7009:5000"
61 |     volumes:
62 |       - ./data/idx_9:/data
63 |   idx_10:
64 |     build: dockers/idx_10
65 |     ports:
66 |       - "7010:5000"
67 |     volumes:
68 |       - ./data/idx_10:/data


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # FuzzOrigin
 2 | 
 3 | ## Paper
 4 | [FuzzOrigin: Detecting UXSS vulnerabilities in Browsers through Origin Fuzzing](https://www.usenix.org/conference/usenixsecurity22/presentation/kim)
 5 | 
 6 | ## Server Setting
 7 | ```
 8 | $ sudo apt-get install docker-compose
 9 | $ cd servers
10 | $ sudo docker-compose up -d
11 | $ sudo chown -R $(id -nu):$(id -ng) .
12 | ```
13 | 
14 | ## Download chrome
15 | ```
16 | $ python3 chrome_downloader.py [version]
17 | ```
18 | Visit [OmahaProxy](https://omahaproxy.appspot.com/) to check chrome version.
19 | 
20 | ## Run fuzzer
21 | python3 -m src.fuzzer.fuzzer [browser type] [browser binary] [idx]
22 | - browser type: chrome, firefox, edge
23 | - browser binary: browser binary path
24 | - idx: test idx
25 | ```
26 | $ python3 -m src.fuzzer.fuzzer chrome chrome/103.0.5042.0_999146/chrome 0
27 | ```
28 | 
29 | ## Result
30 | tests/output_[idx]
31 | ```
32 | $ ls tests/output_0
33 | ```
34 | 
35 | ## Citation
36 | ```
37 | @inproceedings {281314,
38 |     author = {Sunwoo Kim and Young Min Kim and Jaewon Hur and Suhwan Song and Gwangmu Lee and Byoungyoung Lee},
39 |     title = {{FuzzOrigin}: Detecting {UXSS} vulnerabilities in Browsers through Origin Fuzzing},
40 |     booktitle = {31st USENIX Security Symposium (USENIX Security 22)},
41 |     year = {2022},
42 |     isbn = {978-1-939133-31-1},
43 |     address = {Boston, MA},
44 |     pages = {1008--1023},
45 |     url = {https://www.usenix.org/conference/usenixsecurity22/presentation/kim},
46 |     publisher = {USENIX Association},
47 |     month = aug,
48 | }
49 | ```


--------------------------------------------------------------------------------
/src/script/script.py:
--------------------------------------------------------------------------------
 1 | from src.script.web_instruction import WebInstruction
 2 | from src.script.statement import *
 3 | from src.web_api.web_api_type import WebApiType
 4 | 
 5 | 
 6 | class Script:
 7 |     def __init__(self):
 8 |         self.instructions = []
 9 | 
10 |     def lift(self, guard=False, debug=False, indent=0):
11 |         code = ""
12 |         for inst in self.instructions:
13 |             code += inst.lift(guard, debug, indent) + "\n"
14 |         return code
15 | 
16 | 
17 | def main():
18 |     sc = Script()
19 |     inst = WebInstruction("v1", [], "v2", "Node", WebApiType.read_property, "baseURI")
20 |     sc.instructions.append(inst)
21 |     
22 |     state = IfElseStatement()
23 |     inst = WebInstruction("v1", [], "v2", "Node", WebApiType.write_property, "nodeValue")
24 |     state.if_instructions.append(inst)
25 | 
26 |     sc.instructions.append(state)
27 | 
28 |     inst = WebInstruction("v1", ["v2"], "v3", "Element", WebApiType.call_method, "appendChild")
29 |     sc.instructions.append(inst)
30 | 
31 |     state = FunctionStatement("f1", ["v1"])
32 |     inst = WebInstruction("v1", [], "v2", "Node", WebApiType.read_property, "baseURI")
33 |     state.instructions.append(inst)
34 |     sc.instructions.append(state)
35 | 
36 |     state = TryCatchStatement()
37 |     inst = WebInstruction("v1", [], None, "Node", WebApiType.read_property, "baseURI")
38 |     state.try_instructions.append(inst)
39 |     inst = WebInstruction("v1", ["v2"], "v3", "Element", WebApiType.call_method, "appendChild")
40 |     state.catch_instructions.append(inst)
41 |     sc.instructions.append(state)
42 | 
43 | 
44 | if __name__ == "__main__":
45 |     main()
46 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_1/app.py:
--------------------------------------------------------------------------------
 1 | import flask
 2 | import time
 3 | import logging
 4 |  
 5 | logging.basicConfig(filename = "/data/log.txt", level = logging.DEBUG)
 6 | 
 7 | app = flask.Flask(__name__)
 8 | 
 9 | @app.route('/sop/<name>')
10 | def sop_send(name):
11 |     with open(f"/data/sop/{name}") as f:
12 |         html = f.read()
13 | 
14 |     response = flask.Response(html)
15 |     response.headers["X-Frame-Options"] = "SAMEORIGIN"
16 |     return response
17 | 
18 | @app.route('/<name>')
19 | def send(name):
20 |     # return flask.send_from_directory('.', name)
21 |     logging.info(f"[LOG] {name}")
22 |     r = flask.make_response(flask.send_from_directory('/data', name))
23 |     r.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
24 |     r.headers["Pragma"] = "no-cache"
25 |     r.headers["Expires"] = "0"
26 |     r.headers['Cache-Control'] = 'public, max-age=0'
27 |     r.set_cookie('userID', 'parent')
28 |     return r
29 | 
30 | @app.route('/svg/<name>')
31 | def svg_send(name):
32 |     with open("/data/svg/template.svg") as f:
33 |         html = f.read()
34 |     html = html.replace("<name>", name.split(".")[0])
35 |     r = flask.Response(html, mimetype='image/svg+xml')
36 |     return r
37 | 
38 | @app.route('/svg_parent/<name>')
39 | def svg_parent_send(name):
40 |     with open("/data/svg/template.svg") as f:
41 |         html = f.read()
42 |     html = html.replace("<name>", f"{name.split('.')[0]}.parentNode")
43 |     r = flask.Response(html, mimetype='image/svg+xml')
44 |     return r
45 | 
46 | @app.route('/')
47 | def hello_world():
48 |     return 'Hello, idx_1!'
49 | 
50 | if __name__ == '__main__':
51 |     app.debug=True
52 |     app.run(host="0.0.0.0", port=7001)
53 |     #app.run(port=7000)
54 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_10/app.py:
--------------------------------------------------------------------------------
 1 | import flask
 2 | import time
 3 | import logging
 4 |  
 5 | logging.basicConfig(filename = "/data/log.txt", level = logging.DEBUG)
 6 | 
 7 | app = flask.Flask(__name__)
 8 | 
 9 | @app.route('/sop/<name>')
10 | def sop_send(name):
11 |     with open(f"/data/sop/{name}") as f:
12 |         html = f.read()
13 | 
14 |     response = flask.Response(html)
15 |     response.headers["X-Frame-Options"] = "SAMEORIGIN"
16 |     return response
17 | 
18 | @app.route('/<name>')
19 | def send(name):
20 |     # return flask.send_from_directory('.', name)
21 |     logging.info(f"[LOG] {name}")
22 |     r = flask.make_response(flask.send_from_directory('/data', name))
23 |     r.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
24 |     r.headers["Pragma"] = "no-cache"
25 |     r.headers["Expires"] = "0"
26 |     r.headers['Cache-Control'] = 'public, max-age=0'
27 |     r.set_cookie('userID', 'parent')
28 |     return r
29 | 
30 | @app.route('/svg/<name>')
31 | def svg_send(name):
32 |     with open("/data/svg/template.svg") as f:
33 |         html = f.read()
34 |     html = html.replace("<name>", name.split(".")[0])
35 |     r = flask.Response(html, mimetype='image/svg+xml')
36 |     return r
37 | 
38 | @app.route('/svg_parent/<name>')
39 | def svg_parent_send(name):
40 |     with open("/data/svg/template.svg") as f:
41 |         html = f.read()
42 |     html = html.replace("<name>", f"{name.split('.')[0]}.parentNode")
43 |     r = flask.Response(html, mimetype='image/svg+xml')
44 |     return r
45 | 
46 | @app.route('/')
47 | def hello_world():
48 |     return 'Hello, idx_10!'
49 | 
50 | if __name__ == '__main__':
51 |     app.debug=True
52 |     app.run(host="0.0.0.0", port=7010)
53 |     #app.run(port=7000)
54 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_2/app.py:
--------------------------------------------------------------------------------
 1 | import flask
 2 | import time
 3 | import logging
 4 |  
 5 | logging.basicConfig(filename = "/data/log.txt", level = logging.DEBUG)
 6 | 
 7 | app = flask.Flask(__name__)
 8 | 
 9 | @app.route('/sop/<name>')
10 | def sop_send(name):
11 |     with open(f"/data/sop/{name}") as f:
12 |         html = f.read()
13 | 
14 |     response = flask.Response(html)
15 |     response.headers["X-Frame-Options"] = "SAMEORIGIN"
16 |     return response
17 | 
18 | @app.route('/<name>')
19 | def send(name):
20 |     # return flask.send_from_directory('.', name)
21 |     logging.info(f"[LOG] {name}")
22 |     r = flask.make_response(flask.send_from_directory('/data', name))
23 |     r.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
24 |     r.headers["Pragma"] = "no-cache"
25 |     r.headers["Expires"] = "0"
26 |     r.headers['Cache-Control'] = 'public, max-age=0'
27 |     r.set_cookie('userID', 'parent')
28 |     return r
29 | 
30 | @app.route('/svg/<name>')
31 | def svg_send(name):
32 |     with open("/data/svg/template.svg") as f:
33 |         html = f.read()
34 |     html = html.replace("<name>", name.split(".")[0])
35 |     r = flask.Response(html, mimetype='image/svg+xml')
36 |     return r
37 | 
38 | @app.route('/svg_parent/<name>')
39 | def svg_parent_send(name):
40 |     with open("/data/svg/template.svg") as f:
41 |         html = f.read()
42 |     html = html.replace("<name>", f"{name.split('.')[0]}.parentNode")
43 |     r = flask.Response(html, mimetype='image/svg+xml')
44 |     return r
45 | 
46 | @app.route('/')
47 | def hello_world():
48 |     return 'Hello, idx_2!'
49 | 
50 | if __name__ == '__main__':
51 |     app.debug=True
52 |     app.run(host="0.0.0.0", port=7002)
53 |     #app.run(port=7000)
54 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_3/app.py:
--------------------------------------------------------------------------------
 1 | import flask
 2 | import time
 3 | import logging
 4 |  
 5 | logging.basicConfig(filename = "/data/log.txt", level = logging.DEBUG)
 6 | 
 7 | app = flask.Flask(__name__)
 8 | 
 9 | @app.route('/sop/<name>')
10 | def sop_send(name):
11 |     with open(f"/data/sop/{name}") as f:
12 |         html = f.read()
13 | 
14 |     response = flask.Response(html)
15 |     response.headers["X-Frame-Options"] = "SAMEORIGIN"
16 |     return response
17 | 
18 | @app.route('/<name>')
19 | def send(name):
20 |     # return flask.send_from_directory('.', name)
21 |     logging.info(f"[LOG] {name}")
22 |     r = flask.make_response(flask.send_from_directory('/data', name))
23 |     r.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
24 |     r.headers["Pragma"] = "no-cache"
25 |     r.headers["Expires"] = "0"
26 |     r.headers['Cache-Control'] = 'public, max-age=0'
27 |     r.set_cookie('userID', 'parent')
28 |     return r
29 | 
30 | @app.route('/svg/<name>')
31 | def svg_send(name):
32 |     with open("/data/svg/template.svg") as f:
33 |         html = f.read()
34 |     html = html.replace("<name>", name.split(".")[0])
35 |     r = flask.Response(html, mimetype='image/svg+xml')
36 |     return r
37 | 
38 | @app.route('/svg_parent/<name>')
39 | def svg_parent_send(name):
40 |     with open("/data/svg/template.svg") as f:
41 |         html = f.read()
42 |     html = html.replace("<name>", f"{name.split('.')[0]}.parentNode")
43 |     r = flask.Response(html, mimetype='image/svg+xml')
44 |     return r
45 | 
46 | @app.route('/')
47 | def hello_world():
48 |     return 'Hello, idx_3!'
49 | 
50 | if __name__ == '__main__':
51 |     app.debug=True
52 |     app.run(host="0.0.0.0", port=7003)
53 |     #app.run(port=7000)
54 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_4/app.py:
--------------------------------------------------------------------------------
 1 | import flask
 2 | import time
 3 | import logging
 4 |  
 5 | logging.basicConfig(filename = "/data/log.txt", level = logging.DEBUG)
 6 | 
 7 | app = flask.Flask(__name__)
 8 | 
 9 | @app.route('/sop/<name>')
10 | def sop_send(name):
11 |     with open(f"/data/sop/{name}") as f:
12 |         html = f.read()
13 | 
14 |     response = flask.Response(html)
15 |     response.headers["X-Frame-Options"] = "SAMEORIGIN"
16 |     return response
17 | 
18 | @app.route('/<name>')
19 | def send(name):
20 |     # return flask.send_from_directory('.', name)
21 |     logging.info(f"[LOG] {name}")
22 |     r = flask.make_response(flask.send_from_directory('/data', name))
23 |     r.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
24 |     r.headers["Pragma"] = "no-cache"
25 |     r.headers["Expires"] = "0"
26 |     r.headers['Cache-Control'] = 'public, max-age=0'
27 |     r.set_cookie('userID', 'parent')
28 |     return r
29 | 
30 | @app.route('/svg/<name>')
31 | def svg_send(name):
32 |     with open("/data/svg/template.svg") as f:
33 |         html = f.read()
34 |     html = html.replace("<name>", name.split(".")[0])
35 |     r = flask.Response(html, mimetype='image/svg+xml')
36 |     return r
37 | 
38 | @app.route('/svg_parent/<name>')
39 | def svg_parent_send(name):
40 |     with open("/data/svg/template.svg") as f:
41 |         html = f.read()
42 |     html = html.replace("<name>", f"{name.split('.')[0]}.parentNode")
43 |     r = flask.Response(html, mimetype='image/svg+xml')
44 |     return r
45 | 
46 | @app.route('/')
47 | def hello_world():
48 |     return 'Hello, idx_4!'
49 | 
50 | if __name__ == '__main__':
51 |     app.debug=True
52 |     app.run(host="0.0.0.0", port=7004)
53 |     #app.run(port=7000)
54 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_5/app.py:
--------------------------------------------------------------------------------
 1 | import flask
 2 | import time
 3 | import logging
 4 |  
 5 | logging.basicConfig(filename = "/data/log.txt", level = logging.DEBUG)
 6 | 
 7 | app = flask.Flask(__name__)
 8 | 
 9 | @app.route('/sop/<name>')
10 | def sop_send(name):
11 |     with open(f"/data/sop/{name}") as f:
12 |         html = f.read()
13 | 
14 |     response = flask.Response(html)
15 |     response.headers["X-Frame-Options"] = "SAMEORIGIN"
16 |     return response
17 | 
18 | @app.route('/<name>')
19 | def send(name):
20 |     # return flask.send_from_directory('.', name)
21 |     logging.info(f"[LOG] {name}")
22 |     r = flask.make_response(flask.send_from_directory('/data', name))
23 |     r.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
24 |     r.headers["Pragma"] = "no-cache"
25 |     r.headers["Expires"] = "0"
26 |     r.headers['Cache-Control'] = 'public, max-age=0'
27 |     r.set_cookie('userID', 'parent')
28 |     return r
29 | 
30 | @app.route('/svg/<name>')
31 | def svg_send(name):
32 |     with open("/data/svg/template.svg") as f:
33 |         html = f.read()
34 |     html = html.replace("<name>", name.split(".")[0])
35 |     r = flask.Response(html, mimetype='image/svg+xml')
36 |     return r
37 | 
38 | @app.route('/svg_parent/<name>')
39 | def svg_parent_send(name):
40 |     with open("/data/svg/template.svg") as f:
41 |         html = f.read()
42 |     html = html.replace("<name>", f"{name.split('.')[0]}.parentNode")
43 |     r = flask.Response(html, mimetype='image/svg+xml')
44 |     return r
45 | 
46 | @app.route('/')
47 | def hello_world():
48 |     return 'Hello, idx_5!'
49 | 
50 | if __name__ == '__main__':
51 |     app.debug=True
52 |     app.run(host="0.0.0.0", port=7005)
53 |     #app.run(port=7000)
54 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_6/app.py:
--------------------------------------------------------------------------------
 1 | import flask
 2 | import time
 3 | import logging
 4 |  
 5 | logging.basicConfig(filename = "/data/log.txt", level = logging.DEBUG)
 6 | 
 7 | app = flask.Flask(__name__)
 8 | 
 9 | @app.route('/sop/<name>')
10 | def sop_send(name):
11 |     with open(f"/data/sop/{name}") as f:
12 |         html = f.read()
13 | 
14 |     response = flask.Response(html)
15 |     response.headers["X-Frame-Options"] = "SAMEORIGIN"
16 |     return response
17 | 
18 | @app.route('/<name>')
19 | def send(name):
20 |     # return flask.send_from_directory('.', name)
21 |     logging.info(f"[LOG] {name}")
22 |     r = flask.make_response(flask.send_from_directory('/data', name))
23 |     r.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
24 |     r.headers["Pragma"] = "no-cache"
25 |     r.headers["Expires"] = "0"
26 |     r.headers['Cache-Control'] = 'public, max-age=0'
27 |     r.set_cookie('userID', 'parent')
28 |     return r
29 | 
30 | @app.route('/svg/<name>')
31 | def svg_send(name):
32 |     with open("/data/svg/template.svg") as f:
33 |         html = f.read()
34 |     html = html.replace("<name>", name.split(".")[0])
35 |     r = flask.Response(html, mimetype='image/svg+xml')
36 |     return r
37 | 
38 | @app.route('/svg_parent/<name>')
39 | def svg_parent_send(name):
40 |     with open("/data/svg/template.svg") as f:
41 |         html = f.read()
42 |     html = html.replace("<name>", f"{name.split('.')[0]}.parentNode")
43 |     r = flask.Response(html, mimetype='image/svg+xml')
44 |     return r
45 | 
46 | @app.route('/')
47 | def hello_world():
48 |     return 'Hello, idx_6!'
49 | 
50 | if __name__ == '__main__':
51 |     app.debug=True
52 |     app.run(host="0.0.0.0", port=7006)
53 |     #app.run(port=7000)
54 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_7/app.py:
--------------------------------------------------------------------------------
 1 | import flask
 2 | import time
 3 | import logging
 4 |  
 5 | logging.basicConfig(filename = "/data/log.txt", level = logging.DEBUG)
 6 | 
 7 | app = flask.Flask(__name__)
 8 | 
 9 | @app.route('/sop/<name>')
10 | def sop_send(name):
11 |     with open(f"/data/sop/{name}") as f:
12 |         html = f.read()
13 | 
14 |     response = flask.Response(html)
15 |     response.headers["X-Frame-Options"] = "SAMEORIGIN"
16 |     return response
17 | 
18 | @app.route('/<name>')
19 | def send(name):
20 |     # return flask.send_from_directory('.', name)
21 |     logging.info(f"[LOG] {name}")
22 |     r = flask.make_response(flask.send_from_directory('/data', name))
23 |     r.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
24 |     r.headers["Pragma"] = "no-cache"
25 |     r.headers["Expires"] = "0"
26 |     r.headers['Cache-Control'] = 'public, max-age=0'
27 |     r.set_cookie('userID', 'parent')
28 |     return r
29 | 
30 | @app.route('/svg/<name>')
31 | def svg_send(name):
32 |     with open("/data/svg/template.svg") as f:
33 |         html = f.read()
34 |     html = html.replace("<name>", name.split(".")[0])
35 |     r = flask.Response(html, mimetype='image/svg+xml')
36 |     return r
37 | 
38 | @app.route('/svg_parent/<name>')
39 | def svg_parent_send(name):
40 |     with open("/data/svg/template.svg") as f:
41 |         html = f.read()
42 |     html = html.replace("<name>", f"{name.split('.')[0]}.parentNode")
43 |     r = flask.Response(html, mimetype='image/svg+xml')
44 |     return r
45 | 
46 | @app.route('/')
47 | def hello_world():
48 |     return 'Hello, idx_7!'
49 | 
50 | if __name__ == '__main__':
51 |     app.debug=True
52 |     app.run(host="0.0.0.0", port=7007)
53 |     #app.run(port=7000)
54 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_8/app.py:
--------------------------------------------------------------------------------
 1 | import flask
 2 | import time
 3 | import logging
 4 |  
 5 | logging.basicConfig(filename = "/data/log.txt", level = logging.DEBUG)
 6 | 
 7 | app = flask.Flask(__name__)
 8 | 
 9 | @app.route('/sop/<name>')
10 | def sop_send(name):
11 |     with open(f"/data/sop/{name}") as f:
12 |         html = f.read()
13 | 
14 |     response = flask.Response(html)
15 |     response.headers["X-Frame-Options"] = "SAMEORIGIN"
16 |     return response
17 | 
18 | @app.route('/<name>')
19 | def send(name):
20 |     # return flask.send_from_directory('.', name)
21 |     logging.info(f"[LOG] {name}")
22 |     r = flask.make_response(flask.send_from_directory('/data', name))
23 |     r.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
24 |     r.headers["Pragma"] = "no-cache"
25 |     r.headers["Expires"] = "0"
26 |     r.headers['Cache-Control'] = 'public, max-age=0'
27 |     r.set_cookie('userID', 'parent')
28 |     return r
29 | 
30 | @app.route('/svg/<name>')
31 | def svg_send(name):
32 |     with open("/data/svg/template.svg") as f:
33 |         html = f.read()
34 |     html = html.replace("<name>", name.split(".")[0])
35 |     r = flask.Response(html, mimetype='image/svg+xml')
36 |     return r
37 | 
38 | @app.route('/svg_parent/<name>')
39 | def svg_parent_send(name):
40 |     with open("/data/svg/template.svg") as f:
41 |         html = f.read()
42 |     html = html.replace("<name>", f"{name.split('.')[0]}.parentNode")
43 |     r = flask.Response(html, mimetype='image/svg+xml')
44 |     return r
45 | 
46 | @app.route('/')
47 | def hello_world():
48 |     return 'Hello, idx_8!'
49 | 
50 | if __name__ == '__main__':
51 |     app.debug=True
52 |     app.run(host="0.0.0.0", port=7008)
53 |     #app.run(port=7000)
54 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_9/app.py:
--------------------------------------------------------------------------------
 1 | import flask
 2 | import time
 3 | import logging
 4 |  
 5 | logging.basicConfig(filename = "/data/log.txt", level = logging.DEBUG)
 6 | 
 7 | app = flask.Flask(__name__)
 8 | 
 9 | @app.route('/sop/<name>')
10 | def sop_send(name):
11 |     with open(f"/data/sop/{name}") as f:
12 |         html = f.read()
13 | 
14 |     response = flask.Response(html)
15 |     response.headers["X-Frame-Options"] = "SAMEORIGIN"
16 |     return response
17 | 
18 | @app.route('/<name>')
19 | def send(name):
20 |     # return flask.send_from_directory('.', name)
21 |     logging.info(f"[LOG] {name}")
22 |     r = flask.make_response(flask.send_from_directory('/data', name))
23 |     r.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
24 |     r.headers["Pragma"] = "no-cache"
25 |     r.headers["Expires"] = "0"
26 |     r.headers['Cache-Control'] = 'public, max-age=0'
27 |     r.set_cookie('userID', 'parent')
28 |     return r
29 | 
30 | @app.route('/svg/<name>')
31 | def svg_send(name):
32 |     with open("/data/svg/template.svg") as f:
33 |         html = f.read()
34 |     html = html.replace("<name>", name.split(".")[0])
35 |     r = flask.Response(html, mimetype='image/svg+xml')
36 |     return r
37 | 
38 | @app.route('/svg_parent/<name>')
39 | def svg_parent_send(name):
40 |     with open("/data/svg/template.svg") as f:
41 |         html = f.read()
42 |     html = html.replace("<name>", f"{name.split('.')[0]}.parentNode")
43 |     r = flask.Response(html, mimetype='image/svg+xml')
44 |     return r
45 | 
46 | @app.route('/')
47 | def hello_world():
48 |     return 'Hello, idx_9!'
49 | 
50 | if __name__ == '__main__':
51 |     app.debug=True
52 |     app.run(host="0.0.0.0", port=7009)
53 |     #app.run(port=7000)
54 | 


--------------------------------------------------------------------------------
/servers/dockers/idx_0/app.py:
--------------------------------------------------------------------------------
 1 | import flask
 2 | import time
 3 | import logging
 4 |  
 5 | logging.basicConfig(filename = "/data/log.txt", level = logging.DEBUG)
 6 | 
 7 | app = flask.Flask(__name__)
 8 | 
 9 | @app.route('/sop/<name>')
10 | def sop_send(name):
11 |     with open(f"/data/sop/{name}") as f:
12 |         html = f.read()
13 | 
14 |     response = flask.Response(html)
15 |     response.headers["X-Frame-Options"] = "SAMEORIGIN"
16 |     return response
17 | 
18 | @app.route('/<name>')
19 | def send(name):
20 |     # return flask.send_from_directory('.', name)
21 |     logging.info(f"[LOG] {name}")
22 |     r = flask.make_response(flask.send_from_directory('/data', name))
23 |     r.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
24 |     r.headers["Pragma"] = "no-cache"
25 |     r.headers["Expires"] = "0"
26 |     r.headers['Cache-Control'] = 'public, max-age=0'
27 |     r.set_cookie('userID', 'parent')
28 |     
29 |     return r
30 | 
31 | @app.route('/svg/<name>')
32 | def svg_send(name):
33 |     with open("/data/svg/template.svg") as f:
34 |         html = f.read()
35 |     html = html.replace("<name>", name.split(".")[0])
36 |     r = flask.Response(html, mimetype='image/svg+xml')
37 |     return r
38 | 
39 | @app.route('/svg_parent/<name>')
40 | def svg_parent_send(name):
41 |     with open("/data/svg/template.svg") as f:
42 |         html = f.read()
43 |     html = html.replace("<name>", f"{name.split('.')[0]}.parentNode")
44 |     r = flask.Response(html, mimetype='image/svg+xml')
45 |     return r
46 | 
47 | @app.route('/')
48 | def hello_world():
49 |     return 'Hello, idx_0!'
50 | 
51 | if __name__ == '__main__':
52 |     app.debug=True
53 |     app.run(host="0.0.0.0", port=7000)
54 |     #app.run(port=7000)
55 | 


--------------------------------------------------------------------------------
/src/script/js_instruction.py:
--------------------------------------------------------------------------------
 1 | from src.js_api.js_api_type import JsApiType
 2 | 
 3 | 
 4 | class JsInstruction:
 5 |     def __init__(self, input, params, output, obj, api_type, name=None, keep=True):
 6 |         self.input = input
 7 |         self.params = params
 8 |         self.output = output
 9 |         self.obj = obj
10 |         self.api_type = api_type
11 |         self.name = name
12 |         self.keep = keep
13 | 
14 |     def lift(self, guard=False, debug=False, indent=0):
15 |         code = ""
16 | 
17 |         if self.api_type == JsApiType.assign:
18 |             code += f"{self.input}"
19 |         else:
20 |             if self.api_type == JsApiType.operation_addition:
21 |                 operation = "+"
22 |             elif self.api_type == JsApiType.operation_minus:
23 |                 operation = "-"
24 |             elif self.api_type == JsApiType.operation_multiple:
25 |                 operation = "*"
26 |             elif self.api_type == JsApiType.operation_division:
27 |                 operation = "/"
28 |             elif self.api_type == JsApiType.operation_equal:
29 |                 operation = "=="
30 |             elif self.api_type == JsApiType.operation_not_equal:
31 |                 operation = "!="
32 |             code += f"{self.input} {operation} {self.params[0]}"
33 | 
34 |         if self.output:
35 |             code = f"{self.output} = {code}"
36 | 
37 |         code += ";"
38 |         if guard:
39 |             code = "try {" + code + "} catch(e) {"
40 |             if debug:
41 |                 code += "console.log(e);"
42 |             code += "} "
43 | 
44 |         code = "  " * indent + code
45 | 
46 |         return code
47 | 
48 | 
49 | def main():
50 |     inst = JsInstruction("v1", [1], "v2", "Integer", JsApiType.operation_addition, None)
51 |     print(inst.lift())
52 | 
53 | 
54 | if __name__ == "__main__":
55 |     main()


--------------------------------------------------------------------------------
/tools/domato/canvas/README.md:
--------------------------------------------------------------------------------
 1 | Script and grammar for fuzzing Canvas API based on CanvasRenderingContext2D specification found at https://developer.mozilla.org/en-US/docs/Web/API/CanvasRenderingContext2D
 2 | 
 3 | *** Example usage ***
 4 | 
 5 | Running the generate_one_case.py script will yield a sample fuzzed case:
 6 | 
 7 | ```
 8 | ctx.clearHitRegions();
 9 | /* newvar{fuzzvar00001:path2d} */ var fuzzvar00001 = new Path2D('M1 0 H -1 V 0 H 10 L 1 1');
10 | if (!fuzzvar00001) { fuzzvar00001 = GetVariable(fuzzervars, 'path2d'); } else { SetVariable(fuzzvar00001, 'path2d');  }
11 | ctx.stroke(fuzzvar00001);
12 | console.log(ctx.isPointInPath(fuzzvar00001, 1073741824, 2147483647, "nonzero"));
13 | console.log(ctx.isPointInStroke(fuzzvar00001, -2147483648, 2147483647));
14 | ctx.stroke(fuzzvar00001);
15 | ctx.fill(fuzzvar00001, "evenodd");
16 | console.log(ctx.isPointInPath(fuzzvar00001, -1, 0, "nonzero"));
17 | console.log(ctx.isPointInStroke(fuzzvar00001, -1073741824, 2147483648));
18 | console.log(ctx.isPointInStroke(fuzzvar00001, 536870912, 268435456));
19 | console.log(ctx.isPointInStroke(fuzzvar00001, 268435456, -32769));
20 | ctx.clip(fuzzvar00001, "nonzero");
21 | /* newvar{fuzzvar00002:path2d} */ var fuzzvar00002 = new Path2D(fuzzvar00001);
22 | if (!fuzzvar00002) { fuzzvar00002 = GetVariable(fuzzervars, 'path2d'); } else { SetVariable(fuzzvar00002, 'path2d');  }
23 | console.log(ctx.isPointInPath(fuzzvar00002, -32769, 32768, "nonzero"));
24 | ctx.clip(fuzzvar00002, "nonzero");
25 | console.log(ctx.isPointInPath(fuzzvar00001, -32769, 268435456, "evenodd"));
26 | ctx.clip(fuzzvar00001, "nonzero");
27 | ctx.bezierCurveTo(-2147483648, -2147483648, 268435456, 4294967295, 2147483647, 65535);
28 | ctx.fill(fuzzvar00001, "nonzero");
29 | ctx.fill(fuzzvar00001, "evenodd");
30 | /* newvar{fuzzvar00003:path2d} */ var fuzzvar00003 = new Path2D(fuzzvar00002);
31 | if (!fuzzvar00003) { fuzzvar00003 = GetVariable(fuzzervars, 'path2d'); } else { SetVariable(fuzzvar00003, 'path2d');  }
32 | ```
33 | 
34 | Your mileage may vary so feel free to modify/edit template.html.
35 | 
36 | 
37 | 


--------------------------------------------------------------------------------
/src/web_api/value.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "Boolean": ["true", "false"],
 3 |     "rtlltrString": ["rtl", "ltr"],
 4 |     "OnOffString": ["on", "off"],
 5 |     "ReferrerPolicyString": ["no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin", "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url"],
 6 |     "RelString": ["alternate", "author", "bookmark", "external", "help", "license", "next", "nofollow", "noreferrer", "noopener", "prev", "search", "tag"],
 7 |     "TargetString": ["_blank", "_parent", "_self", "_top"],
 8 |     "CoordsString": ["10, 10, 10", "20, 20, 20, 20"],
 9 |     "ShapeString": ["rect", "circle", "poly", "default"],
10 |     "MethodString": ["get", "post", "dialog"],
11 |     "HTTPMethodString": ["GET", "POST", "PUT", "DELETE"],
12 |     "TypeString": ["submit", "reset", "button", "menu"],
13 |     "AlignString": ["left", "right", "justify", "center"],
14 |     "vAlignString": ["top", "middle", "bottom", "baseline"],
15 |     "FeaturePolicyString": ["allowsFeature", "features", "allowedFeatures", "getAllowlistForFeature"],
16 |     "SandboxString": ["allow-forms", "allow-pointer-lock", "allow-popups", "allow-same-origin", "allow-scripts", "allow-top-navigation"],
17 |     "RefString": ["sync", "async", "auto"],
18 |     "EagerLazyString": ["eager", "lazy"],
19 |     "InputtypeString": ["button", "checkbox", "color", "date", "datetime-local", "email", "file", "hidden", "image", "month", "number", "password", "radio", "range", "reset", "search", "submit", "tel", "text", "time", "url", "week", "datetime"],
20 |     "PreloadString": ["none", "metadata", "auto"],
21 |     "DateTimeString": ["0062-02-05", "1993-11-01", "2021-07-01", "2162-02-05"],
22 |     "ValueTypeString": ["data", "ref", "object"],
23 |     "SelectionDirectionString": ["forward", "backward", "none"],
24 |     "KindString": ["subtitles", "captions", "descriptions", "chapters", "metadata"],
25 |     "PositionString": ["beforebegin", "afterbegin", "beforeend", "afterend"],
26 |     "ReadyStateString": ["loading", "interactive", "complete"]
27 |     
28 | 
29 | 
30 |     
31 | 
32 | }


--------------------------------------------------------------------------------
/tools/domato/jscript/template.html:
--------------------------------------------------------------------------------
  1 | <!-- saved from url=(0014)about:internet -->
  2 | <html>
  3 | <head>
  4 | <meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
  5 | </head>
  6 | <body>
  7 | <script language="Jscript.Encode">
  8 | 
  9 | var vars = new Array(100);
 10 | 
 11 | var runcount = {main:0, f0:0, f1:0, f2:0, f3:0, f4:0, f5:0, f6:0, f7:0, f8:0, f9:0}
 12 | 
 13 | function main() {
 14 | runcount.main++; if(runcount.main>2) return;
 15 | //alert('main');
 16 | <jsfuzzer>
 17 | }
 18 | 
 19 | function f0(arg1, arg2, arg3) {
 20 | runcount.f0++; if(runcount.f0>2) return;
 21 | //alert(0);
 22 | <jsfuzzer>
 23 | }
 24 | 
 25 | function f1(arg4, arg5, arg6) {
 26 | runcount.f1++; if(runcount.f1>2) return;
 27 | //alert(1);
 28 | <jsfuzzer>
 29 | }
 30 | 
 31 | function f2(arg7, arg8, arg9) {
 32 | runcount.f2++; if(runcount.f2>2) return;
 33 | //alert(2);
 34 | <jsfuzzer>
 35 | }
 36 | 
 37 | function f3(arg1, arg2, arg3) {
 38 | runcount.f3++; if(runcount.f3>2) return;
 39 | //alert(3);
 40 | <jsfuzzer>
 41 | }
 42 | 
 43 | function f4(arg4, arg5, arg6) {
 44 | runcount.f4++; if(runcount.f4>2) return;
 45 | //alert(4);
 46 | <jsfuzzer>
 47 | }
 48 | 
 49 | function f5(arg7, arg8, arg9) {
 50 | runcount.f5++; if(runcount.f5>2) return;
 51 | //alert(5);
 52 | <jsfuzzer>
 53 | }
 54 | 
 55 | function f6(arg1, arg2, arg3) {
 56 | runcount.f6++; if(runcount.f6>2) return;
 57 | //alert(6);
 58 | <jsfuzzer>
 59 | }
 60 | 
 61 | function f7(arg4, arg5, arg6) {
 62 | runcount.f7++; if(runcount.f7>2) return;
 63 | //alert(7);
 64 | <jsfuzzer>
 65 | }
 66 | 
 67 | function f8(arg7, arg8, arg9) {
 68 | runcount.f8++; if(runcount.f8>2) return;
 69 | //alert(8);
 70 | <jsfuzzer>
 71 | }
 72 | 
 73 | function f9(arg1, arg2, arg3) {
 74 | runcount.f9++; if(runcount.f9>2) return;
 75 | //alert(9);
 76 | <jsfuzzer>
 77 | }
 78 | 
 79 | for(var i=0;i<20;i++) {
 80 |   vars[i] = new Array(10);
 81 | }
 82 | for(var i=20;i<40;i++) {
 83 |   vars[i] = 'aaaaaaaaaa';
 84 | }
 85 | for(var i=40;i<60;i++) {
 86 |   vars[i] = document.createElement("foo");
 87 | }
 88 | for(var i=60;i<90;i++) {
 89 |   vars[i] = {};
 90 | }
 91 | vars[90] = f0;
 92 | vars[91] = f1;
 93 | vars[92] = f2;
 94 | vars[93] = f3;
 95 | vars[94] = f4;
 96 | vars[95] = f5;
 97 | vars[96] = f6;
 98 | vars[97] = f7;
 99 | vars[98] = f8;
100 | vars[99] = f9;
101 | 
102 | main();
103 | 
104 | </script>
105 | </body>
106 | </html>
107 | 


--------------------------------------------------------------------------------
/src/script/web_instruction.py:
--------------------------------------------------------------------------------
 1 | from src.web_api.web_object import WebObject
 2 | from src.web_api.web_api_type import WebApiType
 3 | 
 4 | class WebInstruction:
 5 |     def __init__(self, input, params, output, obj, api_type, name, keep=True):
 6 |         self.input = input
 7 |         self.params = params
 8 |         self.output = output
 9 |         self.obj = obj
10 |         self.api_type = api_type
11 |         self.name = name
12 |         self.keep = keep
13 | 
14 |     def lift(self, guard=False, debug=False, indent=0):
15 |         code = ""
16 | 
17 |         if self.input and self.obj != "Function" and self.obj != "Built-in":
18 |             code += f"{self.input}."
19 | 
20 |         if self.api_type == WebApiType.call_method or self.api_type == WebApiType.construct:
21 |             if self.name == "item":
22 |                 code = code[:-1] + f"[{', '.join(map(str, self.params))}]"
23 |             else:
24 |                 code += f"{self.name}"
25 |                 code += f"({', '.join(map(str, self.params))})"
26 | 
27 |         else:
28 |             code += f"{self.name}"
29 | 
30 |         if self.api_type == WebApiType.construct:
31 |             code = "new " + code
32 | 
33 |         if self.output:
34 |             if self.api_type == WebApiType.read_property or \
35 |                     self.api_type == WebApiType.call_method or \
36 |                     self.api_type == WebApiType.construct:
37 |                 code = f"{self.output} = {code}"
38 |             if self.api_type == WebApiType.write_property:
39 |                 code = f"{code} = {self.output}"
40 | 
41 |         code += ";"
42 |         if guard:
43 |             code = "try {" + code + "} catch(e) {"
44 |             if debug:
45 |                 code += "console.log(e);"
46 |             code += "} "
47 | 
48 |         code = "  " * indent + code
49 | 
50 |         return code
51 | 
52 |     def get_input_object(self):
53 |         return WebObject.create(self.obj)
54 | 
55 |     def get_output_object(self):
56 |         instance = WebObject.create(self.obj)
57 |         if instance is not None:
58 |             if self.api_type == WebApiType.call_method:
59 |                 return instance.get_method_return(self.name)
60 |             elif self.api_type == WebApiType.construct:
61 |                 return instance.get_constructor_return(self.name)
62 |             else:
63 |                 return instance.get_property_return(self.name)
64 | 
65 | 
66 | def main():
67 |     inst = WebInstruction("v1", [], "v2", "Node", WebApiType.read_property, "baseURI")
68 |     print(inst.lift())
69 | 
70 | 
71 | if __name__ == "__main__":
72 |     main()


--------------------------------------------------------------------------------
/src/script/web_page.py:
--------------------------------------------------------------------------------
 1 | import secrets
 2 | 
 3 | class WebPage:
 4 |     def __init__(self, html=None, event_handlers=[], body_script=[],
 5 |                  foo_bar=None):
 6 |         self.html = html
 7 |         self.event_handlers = event_handlers
 8 |         self.body_script = body_script
 9 | 
10 |         self.handler = False
11 |         if len(self.event_handlers) > 0:
12 |             self.handler = True
13 |             self.event_handler1 = event_handlers[0]
14 |             self.event_handler2 = event_handlers[1]
15 |             
16 | 
17 |         self.loader = False
18 | 
19 |         if len(self.event_handlers) > 2:
20 |             self.loader = True
21 |             self.load_handler1 = event_handlers[2]
22 |             self.load_handler2 = event_handlers[3]
23 |             self.load_handler3 = event_handlers[4]
24 |             self.load_handler4 = event_handlers[5]
25 | 
26 |         self.foo_bar = foo_bar
27 | 
28 |     def to_string(self, skip=False, debug=False):
29 |         code = self.html
30 |         if skip:
31 |             return code
32 | 
33 |         head_script = \
34 |             "<script>\n"
35 | 
36 |         if self.loader:
37 |             head_script += \
38 |             "function eventhandler1() {\n" + \
39 |             self.event_handler1.lift(guard=True, debug=debug) + "}\n" + \
40 |             "function eventhandler2() {\n" + \
41 |             self.event_handler2.lift(guard=True, debug=debug) + "}\n"
42 | 
43 |         if self.loader:
44 |             head_script += \
45 |                 "function load_handler1() {\n" + \
46 |                 self.load_handler1.lift(guard=True, debug=debug) + "}\n" + \
47 |                 "function load_handler2() {\n" + \
48 |                 self.load_handler2.lift(guard=True, debug=debug) + "}\n" + \
49 |                 "function load_handler3() {\n" + \
50 |                 self.load_handler3.lift(guard=True, debug=debug) + "}\n" + \
51 |                 "function load_handler4() {\n" + \
52 |                 self.load_handler4.lift(guard=True, debug=debug) + "}\n" 
53 | 
54 |         head_script += "</script>\n"
55 |         code = code.replace('<head_script>', head_script)
56 | 
57 |         if "<foo_bar>" in code:
58 |             code = code.replace('<foo_bar>', self.foo_bar)
59 | 
60 |         for script in self.body_script:
61 |             lift = \
62 |                 "<script>\n" + \
63 |                     "window.addEventListener('beforeunload', load_handler1)\n" + \
64 |                     "window.addEventListener('unload', load_handler2)\n" + \
65 |                     "window.addEventListener('DOMContentLoaded', load_handler3)\n" + \
66 |                     "window.addEventListener('load', load_handler4)\n" + \
67 |                 script.lift(guard=True, debug=debug) + "\n" + \
68 |                 "</script>\n"
69 | 
70 |             code = code.replace('<body_script>', lift, 1)
71 |         return code


--------------------------------------------------------------------------------
/src/web_api/value_manager.py:
--------------------------------------------------------------------------------
 1 | import json
 2 | import random
 3 | import string
 4 | 
 5 | class ValueManager:
 6 |     __grammar = None
 7 | 
 8 |     @classmethod
 9 |     def init(cls):
10 |         if cls.__grammar is None:
11 |             with open("src/web_api/value.json") as f:
12 |                 cls.__grammar = json.load(f)
13 | 
14 |     @classmethod
15 |     def bind(cls, name):
16 |         cls.init()
17 |         if name in cls.__grammar:
18 |             try:
19 |                 arr = cls.__grammar[name]
20 |                 if arr:
21 |                     return arr
22 |                 else:
23 |                     return []
24 |             except KeyError as e:
25 |                 return []
26 | 
27 |     @classmethod
28 |     def random_bind(cls, name):
29 |         cls.init()
30 |         if name in cls.__grammar:
31 |             try:
32 |                 arr = cls.__grammar[name]
33 |                 if arr:
34 |                     value = random.choice(arr)
35 |                     if name.endswith("String"):
36 |                         value = f"'{value}'"
37 |                     return value
38 |                 else:
39 |                     return "null"
40 |             except KeyError as e:
41 |                 return "null"
42 |         elif name == "Integer":
43 |             return str(random.randrange(100))
44 |         elif name == "Double":
45 |             return str(random.random() * 100)
46 |         elif name == "String":
47 |             N = random.randrange(10) + 1
48 |             value = ''.join(random.choices(string.ascii_letters + string.digits, k=N))
49 |             return f"'{value}'"
50 |         elif name == "DOMString":
51 |             N = random.randrange(10) + 1
52 |             value = ''.join(random.choices(string.ascii_letters + string.digits, k=N))
53 |             return f"'{value}'"
54 |         elif name == "URI":
55 |             value = "http://127.0.0.1"
56 |             return f"'{value}'"
57 |         elif name == "DomainString":
58 |             value = "127.0.0.1"
59 |             return f"'{value}'"
60 |         # elif name == "Markup":
61 |         #     value = "<script>alert(location)<\/script>"
62 |         #     return f"'{value}'"
63 |         else:
64 |             return "null"
65 | 
66 |     @classmethod
67 |     def values(cls):
68 |         cls.init()
69 |         return list(cls.__grammar.keys())
70 | 
71 | 
72 | 
73 | def main():
74 |     candidate = ValueManager.bind("rtlltrString")
75 |     print(candidate)
76 | 
77 |     value = ValueManager.random_bind("Boolean")
78 |     print(value)
79 | 
80 |     value = ValueManager.random_bind("Integer")
81 |     print(value)
82 | 
83 |     value = ValueManager.random_bind("Double")
84 |     print(value)
85 | 
86 |     value = ValueManager.random_bind("String")
87 |     print(value)
88 | 
89 |     values = ValueManager.values()
90 |     print(values)
91 | 
92 | if __name__ == "__main__":
93 |     main()


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
  1 | # make empty directory
  2 | !.empty
  3 | 
  4 | # project
  5 | logs/**
  6 | tests/input/**
  7 | tests/output/**
  8 | servers/data/*/*.html
  9 | servers/data/*/log.txt
 10 | 
 11 | # add html
 12 | !servers/data/parent/.empty
 13 | !servers/data/child/.empty
 14 | !servers/data/*/svg
 15 | !servers/data/*/sample*
 16 | !servers/data/*/sop
 17 | !servers/data/*/test.html
 18 | 
 19 | # chrome binary
 20 | chrome/**
 21 | 
 22 | # test directory
 23 | tests/**
 24 | 
 25 | # Byte-compiled / optimized / DLL files
 26 | __pycache__/
 27 | *.py[cod]
 28 | *$py.class
 29 | 
 30 | # C extensions
 31 | *.so
 32 | 
 33 | # Distribution / packaging
 34 | .Python
 35 | build/
 36 | develop-eggs/
 37 | dist/
 38 | downloads/
 39 | eggs/
 40 | .eggs/
 41 | lib/
 42 | lib64/
 43 | parts/
 44 | sdist/
 45 | var/
 46 | wheels/
 47 | pip-wheel-metadata/
 48 | share/python-wheels/
 49 | *.egg-info/
 50 | .installed.cfg
 51 | *.egg
 52 | MANIFEST
 53 | 
 54 | # PyInstaller
 55 | #  Usually these files are written by a python script from a template
 56 | #  before PyInstaller builds the exe, so as to inject date/other infos into it.
 57 | *.manifest
 58 | *.spec
 59 | 
 60 | # Installer logs
 61 | pip-log.txt
 62 | pip-delete-this-directory.txt
 63 | 
 64 | # Unit test / coverage reports
 65 | htmlcov/
 66 | .tox/
 67 | .nox/
 68 | .coverage
 69 | .coverage.*
 70 | .cache
 71 | nosetests.xml
 72 | coverage.xml
 73 | *.cover
 74 | *.py,cover
 75 | .hypothesis/
 76 | .pytest_cache/
 77 | 
 78 | # Translations
 79 | *.mo
 80 | *.pot
 81 | 
 82 | # Django stuff:
 83 | *.log
 84 | local_settings.py
 85 | db.sqlite3
 86 | db.sqlite3-journal
 87 | 
 88 | # Flask stuff:
 89 | instance/
 90 | .webassets-cache
 91 | 
 92 | # Scrapy stuff:
 93 | .scrapy
 94 | 
 95 | # Sphinx documentation
 96 | docs/_build/
 97 | 
 98 | # PyBuilder
 99 | target/
100 | 
101 | # Jupyter Notebook
102 | .ipynb_checkpoints
103 | 
104 | # IPython
105 | profile_default/
106 | ipython_config.py
107 | 
108 | # pyenv
109 | .python-version
110 | 
111 | # pipenv
112 | #   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
113 | #   However, in case of collaboration, if having platform-specific dependencies or dependencies
114 | #   having no cross-platform support, pipenv may install dependencies that don't work, or not
115 | #   install all needed dependencies.
116 | #Pipfile.lock
117 | 
118 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow
119 | __pypackages__/
120 | 
121 | # Celery stuff
122 | celerybeat-schedule
123 | celerybeat.pid
124 | 
125 | # SageMath parsed files
126 | *.sage.py
127 | 
128 | # Environments
129 | .env
130 | .venv
131 | env/
132 | venv/
133 | ENV/
134 | env.bak/
135 | venv.bak/
136 | 
137 | # Spyder project settings
138 | .spyderproject
139 | .spyproject
140 | 
141 | # Rope project settings
142 | .ropeproject
143 | 
144 | # mkdocs documentation
145 | /site
146 | 
147 | # mypy
148 | .mypy_cache/
149 | .dmypy.json
150 | dmypy.json
151 | 
152 | # Pyre type checker
153 | .pyre/
154 | 


--------------------------------------------------------------------------------
/src/web_api/tag.json:
--------------------------------------------------------------------------------
  1 | {
  2 |     "a": "HTMLAnchorElement", 
  3 |     "abbr": "",
  4 |     "address": "",
  5 |     "area": "HTMLAreaElement",
  6 |     "article": "",
  7 |     "aside": "",
  8 |     "audio": "HTMLAudioElement",
  9 |     "b": "",
 10 |     "base": "HTMLBaseElement",
 11 |     "bdi": "",
 12 |     "bdo": "",
 13 |     "blockquote": "HTMLQuoteElement",
 14 |     "body": "HTMLBodyElement",
 15 |     "br": "HTMLBRElement",
 16 |     "button": "HTMLButtonElement",
 17 |     "canvas": "HTMLCanvasElement",
 18 |     "caption": "",
 19 |     "cite": "",
 20 |     "code": "",
 21 |     "col": "",
 22 |     "colgroup": "",
 23 |     "data": "HTMLDataElement",
 24 |     "datalist": "HTMLDataListElement",
 25 |     "dd": "",
 26 |     "del": "HTMLModElement",
 27 |     "details": "",
 28 |     "dfn": "",
 29 |     "dialog": "HTMLDialogElement",
 30 |     "div": "HTMLDivElement",
 31 |     "dl": "HTMLDListElement",
 32 |     "dt": "",
 33 |     "em": "",
 34 |     "embed": "HTMLEmbedElement",
 35 |     "fieldset": "HTMLFieldSetElement",
 36 |     "figcaption": "",
 37 |     "figure": "",
 38 |     "footer": "",
 39 |     "form": "HTMLFormElement",
 40 |     "h1": "HTMLHeadingElement",
 41 |     "h2": "HTMLHeadingElement",
 42 |     "h3": "HTMLHeadingElement",
 43 |     "h4": "HTMLHeadingElement",
 44 |     "h5": "HTMLHeadingElement",
 45 |     "h6": "HTMLHeadingElement",
 46 |     "head": "HTMLHeadElement",
 47 |     "header": "",
 48 |     "hr": "HTMLHRElement",
 49 |     "html": "HTMLHtmlElement",
 50 |     "i": "",
 51 |     "iframe": "HTMLIFrameElement",
 52 |     "img": "HTMLImageElement",
 53 |     "input": "HTMLInputElement",
 54 |     "ins": "HTMLModElement",
 55 |     "kbd": "", 
 56 |     "label": "HTMLLabelElement",
 57 |     "legend": "HTMLLegendElement",
 58 |     "li": "HTMLLIElement",
 59 |     "link": "HTMLLinkElement",
 60 |     "main": "",
 61 |     "map": "HTMLMapElement",
 62 |     "mark": "",
 63 |     "meta": "HTMLMetaElement",
 64 |     "meter": "HTMLMeterElement",
 65 |     "nav": "",
 66 |     "noscript": "",
 67 |     "object": "HTMLObjectElement",
 68 |     "ol": "",
 69 |     "optgroup": "HTMLOptGroupElement",
 70 |     "option": "HTMLOptionElement",
 71 |     "output": "HTMLOutputElement",
 72 |     "p": "HTMLParagraphElement",
 73 |     "param": "HTMLParamElement",
 74 |     "picture": "HTMLPictureElement",
 75 |     "pre": "HTMLPreElement",
 76 |     "progress": "HTMLProgressElement",
 77 |     "q": "HTMLQuoteElement",
 78 |     "rp": "",
 79 |     "rt": "",
 80 |     "ruby": "",
 81 |     "s": "",
 82 |     "samp": "",
 83 |     "script": "HTMLScriptElement",
 84 |     "section": "",
 85 |     "select": "HTMLSelectElement",
 86 |     "small": "",
 87 |     "source": "HTMLSourceElement",
 88 |     "span": "HTMLSpanElement",
 89 |     "strong": "",
 90 |     "style": "HTMLStyleElement",
 91 |     "sub": "",
 92 |     "summary": "",
 93 |     "sup": "",
 94 |     "svg": "",
 95 |     "table": "HTMLTableElement",
 96 |     "tbody": "",
 97 |     "td": "",
 98 |     "template": "HTMLTemplateElement",
 99 |     "textarea": "HTMLTextAreaElement",
100 |     "tfoot": "",
101 |     "th": "",
102 |     "thead": "",
103 |     "time": "HTMLTimeElement",
104 |     "title": "HTMLTitleElement",
105 |     "tr": "",
106 |     "track": "HTMLTrackElement",
107 |     "u": "",
108 |     "ul": "",
109 |     "var": "",
110 |     "video": "HTMLVideoElement",
111 |     "wbr": ""
112 | }


--------------------------------------------------------------------------------
/chrome_downloader.py:
--------------------------------------------------------------------------------
  1 | import sys
  2 | import os
  3 | import requests
  4 | import zipfile
  5 | 
  6 | class Downloader:
  7 |     def __init__(self, os_type="Linux_x64"):
  8 |         self.position_lookup_url = "https://omahaproxy.appspot.com/deps.json"
  9 |         self.download_url = "https://www.googleapis.com/download/storage/v1/b/chromium-browser-snapshots/o"
 10 |         self.os = os_type
 11 |         self.base = "chrome"
 12 | 
 13 |         if not os.path.exists(self.base):
 14 |             os.makedirs(self.base)
 15 | 
 16 |     def get_position(self, version):
 17 |         url = self.position_lookup_url + f"?version={version}"
 18 |         payload={}
 19 |         headers = {}
 20 |         r = requests.request("GET", url, headers=headers, data=payload)
 21 |         try:
 22 |             return r.json()["chromium_base_position"]
 23 |         except:
 24 |             return None
 25 | 
 26 | 
 27 |     def download(self, url, name):
 28 |         r = requests.request("GET", url)
 29 | 
 30 |         try:
 31 |             r.raise_for_status()
 32 |             with open(name, "wb") as f:
 33 |                 for chunk in r:
 34 |                     f.write(chunk)
 35 |             return True
 36 |         except:
 37 |             return False
 38 | 
 39 |     def unzip_and_rename(self, file_path, name):
 40 |         os.system(f"cd {self.base} && unzip {file_path} > /dev/null")
 41 |         source = "chrome-linux"       
 42 |         os.rename(os.path.join(self.base, source), os.path.join(self.base, name))
 43 | 
 44 |     def driver_unzip_and_rename(self, file_path, name):
 45 |         os.system(f"cd {self.base} && unzip {file_path} > /dev/null")
 46 |         source = "chromedriver_linux64"
 47 |         driver = "chromedriver"
 48 |         
 49 |         os.system(f"cd {self.base} && mv {source}/{driver} {name} && rmdir {source}")
 50 | 
 51 |     def download_binary(self, version):
 52 |         prefix = "Linux_x64"
 53 |         postfix = "chrome-linux.zip"
 54 |         driver = "chromedriver_linux64.zip"
 55 | 
 56 |         print(f"[+] start download chrome binary")
 57 |         print(f"[+] get position - {version}")
 58 |         position = self.get_position(version)
 59 | 
 60 |         if position is None:
 61 |             print(f"[-] fail to get position {version}")
 62 |             return None   
 63 | 
 64 |         print(f"[+] find position - {position}")
 65 | 
 66 |         base_url = f"{self.download_url}/{prefix}%2F"
 67 |         download_flag = False
 68 |         found = 0
 69 | 
 70 |         for i in range(100):
 71 |             url = f"{base_url}{int(position)+i}%2F{postfix}?alt=media"
 72 |             name = f"{version}_{int(position)+i}"
 73 |             zip_name = f"{name}.zip"
 74 |             if self.download(url, os.path.join(self.base, zip_name)):
 75 |                 download_flag = True
 76 |                 found = int(position)+i
 77 |                 break
 78 |         if download_flag:
 79 |             print(f"[+] download success - {os.path.join(self.base, zip_name)}")
 80 |         else:
 81 |             print(f"[-] download fail")
 82 |             return None
 83 | 
 84 |         self.unzip_and_rename(zip_name, name)
 85 | 
 86 |         driver_url = f"{base_url}{found}%2F{driver}?alt=media"
 87 |         driver_name = f"{name}_driver.zip"
 88 |         self.download(driver_url, os.path.join(self.base, driver_name))
 89 | 
 90 |         print(f"[+] download success - {os.path.join(self.base, driver)}")
 91 |         self.driver_unzip_and_rename(driver_name, name)
 92 | 
 93 |         print(f"[+] chrome is ready - {os.path.join(self.base, name)}")
 94 | 
 95 | def main(argv):
 96 |     downloader = Downloader(os_type="Linux_x64")
 97 |     downloader.download_binary(argv[1])
 98 | 
 99 | if __name__ == "__main__":
100 |     main(sys.argv)


--------------------------------------------------------------------------------
/src/js_api/js_object.py:
--------------------------------------------------------------------------------
  1 | import json
  2 | 
  3 | 
  4 | class WebObject():
  5 |     __grammar = None
  6 |     __instance = {}
  7 | 
  8 |     @classmethod
  9 |     def __getInstance(cls, name):
 10 |         return cls.__instance[name]
 11 |     
 12 |     @classmethod
 13 |     def create(cls, name):
 14 |         if not cls.__grammar:
 15 |             with open("src/web_api/grammar.json") as f:
 16 |                 print('[+] load web api grammar')
 17 |                 cls.__grammar = json.load(f)
 18 |                 # print(cls.__grammar)
 19 | 
 20 |         if name in cls.__grammar:
 21 |             if name in cls.__instance:
 22 |                 return cls.__getInstance(name)
 23 |             else:
 24 |                 cls.__instance[name] = cls(name, cls.__grammar[name])
 25 |                 return cls.__getInstance(name)
 26 |         else:
 27 |             return None
 28 | 
 29 |     def __init__(self, name, meta):
 30 |         self.name = name
 31 |         self.inherit = [WebObject.create(name) for name in meta["inherit"]]
 32 |         self.constructors = meta["constructors"]
 33 |         self.properties = meta["properties"]
 34 |         self.methods = meta["methods"]
 35 |         self.events = meta["events"]
 36 |         self.descendant = []
 37 | 
 38 |         try:
 39 |             self.inherit.remove(None)
 40 |         except ValueError as e:
 41 |             pass
 42 | 
 43 |         for i in self.inherit:
 44 |             self.properties = {**i.properties, **self.properties}
 45 |             self.methods = {**i.methods, **self.methods}
 46 |             self.events = self.events + i.events
 47 |             i.set_descendant(self.name)
 48 |         self.events = list(set(self.events))
 49 | 
 50 |     def get_property_candidate(self):
 51 |         return list(self.properties.keys())
 52 | 
 53 |     def get_writable_property_candidate(self):
 54 |         return list(a for a in self.properties.keys() if not self.properties[a]['read_only'])
 55 | 
 56 |     def get_property_return(self, name):
 57 |         return self.properties[name]["ret"]
 58 | 
 59 |     def get_method_candidate(self):
 60 |         return list(self.methods.keys())
 61 | 
 62 |     def get_method_params(self, name):
 63 |         return self.methods[name]["params"]
 64 | 
 65 |     def is_method_static(self, name):
 66 |         return self.methods[name]["static"]
 67 | 
 68 |     def get_method_return(self, name):
 69 |         return self.methods[name]["ret"]
 70 | 
 71 |     def get_event_candidate(self):
 72 |         return self.events
 73 | 
 74 |     def get_constructor_candidate(self):
 75 |         return list(self.constructors.keys())
 76 | 
 77 |     def is_constructor_new(self, name):
 78 |         return self.constructors[name]["new"]
 79 | 
 80 |     def get_constructor_return(self, name):
 81 |         return self.constructors[name]["ret"]
 82 | 
 83 |     def set_descendant(self, name):
 84 |         self.descendant.append(name)
 85 |         for i in self.inherit:
 86 |             i.set_descendant(name)
 87 | 
 88 |     def get_descendant(self):
 89 |         return self.descendant
 90 | 
 91 | def object_test():
 92 |     with open("src/web_api/grammar.json") as f:
 93 |         grammar = json.load(f)
 94 | 
 95 |     done = list(grammar.keys())
 96 |     todo = []
 97 | 
 98 |     for obj in done:
 99 |         instance = WebObject.create(obj)
100 | 
101 |         arr = instance.get_property_candidate()
102 |         for name in arr:
103 |             ret = instance.get_property_return(name)
104 |             
105 |             if ret not in done:
106 |                 todo.append(ret)
107 | 
108 |         arr = instance.get_method_candidate()
109 |         for name in arr:
110 |             ret = instance.get_method_return(name)
111 |             if ret not in done:
112 |                 todo.append(ret)
113 | 
114 |     todo = list(set(todo))
115 |     print(todo)
116 | 
117 | def main():
118 |     object_test()
119 | 
120 | 
121 | if __name__ == "__main__":
122 |     main()


--------------------------------------------------------------------------------
/src/script/statement.py:
--------------------------------------------------------------------------------
  1 | class IfElseStatement:
  2 |     def __init__(self, cond=None, if_inst=[], else_inst=[], keep=True):
  3 |         self.condition = cond
  4 |         self.if_instructions = [x for x in if_inst if x is not None]
  5 |         self.else_instructions = [x for x in else_inst if x is not None]
  6 |         self.keep = keep
  7 | 
  8 |     def lift(self, guard=False, debug=False, indent=0):
  9 |         if self.condition:
 10 |             try:
 11 |                 cond = self.condition.lift()
 12 |             except:
 13 |                 cond = str(self.condition)
 14 |         else:
 15 |             cond = 'true'
 16 | 
 17 |         if guard:
 18 |             indent += 1
 19 |         code = "  " * indent + f"if ({cond}) " + "{\n"
 20 |         
 21 |         for inst in self.if_instructions:
 22 |             if inst is None:
 23 |                 continue
 24 |             code += inst.lift(guard, debug, indent+1) + "\n"
 25 |         code += "  " * indent + "}\n"
 26 |         code += "  " * indent + "else {\n"
 27 |         for inst in self.else_instructions:
 28 |             if inst is None:
 29 |                 continue
 30 |             code += inst.lift(guard, debug, indent+1) + "\n"
 31 |         code += "  " * indent + "}"
 32 |         if guard:
 33 |             indent -= 1
 34 |             code = "  " * indent + "try {\n" + code + "\n" + "  " * indent + "} catch(e) {"
 35 |             if debug:
 36 |                 code += "console.log(e);"
 37 |             code += "}"
 38 |         return code
 39 | 
 40 | class TryCatchStatement:
 41 |     def __init__(self, try_inst=[], catch_inst=[], keep=True):
 42 |         self.try_instructions = [x for x in try_inst if x is not None]
 43 |         self.catch_instructions = [x for x in catch_inst if x is not None]
 44 |         self.keep = keep
 45 | 
 46 |     def lift(self, guard=False, debug=False, indent=0):
 47 |         code = "  " * indent + "try {\n"
 48 |         
 49 |         for inst in self.try_instructions:
 50 |             if inst is None:
 51 |                 continue
 52 |             code += inst.lift(False, debug, indent+1) + "\n"
 53 |         code += "  " * indent + "}\n"
 54 |         code += "  " * indent + "catch (e) {\n"
 55 |         for inst in self.catch_instructions:
 56 |             if inst is None:
 57 |                 continue
 58 |             code += inst.lift(guard, debug, indent+1) + "\n"
 59 |         code += "  " * indent + "}"
 60 |         return code
 61 | 
 62 | class FunctionStatement:
 63 |     def __init__(self, name="f", params=[], ret=None, inst=[], keep=True):
 64 |         self.name = name
 65 |         self.params = params
 66 |         self.ret = ret
 67 |         self.instructions = [x for x in inst if x is not None]
 68 |         self.keep = keep
 69 | 
 70 |     def lift(self, guard=False, debug=False, indent=0):
 71 |         code = "  " * indent + f"function {self.name} ({', '.join(self.params)}) " + "{\n"
 72 |         
 73 |         for inst in self.instructions:
 74 |             if inst is None:
 75 |                 continue
 76 |             code += inst.lift(guard, debug, indent+1) + "\n"
 77 |         code += "  " * indent + "}"
 78 |         return code
 79 | 
 80 | 
 81 | class EventhandlerStatement:
 82 |     def __init__(self, params=[], output=None, inst=[], keep=True):
 83 |         self.params = params
 84 |         self.instructions = [x for x in inst if x is not None]
 85 |         self.output = output
 86 |         self.keep = keep
 87 | 
 88 |     def lift(self, guard=False, debug=False, indent=0):
 89 |         code = f"get handleEvent ({', '.join(self.params)}) " + "{\n"
 90 |         
 91 |         for inst in self.instructions:
 92 |             if inst is None:
 93 |                 continue
 94 |             code += inst.lift(guard, debug, indent+1) + "\n"
 95 |         if self.output is not None:
 96 |             code = self.output + " = {" + code 
 97 |         code = "  " * indent + code
 98 |         code += "  " * indent + "}"
 99 | 
100 |         if self.output is not None:
101 |             code += "};"
102 | 
103 |         return code
104 | 
105 | 
106 | def main():
107 |     inst = EventhandlerStatement(output="v1")
108 |     print(inst.lift(indent=1))
109 | 
110 |     inst = EventhandlerStatement()
111 |     print(inst.lift(indent=1))
112 | 
113 | if __name__ == "__main__":
114 |     main()


--------------------------------------------------------------------------------
/src/script/testcase_generator.py:
--------------------------------------------------------------------------------
  1 | import random
  2 | import os
  3 | 
  4 | from src.script.testcase import Testcase
  5 | from src.script.web_page import WebPage
  6 | from src.script.script import Script
  7 | from src.script.script_builder import ScriptBuilder
  8 | 
  9 | from tools.domato import generator
 10 | 
 11 | 
 12 | class TestcaseGenerator:
 13 |     def __init__(self, origins=2, pages=5, console_log=True,
 14 |             weight_event=0.2, weight_nav=0.2):
 15 |         self.origins = origins
 16 |         self.pages = pages
 17 |         self.console_log = console_log
 18 |         self.weight_event = weight_event
 19 |         self.weight_nav = weight_nav
 20 | 
 21 |     def generate_web_page(self, name, origin, page, origins, pages):
 22 |         html = generator.generate()
 23 | 
 24 |         count = html.count("<body_script>")
 25 |         body_script = []
 26 | 
 27 |         context = {}
 28 |         variable_idx = 0
 29 |         function_idx = 0
 30 | 
 31 |         for i in range(count):
 32 |             sb = ScriptBuilder(origin, page, origins=origins, pages=pages,
 33 |                 name=name, console_log=self.console_log, weight_event=self.weight_event, weight_nav=self.weight_nav)
 34 |             if i != 0:
 35 |                 sb.context = context
 36 |                 sb.variable_idx = variable_idx
 37 |                 sb.function_idx = function_idx
 38 | 
 39 |             sb.generate()
 40 |             body_script.append(sb.script)
 41 |             context = sb.context
 42 |             variable_idx = sb.variable_idx
 43 |             function_idx = sb.function_idx
 44 | 
 45 |         event_handler = []
 46 |         prefix = ["eh1", "eh2", "load1", "load2", "load3", "load4"]
 47 | 
 48 |         for i in range(len(prefix)):
 49 |             sb = ScriptBuilder(origin, page, origins=origins, pages=pages,
 50 |                 name=name, prefix=prefix[i], max_instruction=5, console_log=self.console_log,
 51 |                 weight_event=self.weight_event, weight_nav=self.weight_nav)
 52 |             sb.generate()
 53 |             event_handler.append(sb.script)
 54 | 
 55 |         # foo_bar = self.get_foo_bar(typ)
 56 | 
 57 |         web = WebPage(html=html, event_handlers=event_handler, body_script=body_script,
 58 |                       foo_bar="")
 59 | 
 60 |         return web
 61 | 
 62 |     def get_foo_bar(self, typ):
 63 |         if typ == "main" or "sub":
 64 | 
 65 |             foo_bar = """
 66 |                 Function.foo = function() {
 67 |                     console.log("[foo] [TRUE] http://127.0.0.1:7000 http://127.0.0.1:7000");
 68 |                 };
 69 |                 """
 70 |         else:
 71 |             foo_bar = """
 72 |                 function bar() {
 73 |                     try{
 74 |                         var p = fetch.call(parent);
 75 |                         var f = p.constructor.constructor;
 76 |                         f.foo();
 77 |                     } catch(e) {}
 78 |                 }
 79 |                 """
 80 |         return foo_bar
 81 |         
 82 | 
 83 |     def generate(self, name):
 84 |         tc = Testcase(name, self.origins, self.pages)
 85 |         for origin in range(self.origins):
 86 |             for page in range(self.pages):
 87 |                 html = self.generate_web_page(name, origin, page, self.origins, self.pages)
 88 |                 tc.add(html, origin, page)
 89 |         return tc
 90 | 
 91 | 
 92 | def get_base_url(base_url, origin_idx):
 93 |     if origin_idx < 10:
 94 |         return  f"{base_url}0{origin_idx}"
 95 |     else:
 96 |         return  f"{base_url}{origin_idx}"
 97 | 
 98 | def get_url(name, base_url, origin_idx, page_idx):
 99 |     return f"{get_base_url(base_url, origin_idx)}/{get_name(name, origin_idx, page_idx)}"
100 | 
101 | def get_name(name, origin_idx, page_idx):
102 |     return f"{name}_{origin_idx}_{page_idx}.html"
103 | 
104 | def to_server(tc):
105 |     base = "new_servers/data"
106 |     for origin in range(tc.origins):
107 |         for page in range(tc.pages):
108 |             print(f"[+] write {origin},{page}/{tc.origins},{tc.pages}")
109 |             name = get_name(tc.name, origin, page)
110 |             dest = os.path.join(base, f"idx_{origin}", name)
111 | 
112 |             code = tc.get(origin, page).to_string(debug=True)
113 | 
114 |             with open(dest, "w") as f:
115 |                 f.write(code)
116 | 
117 | def main():
118 |     tg = TestcaseGenerator(5, 10)
119 |     print("[+] generate tc1")
120 |     name = "sample"
121 |     tc = tg.generate(name)
122 |     to_server(tc)
123 | 
124 | if __name__ == "__main__":
125 |     main()
126 | 


--------------------------------------------------------------------------------
/tools/domato/php/generator.py:
--------------------------------------------------------------------------------
  1 | #   Domato - main generator script
  2 | #   -------------------------------
  3 | #
  4 | #   Written and maintained by Ivan Fratric <ifratric@google.com>
  5 | #
  6 | #   Copyright 2017 Google Inc. All Rights Reserved.
  7 | #   Licensed under the Apache License, Version 2.0 (the "License");
  8 | #   you may not use this file except in compliance with the License.
  9 | #   You may obtain a copy of the License at
 10 | #
 11 | #       http://www.apache.org/licenses/LICENSE-2.0
 12 | #
 13 | #   Unless required by applicable law or agreed to in writing, software
 14 | #   distributed under the License is distributed on an "AS IS" BASIS,
 15 | #   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 16 | #   See the License for the specific language governing permissions and
 17 | #   limitations under the License.
 18 | 
 19 | 
 20 | from __future__ import print_function
 21 | import os
 22 | import re
 23 | import random
 24 | import sys
 25 | 
 26 | parent_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), os.pardir))
 27 | sys.path.append(parent_dir)
 28 | from grammar import Grammar
 29 | 
 30 | _N_MAIN_LINES = 1000
 31 | _N_EVENTHANDLER_LINES = 500
 32 | 
 33 | 
 34 | def generate_new_sample(template, phpgrammar):
 35 |     """Parses grammar rules from string.
 36 | 
 37 |     Args:
 38 |       template: A template string.
 39 |       phpgrammar: Grammar for generating PHPcode.
 40 | 
 41 |     Returns:
 42 |       A string containing sample data.
 43 |     """
 44 | 
 45 |     result = template
 46 |     handlers = False
 47 |     while '<phpfuzzer>' in result:
 48 |         numlines = _N_MAIN_LINES
 49 |         if handlers:
 50 |             numlines = _N_EVENTHANDLER_LINES
 51 |         else:
 52 |             handlers = True
 53 |         result = result.replace(
 54 |             '<phpfuzzer>',
 55 |             phpgrammar._generate_code(numlines),
 56 |             1
 57 |         )
 58 | 
 59 |     return result
 60 | 
 61 | 
 62 | def generate_samples(grammar_dir, outfiles):
 63 |     """Generates a set of samples and writes them to the output files.
 64 | 
 65 |     Args:
 66 |       grammar_dir: directory to load grammar files from.
 67 |       outfiles: A list of output filenames.
 68 |     """
 69 | 
 70 |     f = open(os.path.join(grammar_dir, 'template.php'))
 71 |     template = f.read()
 72 |     f.close()
 73 | 
 74 |     phpgrammar = Grammar()
 75 |     err = phpgrammar.parse_from_file(os.path.join(grammar_dir, 'php.txt'))
 76 |     if err > 0:
 77 |         print('There were errors parsing grammar')
 78 |         return
 79 | 
 80 |     for outfile in outfiles:
 81 |         result = generate_new_sample(template, phpgrammar)
 82 | 
 83 |         if result is not None:
 84 |             print('Writing a sample to ' + outfile)
 85 |             try:
 86 |                 f = open(outfile, 'w')
 87 |                 f.write(result)
 88 |                 f.close()
 89 |             except IOError:
 90 |                 print('Error writing to output')
 91 | 
 92 | 
 93 | def get_option(option_name):
 94 |     for i in range(len(sys.argv)):
 95 |         if (sys.argv[i] == option_name) and ((i + 1) < len(sys.argv)):
 96 |             return sys.argv[i + 1]
 97 |         elif sys.argv[i].startswith(option_name + '='):
 98 |             return sys.argv[i][len(option_name) + 1:]
 99 |     return None
100 | 
101 | 
102 | def main():
103 |     fuzzer_dir = os.path.dirname(__file__)
104 | 
105 |     multiple_samples = False
106 | 
107 |     for a in sys.argv:
108 |         if a.startswith('--output_dir='):
109 |             multiple_samples = True
110 | 
111 |     if '--output_dir' in sys.argv:
112 |         multiple_samples = True
113 | 
114 |     if multiple_samples:
115 |         print('Running on ClusterFuzz')
116 |         out_dir = get_option('--output_dir')
117 |         nsamples = int(get_option('--no_of_files'))
118 |         print('Output directory: ' + out_dir)
119 |         print('Number of samples: ' + str(nsamples))
120 | 
121 |         if not os.path.exists(out_dir):
122 |             os.mkdir(out_dir)
123 | 
124 |         outfiles = []
125 |         for i in range(nsamples):
126 |             outfiles.append(os.path.join(out_dir, 'fuzz-' + str(i).zfill(5) + '.php'))
127 | 
128 |         generate_samples(fuzzer_dir, outfiles)
129 | 
130 |     elif len(sys.argv) > 1:
131 |         outfile = sys.argv[1]
132 |         generate_samples(fuzzer_dir, [outfile])
133 | 
134 |     else:
135 |         print('Arguments missing')
136 |         print("Usage:")
137 |         print("\tpython generator.py <output file>")
138 |         print("\tpython generator.py --output_dir <output directory> --no_of_files <number of output files>")
139 | 
140 | 
141 | if __name__ == '__main__':
142 |     main()
143 | 


--------------------------------------------------------------------------------
/tools/domato/vbscript/generator.py:
--------------------------------------------------------------------------------
  1 | #   Domato - main generator script
  2 | #   -------------------------------
  3 | #
  4 | #   Written and maintained by Ivan Fratric <ifratric@google.com>
  5 | #
  6 | #   Copyright 2017 Google Inc. All Rights Reserved.
  7 | #   Licensed under the Apache License, Version 2.0 (the "License");
  8 | #   you may not use this file except in compliance with the License.
  9 | #   You may obtain a copy of the License at
 10 | #
 11 | #       http://www.apache.org/licenses/LICENSE-2.0
 12 | #
 13 | #   Unless required by applicable law or agreed to in writing, software
 14 | #   distributed under the License is distributed on an "AS IS" BASIS,
 15 | #   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 16 | #   See the License for the specific language governing permissions and
 17 | #   limitations under the License.
 18 | 
 19 | 
 20 | from __future__ import print_function
 21 | import os
 22 | import re
 23 | import random
 24 | import sys
 25 | 
 26 | parent_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), os.pardir))
 27 | sys.path.append(parent_dir)
 28 | from grammar import Grammar
 29 | 
 30 | _N_MAIN_LINES = 1000
 31 | _N_EVENTHANDLER_LINES = 300
 32 | 
 33 | def generate_function_body(jsgrammar, num_lines):
 34 |     js = jsgrammar._generate_code(num_lines)
 35 |     return js
 36 | 
 37 | def GenerateNewSample(template, jsgrammar):
 38 |     """Parses grammar rules from string.
 39 | 
 40 |     Args:
 41 |       template: A template string.
 42 |       htmlgrammar: Grammar for generating HTML code.
 43 |       cssgrammar: Grammar for generating CSS code.
 44 |       jsgrammar: Grammar for generating JS code.
 45 | 
 46 |     Returns:
 47 |       A string containing sample data.
 48 |     """
 49 | 
 50 |     result = template
 51 | 
 52 |     handlers = False
 53 |     while '<vbfuzzer>' in result:
 54 |         numlines = _N_MAIN_LINES
 55 |         if handlers:
 56 |             numlines = _N_EVENTHANDLER_LINES
 57 |         else:
 58 |             handlers = True
 59 |         result = result.replace(
 60 |             '<vbfuzzer>',
 61 |             generate_function_body(jsgrammar, numlines),
 62 |             1
 63 |         )
 64 | 
 65 |     return result
 66 | 
 67 | 
 68 | def generate_samples(grammar_dir, outfiles):
 69 |     """Generates a set of samples and writes them to the output files.
 70 | 
 71 |     Args:
 72 |       grammar_dir: directory to load grammar files from.
 73 |       outfiles: A list of output filenames.
 74 |     """
 75 | 
 76 |     f = open(os.path.join(grammar_dir, 'template.html'))
 77 |     template = f.read()
 78 |     f.close()
 79 | 
 80 |     jsgrammar = Grammar()
 81 |     err = jsgrammar.parse_from_file(os.path.join(grammar_dir, 'vbscript.txt'))
 82 |     if err > 0:
 83 |         print('There were errors parsing grammar')
 84 |         return
 85 | 
 86 |     for outfile in outfiles:
 87 |         result = GenerateNewSample(template, jsgrammar)
 88 | 
 89 |         if result is not None:
 90 |             print('Writing a sample to ' + outfile)
 91 |             try:
 92 |                 f = open(outfile, 'w')
 93 |                 f.write(result)
 94 |                 f.close()
 95 |             except IOError:
 96 |                 print('Error writing to output')
 97 | 
 98 | 
 99 | def get_option(option_name):
100 |     for i in range(len(sys.argv)):
101 |         if (sys.argv[i] == option_name) and ((i + 1) < len(sys.argv)):
102 |             return sys.argv[i + 1]
103 |         elif sys.argv[i].startswith(option_name + '='):
104 |             return sys.argv[i][len(option_name) + 1:]
105 |     return None
106 | 
107 | 
108 | def main():
109 |     fuzzer_dir = os.path.dirname(__file__)
110 | 
111 |     multiple_samples = False
112 | 
113 |     for a in sys.argv:
114 |         if a.startswith('--output_dir='):
115 |             multiple_samples = True
116 |     if '--output_dir' in sys.argv:
117 |         multiple_samples = True
118 | 
119 |     if multiple_samples:
120 |         print('Running on ClusterFuzz')
121 |         out_dir = get_option('--output_dir')
122 |         nsamples = int(get_option('--no_of_files'))
123 |         print('Output directory: ' + out_dir)
124 |         print('Number of samples: ' + str(nsamples))
125 | 
126 |         if not os.path.exists(out_dir):
127 |             os.mkdir(out_dir)
128 | 
129 |         outfiles = []
130 |         for i in range(nsamples):
131 |             outfiles.append(os.path.join(out_dir, 'fuzz-' + str(i).zfill(5) + '.html'))
132 | 
133 |         generate_samples(fuzzer_dir, outfiles)
134 | 
135 |     elif len(sys.argv) > 1:
136 |         outfile = sys.argv[1]
137 |         generate_samples(fuzzer_dir, [outfile])
138 | 
139 |     else:
140 |         print('Arguments missing')
141 |         print("Usage:")
142 |         print("\tpython generator.py <output file>")
143 |         print("\tpython generator.py --output_dir <output directory> --no_of_files <number of output files>")
144 | 
145 | if __name__ == '__main__':
146 |     main()
147 | 


--------------------------------------------------------------------------------
/tools/domato/canvas/generator.py:
--------------------------------------------------------------------------------
  1 | #   Domato - main generator script
  2 | #   -------------------------------
  3 | #
  4 | #   Written and maintained by Ivan Fratric <ifratric@google.com>
  5 | #
  6 | #   Copyright 2017 Google Inc. All Rights Reserved.
  7 | #   Licensed under the Apache License, Version 2.0 (the "License");
  8 | #   you may not use this file except in compliance with the License.
  9 | #   You may obtain a copy of the License at
 10 | #
 11 | #       http://www.apache.org/licenses/LICENSE-2.0
 12 | #
 13 | #   Unless required by applicable law or agreed to in writing, software
 14 | #   distributed under the License is distributed on an "AS IS" BASIS,
 15 | #   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 16 | #   See the License for the specific language governing permissions and
 17 | #   limitations under the License.
 18 | 
 19 | 
 20 | from __future__ import print_function
 21 | import os
 22 | import re
 23 | import random
 24 | import sys
 25 | 
 26 | parent_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), os.pardir))
 27 | sys.path.append(parent_dir)
 28 | from grammar import Grammar
 29 | 
 30 | _N_MAIN_LINES = 1000
 31 | _N_EVENTHANDLER_LINES = 500
 32 | 
 33 | def generate_function_body(jsgrammar, num_lines):
 34 |     js = ''
 35 |     js += jsgrammar._generate_code(num_lines)
 36 | 
 37 |     return js
 38 | 
 39 | def GenerateNewSample(template, jsgrammar):
 40 |     """Parses grammar rules from string.
 41 | 
 42 |     Args:
 43 |       template: A template string.
 44 |       htmlgrammar: Grammar for generating HTML code.
 45 |       cssgrammar: Grammar for generating CSS code.
 46 |       jsgrammar: Grammar for generating JS code.
 47 | 
 48 |     Returns:
 49 |       A string containing sample data.
 50 |     """
 51 | 
 52 |     result = template
 53 |     handlers = False
 54 |     while '<canvasfuzz>' in result:
 55 |         numlines = _N_MAIN_LINES
 56 |         if handlers:
 57 |             numlines = _N_EVENTHANDLER_LINES
 58 |         else:
 59 |             handlers = True
 60 |         result = result.replace(
 61 |             '<canvasfuzz>',
 62 |             generate_function_body(jsgrammar, numlines),
 63 |             1
 64 |         )
 65 | 
 66 |     return result
 67 | 
 68 | 
 69 | def generate_samples(grammar_dir, outfiles):
 70 |     """Generates a set of samples and writes them to the output files.
 71 | 
 72 |     Args:
 73 |       grammar_dir: directory to load grammar files from.
 74 |       outfiles: A list of output filenames.
 75 |     """
 76 | 
 77 |     f = open(os.path.join(grammar_dir, 'template.html'))
 78 |     template = f.read()
 79 |     f.close()
 80 | 
 81 |     jsgrammar = Grammar()
 82 |     err = jsgrammar.parse_from_file(os.path.join(grammar_dir, 'canvas.txt'))
 83 |     if err > 0:
 84 |         print('There were errors parsing grammar')
 85 |         return
 86 | 
 87 |     for outfile in outfiles:
 88 |         result = GenerateNewSample(template, jsgrammar)
 89 | 
 90 |         if result is not None:
 91 |             print('Writing a sample to ' + outfile)
 92 |             try:
 93 |                 f = open(outfile, 'w')
 94 |                 f.write(result)
 95 |                 f.close()
 96 |             except IOError:
 97 |                 print('Error writing to output')
 98 | 
 99 | 
100 | def get_option(option_name):
101 |     for i in range(len(sys.argv)):
102 |         if (sys.argv[i] == option_name) and ((i + 1) < len(sys.argv)):
103 |             return sys.argv[i + 1]
104 |         elif sys.argv[i].startswith(option_name + '='):
105 |             return sys.argv[i][len(option_name) + 1:]
106 |     return None
107 | 
108 | 
109 | def main():
110 |     fuzzer_dir = os.path.dirname(__file__)
111 | 
112 |     multiple_samples = False
113 | 
114 |     for a in sys.argv:
115 |         if a.startswith('--output_dir='):
116 |             multiple_samples = True
117 |     if '--output_dir' in sys.argv:
118 |         multiple_samples = True
119 | 
120 |     if multiple_samples:
121 |         print('Running on ClusterFuzz')
122 |         out_dir = get_option('--output_dir')
123 |         nsamples = int(get_option('--no_of_files'))
124 |         print('Output directory: ' + out_dir)
125 |         print('Number of samples: ' + str(nsamples))
126 | 
127 |         if not os.path.exists(out_dir):
128 |             os.mkdir(out_dir)
129 | 
130 |         outfiles = []
131 |         for i in range(nsamples):
132 |             outfiles.append(os.path.join(out_dir, 'fuzz-' + str(i).zfill(5) + '.html'))
133 | 
134 |         generate_samples(fuzzer_dir, outfiles)
135 | 
136 |     elif len(sys.argv) > 1:
137 |         outfile = sys.argv[1]
138 |         generate_samples(fuzzer_dir, [outfile])
139 | 
140 |     else:
141 |         print('Arguments missing')
142 |         print("Usage:")
143 |         print("\tpython generator.py <output file>")
144 |         print("\tpython generator.py --output_dir <output directory> --no_of_files <number of output files>")
145 | 
146 | if __name__ == '__main__':
147 |     main()
148 | 


--------------------------------------------------------------------------------
/tools/domato/webgl/generator.py:
--------------------------------------------------------------------------------
  1 | #   Domato - main generator script
  2 | #   -------------------------------
  3 | #
  4 | #   Written and maintained by Ivan Fratric <ifratric@google.com>
  5 | #
  6 | #   Copyright 2017 Google Inc. All Rights Reserved.
  7 | #   Licensed under the Apache License, Version 2.0 (the "License");
  8 | #   you may not use this file except in compliance with the License.
  9 | #   You may obtain a copy of the License at
 10 | #
 11 | #       http://www.apache.org/licenses/LICENSE-2.0
 12 | #
 13 | #   Unless required by applicable law or agreed to in writing, software
 14 | #   distributed under the License is distributed on an "AS IS" BASIS,
 15 | #   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 16 | #   See the License for the specific language governing permissions and
 17 | #   limitations under the License.
 18 | 
 19 | 
 20 | from __future__ import print_function
 21 | import os
 22 | import re
 23 | import random
 24 | import sys
 25 | 
 26 | parent_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), os.pardir))
 27 | sys.path.append(parent_dir)
 28 | from grammar import Grammar
 29 | 
 30 | _N_MAIN_LINES = 100
 31 | _N_EVENTHANDLER_LINES = 1
 32 | 
 33 | def generate_function_body(jsgrammar, num_lines):
 34 |     js = ''
 35 |     js += jsgrammar._generate_code(num_lines)
 36 | 
 37 |     return js
 38 | 
 39 | def GenerateNewSample(template, jsgrammar):
 40 |     """Parses grammar rules from string.
 41 | 
 42 |     Args:
 43 |       template: A template string.
 44 |       htmlgrammar: Grammar for generating HTML code.
 45 |       cssgrammar: Grammar for generating CSS code.
 46 |       jsgrammar: Grammar for generating JS code.
 47 | 
 48 |     Returns:
 49 |       A string containing sample data.
 50 |     """
 51 | 
 52 |     result = template
 53 |     handlers = False
 54 |     while '<glfuzz>' in result:
 55 |         numlines = _N_MAIN_LINES
 56 |         if handlers:
 57 |             numlines = _N_EVENTHANDLER_LINES
 58 |         else:
 59 |             handlers = True
 60 |         result = result.replace(
 61 |             '<glfuzz>',
 62 |             generate_function_body(jsgrammar, numlines),
 63 |             1
 64 |         )
 65 | 
 66 |     return result
 67 | 
 68 | 
 69 | def generate_samples(grammar_dir, outfiles):
 70 |     """Generates a set of samples and writes them to the output files.
 71 | 
 72 |     Args:
 73 |       grammar_dir: directory to load grammar files from.
 74 |       outfiles: A list of output filenames.
 75 |     """
 76 | 
 77 |     f = open(os.path.join(grammar_dir, 'template.html'))
 78 |     template = f.read()
 79 |     f.close()
 80 | 
 81 |     jsgrammar = Grammar()
 82 |     err = jsgrammar.parse_from_file(os.path.join(grammar_dir, 'webgl.txt'))
 83 |     if err > 0:
 84 |         print('There were errors parsing grammar')
 85 |         return
 86 | 
 87 |     for outfile in outfiles:
 88 |         
 89 |         result = GenerateNewSample(template, jsgrammar)
 90 | 
 91 |         if result is not None:
 92 |             print('Writing a sample to ' + outfile)
 93 |             try:
 94 |                 f = open(outfile, 'w')
 95 |                 f.write(result)
 96 |                 f.close()
 97 |             except IOError:
 98 |                 print('Error writing to output')
 99 | 
100 | 
101 | def get_option(option_name):
102 |     for i in range(len(sys.argv)):
103 |         if (sys.argv[i] == option_name) and ((i + 1) < len(sys.argv)):
104 |             return sys.argv[i + 1]
105 |         elif sys.argv[i].startswith(option_name + '='):
106 |             return sys.argv[i][len(option_name) + 1:]
107 |     return None
108 | 
109 | 
110 | def main():
111 |     fuzzer_dir = os.path.dirname(__file__)
112 | 
113 |     multiple_samples = False
114 | 
115 |     for a in sys.argv:
116 |         if a.startswith('--output_dir='):
117 |             multiple_samples = True
118 |     if '--output_dir' in sys.argv:
119 |         multiple_samples = True
120 | 
121 |     if multiple_samples:
122 |         print('Running on ClusterFuzz')
123 |         out_dir = get_option('--output_dir')
124 |         nsamples = int(get_option('--no_of_files'))
125 |         print('Output directory: ' + out_dir)
126 |         print('Number of samples: ' + str(nsamples))
127 | 
128 |         if not os.path.exists(out_dir):
129 |             os.mkdir(out_dir)
130 | 
131 |         outfiles = []
132 |         for i in range(nsamples):
133 |             outfiles.append(os.path.join(out_dir, 'fuzz-' + str(i).zfill(5) + '.html'))
134 | 
135 |         generate_samples(fuzzer_dir, outfiles)
136 | 
137 |     elif len(sys.argv) > 1:
138 |         outfile = sys.argv[1]
139 |         generate_samples(fuzzer_dir, [outfile])
140 | 
141 |     else:
142 |         print('Arguments missing')
143 |         print("Usage:")
144 |         print("\tpython generator.py <output file>")
145 |         print("\tpython generator.py --output_dir <output directory> --no_of_files <number of output files>")
146 | 
147 | if __name__ == '__main__':
148 |     main()
149 | 


--------------------------------------------------------------------------------
/tools/domato/jscript/generator.py:
--------------------------------------------------------------------------------
  1 | #   Domato - main generator script
  2 | #   -------------------------------
  3 | #
  4 | #   Written and maintained by Ivan Fratric <ifratric@google.com>
  5 | #
  6 | #   Copyright 2017 Google Inc. All Rights Reserved.
  7 | #   Licensed under the Apache License, Version 2.0 (the "License");
  8 | #   you may not use this file except in compliance with the License.
  9 | #   You may obtain a copy of the License at
 10 | #
 11 | #       http://www.apache.org/licenses/LICENSE-2.0
 12 | #
 13 | #   Unless required by applicable law or agreed to in writing, software
 14 | #   distributed under the License is distributed on an "AS IS" BASIS,
 15 | #   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 16 | #   See the License for the specific language governing permissions and
 17 | #   limitations under the License.
 18 | 
 19 | 
 20 | from __future__ import print_function
 21 | import os
 22 | import re
 23 | import random
 24 | import sys
 25 | 
 26 | parent_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), os.pardir))
 27 | sys.path.append(parent_dir)
 28 | from grammar import Grammar
 29 | 
 30 | _N_MAIN_LINES = 1000
 31 | _N_EVENTHANDLER_LINES = 500
 32 | 
 33 | def generate_function_body(jsgrammar, num_lines):
 34 |     js = ''
 35 |     js += '//beginjs\n'
 36 |     js += jsgrammar._generate_code(num_lines)
 37 |     js += '\n//endjs\n'
 38 |     js += 'CollectGarbage();\n'
 39 |     if random.random() < 0.1:
 40 |       js += 'throw new Error();\n'
 41 |     else:
 42 |       js += 'return vars[' + str(random.randint(0,99)) + '];\n'
 43 |     return js
 44 | 
 45 | def GenerateNewSample(template, jsgrammar):
 46 |     """Parses grammar rules from string.
 47 | 
 48 |     Args:
 49 |       template: A template string.
 50 |       htmlgrammar: Grammar for generating HTML code.
 51 |       cssgrammar: Grammar for generating CSS code.
 52 |       jsgrammar: Grammar for generating JS code.
 53 | 
 54 |     Returns:
 55 |       A string containing sample data.
 56 |     """
 57 | 
 58 |     result = template
 59 | 
 60 |     handlers = False
 61 |     while '<jsfuzzer>' in result:
 62 |         numlines = _N_MAIN_LINES
 63 |         if handlers:
 64 |             numlines = _N_EVENTHANDLER_LINES
 65 |         else:
 66 |             handlers = True
 67 |         result = result.replace(
 68 |             '<jsfuzzer>',
 69 |             generate_function_body(jsgrammar, numlines),
 70 |             1
 71 |         )
 72 | 
 73 |     return result
 74 | 
 75 | 
 76 | def generate_samples(grammar_dir, outfiles):
 77 |     """Generates a set of samples and writes them to the output files.
 78 | 
 79 |     Args:
 80 |       grammar_dir: directory to load grammar files from.
 81 |       outfiles: A list of output filenames.
 82 |     """
 83 | 
 84 |     f = open(os.path.join(grammar_dir, 'template.html'))
 85 |     template = f.read()
 86 |     f.close()
 87 | 
 88 |     jsgrammar = Grammar()
 89 |     err = jsgrammar.parse_from_file(os.path.join(grammar_dir, 'jscript.txt'))
 90 |     if err > 0:
 91 |         print('There were errors parsing grammar')
 92 |         return
 93 | 
 94 |     for outfile in outfiles:
 95 |         result = GenerateNewSample(template, jsgrammar)
 96 | 
 97 |         if result is not None:
 98 |             print('Writing a sample to ' + outfile)
 99 |             try:
100 |                 f = open(outfile, 'w')
101 |                 f.write(result)
102 |                 f.close()
103 |             except IOError:
104 |                 print('Error writing to output')
105 | 
106 | 
107 | def get_option(option_name):
108 |     for i in range(len(sys.argv)):
109 |         if (sys.argv[i] == option_name) and ((i + 1) < len(sys.argv)):
110 |             return sys.argv[i + 1]
111 |         elif sys.argv[i].startswith(option_name + '='):
112 |             return sys.argv[i][len(option_name) + 1:]
113 |     return None
114 | 
115 | 
116 | def main():
117 |     fuzzer_dir = os.path.dirname(__file__)
118 | 
119 |     multiple_samples = False
120 | 
121 |     for a in sys.argv:
122 |         if a.startswith('--output_dir='):
123 |             multiple_samples = True
124 |     if '--output_dir' in sys.argv:
125 |         multiple_samples = True
126 | 
127 |     if multiple_samples:
128 |         print('Running on ClusterFuzz')
129 |         out_dir = get_option('--output_dir')
130 |         nsamples = int(get_option('--no_of_files'))
131 |         print('Output directory: ' + out_dir)
132 |         print('Number of samples: ' + str(nsamples))
133 | 
134 |         if not os.path.exists(out_dir):
135 |             os.mkdir(out_dir)
136 | 
137 |         outfiles = []
138 |         for i in range(nsamples):
139 |             outfiles.append(os.path.join(out_dir, 'fuzz-' + str(i).zfill(5) + '.html'))
140 | 
141 |         generate_samples(fuzzer_dir, outfiles)
142 | 
143 |     elif len(sys.argv) > 1:
144 |         outfile = sys.argv[1]
145 |         generate_samples(fuzzer_dir, [outfile])
146 | 
147 |     else:
148 |         print('Arguments missing')
149 |         print("Usage:")
150 |         print("\tpython generator.py <output file>")
151 |         print("\tpython generator.py --output_dir <output directory> --no_of_files <number of output files>")
152 | 
153 | if __name__ == '__main__':
154 |     main()
155 | 


--------------------------------------------------------------------------------
/src/web_api/web_object.py:
--------------------------------------------------------------------------------
  1 | import json
  2 | 
  3 | 
  4 | class WebObject():
  5 |     __grammar = None
  6 |     __instance = {}
  7 | 
  8 |     @classmethod
  9 |     def __getInstance(cls, name):
 10 |         return cls.__instance[name]
 11 |     
 12 |     @classmethod
 13 |     def create(cls, name):
 14 |         if not cls.__grammar:
 15 |             with open("src/web_api/grammar.json") as f:
 16 |                 print('[+] load web api grammar')
 17 |                 cls.__grammar = json.load(f)
 18 |                 # print(cls.__grammar)
 19 | 
 20 |         if name in cls.__grammar:
 21 |             if name in cls.__instance:
 22 |                 return cls.__getInstance(name)
 23 |             else:
 24 |                 cls.__instance[name] = cls(name, cls.__grammar[name])
 25 |                 return cls.__getInstance(name)
 26 |         else:
 27 |             return None
 28 | 
 29 |     def __init__(self, name, meta):
 30 |         self.name = name
 31 |         self.inherit = [WebObject.create(name) for name in meta["inherit"]]
 32 |         self.constructors = meta["constructors"]
 33 |         self.properties = meta["properties"]
 34 |         self.methods = meta["methods"]
 35 |         self.events = meta["events"]
 36 |         self.descendant = []
 37 | 
 38 |         try:
 39 |             self.inherit.remove(None)
 40 |         except ValueError as e:
 41 |             pass
 42 | 
 43 |         for i in self.inherit:
 44 |             self.properties = {**i.properties, **self.properties}
 45 |             self.methods = {**i.methods, **self.methods}
 46 |             self.events = self.events + i.events
 47 |             i.set_descendant(self.name)
 48 |         self.events = list(set(self.events))
 49 | 
 50 |     def get_property_candidate(self):
 51 |         return list(self.properties.keys())
 52 | 
 53 |     def get_writable_property_candidate(self):
 54 |         prop = list(a for a in self.properties.keys() if not self.properties[a]['read_only'])
 55 |         event = ["on" + sub for sub in self.events]
 56 |         return prop + event
 57 | 
 58 |     def get_property_return(self, name):
 59 |         if name.startswith("on"):
 60 |             return "Function"
 61 |         return self.properties[name]["ret"]
 62 | 
 63 |     def get_method_candidate(self):
 64 |         return list(self.methods.keys())
 65 | 
 66 |     def get_method_params(self, name):
 67 |         return self.methods[name]["params"]
 68 | 
 69 |     def is_method_static(self, name):
 70 |         return self.methods[name]["static"]
 71 | 
 72 |     def get_method_return(self, name):
 73 |         return self.methods[name]["ret"]
 74 | 
 75 |     def get_event_candidate(self):
 76 |         return self.events
 77 | 
 78 |     def get_constructor_candidate(self):
 79 |         return list(self.constructors.keys())
 80 | 
 81 |     def is_constructor_new(self, name):
 82 |         return self.constructors[name]["new"]
 83 | 
 84 |     def get_constructor_return(self, name):
 85 |         return self.constructors[name]["ret"]
 86 | 
 87 |     def set_descendant(self, name):
 88 |         self.descendant.append(name)
 89 |         for i in self.inherit:
 90 |             i.set_descendant(name)
 91 | 
 92 |     def get_descendant(self):
 93 |         return self.descendant
 94 | 
 95 | def object_test():
 96 |     with open("src/web_api/grammar.json") as f:
 97 |         grammar = json.load(f)
 98 | 
 99 |     done = list(grammar.keys())
100 |     todo = []
101 | 
102 |     for obj in done:
103 |         instance = WebObject.create(obj)
104 | 
105 |         arr = instance.get_property_candidate()
106 |         for name in arr:
107 |             ret = instance.get_property_return(name)
108 |             
109 |             if ret not in done:
110 |                 todo.append(ret)
111 | 
112 |         arr = instance.get_method_candidate()
113 |         for name in arr:
114 |             ret = instance.get_method_return(name)
115 |             if ret not in done:
116 |                 todo.append(ret)
117 | 
118 |     todo = list(set(todo))
119 |     print(todo)
120 | 
121 | def main():
122 |     # obj = WebObject.create("aa")
123 |     # obj2 = WebObject.create("bb")
124 | 
125 |     # # Node
126 |     # obj3 = WebObject.create("Node")
127 |     # print(obj3.name)
128 |     # print(obj3.inherit)
129 |     # print(obj3.get_property_candidate())
130 |     # print(obj3.get_writable_property_candidate())
131 |     # print(obj3.get_property_return("baseURI"))
132 |     # print(obj3.get_method_candidate())
133 |     # print(obj3.get_method_params("appendChild"))
134 |     # print(obj3.get_method_return("appendChild"))
135 |     # print(obj3.get_event_candidate())
136 | 
137 |     # # Element
138 |     obj4 = WebObject.create("Element")
139 |     print(obj4.name)
140 |     print(obj4.inherit)
141 |     print(obj4.get_property_candidate())
142 |     print(obj4.get_writable_property_candidate())
143 |     print(obj4.get_property_return("onmousemove"))
144 |     
145 |     # print(obj4.get_property_return("attributes"))
146 |     # print(obj4.get_method_candidate())
147 |     # print(obj4.get_method_params("addEventListener"))
148 |     # print(obj4.get_method_return("addEventListener"))
149 |     # print(obj4.get_event_candidate())
150 | 
151 |     # object_test()
152 | 
153 |     # h = WebObject.create("HTMLElement")
154 |     # print(h.descendant)
155 |     # # print([i.name for i in obj.inherit])
156 | 
157 |     # n = WebObject.create("Node")
158 |     # print(n.descendant)
159 | 
160 |     # e = WebObject.create("Element")
161 |     # print(e.descendant)
162 | 
163 |     # d = WebObject.create("Document")
164 |     # print(d.descendant)
165 | 
166 |     # a = WebObject.create("DocumentFragment")
167 |     # print(a.descendant)
168 | 
169 |     # a = WebObject.create("GlobalEventHandlers")
170 |     # print(a.descendant)
171 | 
172 |     # print(n.descendant)
173 |     # print(e.descendant)
174 | 
175 | 
176 | if __name__ == "__main__":
177 |     main()


--------------------------------------------------------------------------------
/tools/domato/php/php.txt:
--------------------------------------------------------------------------------
  1 | <root root=true> = <lines count=1024>
  2 | 
  3 | !lineguard try { <line> } catch (Throwable $e) { }
  4 | 
  5 | <fuzzvoid> = 
  6 | 
  7 | <fuzzbool> = true
  8 | <fuzzbool> = false
  9 | 
 10 | <interestingint> = 32768
 11 | <interestingint> = 65535
 12 | <interestingint> = 65536
 13 | <interestingint> = 1073741824
 14 | <interestingint> = 536870912
 15 | <interestingint> = 268435456
 16 | <interestingint> = 4294967295
 17 | <interestingint> = 2147483648
 18 | <interestingint> = 2147483647
 19 | <interestingint> = -2147483648
 20 | <interestingint> = -1073741824
 21 | <interestingint> = -32769
 22 | 
 23 | <largeint> = 536870911
 24 | <largeint> = 536870912
 25 | <largeint> = 1073741823
 26 | <largeint> = 1073741824
 27 | <largeint> = 2147483647
 28 | <largeint> = 2147483648
 29 | <largeint> = 4294967295
 30 | <largeint> = 4294967296
 31 | <largeint> = 18446744073709551615
 32 | <largeint> = 18446744073709551616
 33 | 
 34 | 
 35 | <fuzzint> = 0
 36 | <fuzzint> = 1
 37 | <fuzzint> = -1
 38 | <fuzzint> = 2
 39 | <fuzzint> = 3
 40 | <fuzzint> = 4
 41 | <fuzzint> = 5
 42 | <fuzzint> = 10
 43 | <fuzzint> = 100
 44 | <fuzzint> = 1000
 45 | <fuzzint> = 1000000
 46 | <fuzzint> = <int>
 47 | <fuzzint> = <largeint>
 48 | <fuzzint> = -<largeint>
 49 | <fuzzint> = <interestingint>
 50 | 
 51 | <fuzznumber> = <fuzzint>
 52 | <fuzznumber> = <float>
 53 | <fuzznumber> = <double>
 54 | 
 55 | <fuzzstring> = str_repeat("A", 0x100)
 56 | <fuzzstring> = implode(array_map(function($c) {return "\\x" . str_pad(dechex($c), 2, "0");}, range(0, 255)))
 57 | <fuzzstring> = str_repeat("%s%x%n", 0x100)
 58 | <fuzzstring> = <fuzzstringpart>
 59 | <fuzzstring> = <fuzzstringpart> . <fuzzstringpart>
 60 | <fuzzstring> = <fuzzstringpart> . <fuzzstringpart> . <fuzzstringpart>
 61 | #<fuzzstring> = "<htmlsafestring>"
 62 | <fuzzstringpart> = str_repeat(chr(<int min=0 max=256>), <repeatcount>)
 63 | <repeatcount> = 17
 64 | <repeatcount> = 65
 65 | <repeatcount> = 257
 66 | <repeatcount> = 1025
 67 | <repeatcount> = 4097
 68 | <repeatcount> = 65537
 69 | 
 70 | <fuzzpath> = <fuzzstring>
 71 | <fuzzpath> = "/dev/null"
 72 | <fuzzpath> = "/../../../../../../../../../etc/passwd"
 73 | 
 74 | <fuzzarray> = range(0, 10)
 75 | <fuzzarray> = array("a" => 1, "b" => "2", "c" => 3.0)
 76 | 
 77 | <fuzzfunction> = phpinfo
 78 | 
 79 | <fuzzobject> = $vars[array_rand($vars)]
 80 | 
 81 | <fuzzarray|object> = <fuzzobject>
 82 | <fuzzarray|object> = <fuzzarray>
 83 | 
 84 | <fuzzclass> = array_rand($vars)
 85 | 
 86 | <fuzzclass|obj> = <fuzzclass>
 87 | <fuzzclass|obj> = <fuzzclass>()
 88 | 
 89 | <fuzzstring|obj> = <fuzzstring>
 90 | <fuzzstring|obj> = <fuzzobject>
 91 | 
 92 | <fuzzstring|array> = <fuzzstring>
 93 | <fuzzstring|array> = <fuzzarray>
 94 | 
 95 | <fuzzstring|number> = <fuzzstring>
 96 | <fuzzstring|number> = <fuzznumber>
 97 | 
 98 | <fuzzmixed> = <fuzznumber>
 99 | <fuzzmixed> = <fuzzbool>
100 | <fuzzmixed> = <fuzzstring>
101 | <fuzzmixed> = <fuzzarray>
102 | 
103 | <fuzzvariadic> = <fuzzmixed>
104 | <fuzzvariadic> = <fuzzmixed>, <fuzzmixed>
105 | <fuzzvariadic> = <fuzzmixed>, <fuzzmixed>, <fuzzmixed>
106 | <fuzzvariadic> = <fuzzmixed>, <fuzzmixed>, <fuzzmixed>, <fuzzmixed>
107 | <fuzzvariadic> = <fuzzmixed>, <fuzzmixed>, <fuzzmixed>, <fuzzmixed>, <fuzzmixed>
108 | 
109 | <fuzzboolreference> = $ref_bool
110 | <fuzzintreference> = $ref_int
111 | <fuzzstringreference> = $ref_string
112 | <fuzzarrayreference> = $ref_array
113 | <fuzzobjectreference> = $ref_object
114 | <fuzzresourcereference> = $ref_resource
115 | <fuzzpathreference> = $ref_path
116 | 
117 | <fuzzref> = <fuzzboolreference>
118 | <fuzzref> = <fuzzintreference>
119 | <fuzzref> = <fuzzstringreference>
120 | <fuzzref> = <fuzzarrayreference>
121 | <fuzzref> = <fuzzobjectreference>
122 | <fuzzref> = <fuzzresourcereference>
123 | <fuzzref> = <fuzzpathreference>
124 | 
125 | <fuzzstring|array> = <fuzzstring>
126 | <fuzzstring|array> = <fuzzarray>
127 | 
128 | <fuzzfunction|int> = <fuzzfunction>
129 | <fuzzfunction|int> = <fuzzint>
130 | 
131 | <fuzzIterator> = new ArrayIterator(array(0))
132 | 
133 | <fuzzresource> = fopen("/dev/null", "r")
134 | <fuzzresource> = fopen("/etc/passwd", "r")
135 | <fuzzresource> = fopen("/tmp/doesntexist", "w")
136 | 
137 | <fuzzDateTime> = new DateTime()
138 | <fuzzDateTimeZone> = new DateTimeZone("America/Chicago")
139 | <fuzzDateTimeImmutable> = new DateTimeImmutable()
140 | <fuzzDateInterval> = new DateInterval("P2Y4DT6H8M")
141 | <fuzzDateTimeInterface> = new DateTime()
142 | 
143 | <fuzzDOMNode> = new DOMNode()
144 | <fuzzDOMAttr> = new DOMAttr("attr")
145 | <fuzzDOMDocument> = new DOMDocument()
146 | <fuzzDOMDocumentType> = new DOMDocumentType()
147 | <fuzzDOMElement> = new DOMElement("root")
148 | <fuzzDOMNodeList> = new DOMNodeList()
149 | <fuzzDOMDocumentFragment> = new DOMDocumentFragment()
150 | <fuzzDOMText> = new DOMText()
151 | <fuzzDOMCDATASection> = new DOMCDATASection("root value")
152 | <fuzzDOMProcessingInstruction> = new DOMProcessingInstruction("php", "phpinfo()")
153 | <fuzzDOMEntityReference> = new DOMEntityReference("nbsp")
154 | <fuzzDOMComment> = new DOMComment()
155 | 
156 | <fuzzRecursiveIterator> = new RecursiveIterator()
157 | 
158 | <fuzzSplObjectStorage> = new SplObjectStorage()
159 | <fuzzSplFixedArray> = new SplFixedArray()
160 | 
161 | <fuzzReflector> = new ReflectionClass("ZipArchive")
162 | <fuzzReflectionClass> = new ReflectionClass($vars[array_rand($vars)])
163 | <fuzzReflectionClassConstant> = new ReflectionClassConstant("ZipArchive", "ZIP_ER_OK")
164 | <fuzzReflectionType> = new ReflectionType()
165 | <fuzzReflectionFunctionAbstract> = new ReflectionFunctionAbstract()
166 | <fuzzReflectionExtension> = new ReflectionExtension("Reflection")
167 | <fuzzReflectionProperty> = new ReflectionProperty("ZipArchive", "filename")
168 | <fuzzReflectionMethod> = new ReflectionMethod("ZipArchive", "getStatusString")
169 | 
170 | <fuzzTraversable> = new ArrayIterator(array(0))
171 | 
172 | <fuzzThrowable> = new Exception()
173 | 
174 | <fuzzHashContext> = hash_init("md5")
175 | 
176 | <fuzzSimpleXMLElement> = new SimpleXMLElement("<lt>a<gt>a<lt>/a<gt>")
177 | <fuzzSimpleXMLIterator> = new SimpleXMLIterator("<lt>a<gt>a<lt>/a<gt>")
178 | 
179 | <fuzzPhar> = new Phar("/tmp/fuzz.phar")
180 | <fuzzPharData> = new PharData("/tmp/fuzz.tar"))
181 | 
182 | <fuzzRecursiveFilterIterator> = new RecursiveFilterIterator(new RecursiveIterator())
183 | 
184 | <fuzzDirectory> = dir("/tmp")
185 | 
186 | <fuzzClosure> = function () { return 0; }
187 | 
188 | <fuzzGenerator> = (function () { yield 0; })()
189 | 
190 | !include ./php_generated.txt
191 | 
192 | ### OTHER
193 | 
194 | <fuzzline> = <methodcall>;
195 | <fuzzline> = <functioncall>;
196 | 
197 | ### LINES
198 | 
199 | !begin lines
200 | 
201 | <fuzzline>
202 | 
203 | !end lines
204 | 


--------------------------------------------------------------------------------
/src/fuzzer/minimizer.py:
--------------------------------------------------------------------------------
  1 | import sys
  2 | import os
  3 | import signal
  4 | import shutil
  5 | import secrets
  6 | import random
  7 | 
  8 | from bs4 import BeautifulSoup
  9 | 
 10 | from src.fuzzer.exception import TestcaseTimeout
 11 | from src.fuzzer.reproducer import Fuzzer
 12 | 
 13 | from tools.lithium.src.lithium.testcases import TestcaseLine
 14 | from tools.lithium.src.lithium.strategies import Minimize
 15 | 
 16 | fuzzer = None
 17 | 
 18 | class Minimizer:
 19 |     def __init__(self, target, binary, testcase):
 20 |         self.target = target
 21 |         self.binary = binary
 22 |         self.testcase = testcase
 23 |         self.testcase_name = ""
 24 |         self.sub_name = ""
 25 |         self.child_name = ""
 26 |         self.child_sub_name = ""
 27 | 
 28 |         self.limit_try = 30
 29 |         self.max_try = 0
 30 |         self.best_try = self.limit_try
 31 |         
 32 | 
 33 |         self.base_url = "http://127.0.0.1:70"
 34 |         self.base_data = "new_servers/data"
 35 | 
 36 |         self.idx = secrets.token_hex(4)
 37 |         self.working_dir = os.path.join("minimize", self.idx)
 38 |         self.original_dir = os.path.join(self.working_dir, "original")
 39 |         self.best_dir = os.path.join(self.working_dir, "best")
 40 |         self.cur_dir = os.path.join(self.working_dir, "cur")
 41 |         self.raw_dir = os.path.join(self.working_dir, "raw")
 42 |         
 43 |         if not os.path.exists(self.working_dir):
 44 |             os.makedirs(self.working_dir)
 45 | 
 46 |         if not os.path.exists(self.original_dir):
 47 |             os.makedirs(self.original_dir)
 48 | 
 49 |         if not os.path.exists(self.best_dir):
 50 |             os.makedirs(self.best_dir)
 51 | 
 52 |         if not os.path.exists(self.cur_dir):
 53 |             os.makedirs(self.cur_dir)
 54 | 
 55 |         if not os.path.exists(self.raw_dir):
 56 |             os.makedirs(self.raw_dir)
 57 | 
 58 |         self.origins = 0
 59 |         self.pages = 0
 60 | 
 61 |         self.get_origins_pages(self.testcase)
 62 | 
 63 |         self.testcase_copy(self.testcase, self.original_dir)
 64 |         self.testcase_copy(self.testcase, self.best_dir)
 65 | 
 66 |     def get_origins_pages(self, src):
 67 |         arr = os.listdir(src)
 68 |         self.testcase_name = arr[0].split("_")[0]
 69 | 
 70 |         for item in arr:
 71 |             origin = int(item.split("_")[1])
 72 |             page = int(item.split("_")[2].split(".")[0])
 73 | 
 74 |             if origin > self.origins:
 75 |                 self.origins = origin
 76 |             if page > self.pages:
 77 |                 self.pages = page
 78 | 
 79 | 
 80 |     def testcase_copy(self, src, dest):
 81 |         arr = os.listdir(src)
 82 | 
 83 |         for item in arr:
 84 |             shutil.copyfile(os.path.join(src, item), os.path.join(dest, item))
 85 | 
 86 |     def testcase_to_server(self):
 87 |         arr = os.listdir(self.cur_dir)
 88 | 
 89 |         for item in arr:
 90 |             origin = item.split("_")[1]
 91 | 
 92 |             src = os.path.join(self.cur_dir, item)
 93 |             dest = os.path.join(self.base_data, f"idx_{origin}", item)
 94 |             print(f'[+] copy {src} -> {dest}')
 95 |             shutil.copyfile(src, dest)
 96 | 
 97 | 
 98 |     def fuzzer_run(self, init=False, count=0):
 99 |         global fuzzer
100 | 
101 |         self.testcase_to_server()
102 | 
103 |         print('debug')
104 |         print(f'init:{init}, count:{count}')
105 | 
106 |         fuzzer = Fuzzer(self.target, self.binary, fuzzer_idx=999)
107 |         fuzzer.initialize()
108 |         fuzzer.testcase_name = f"{self.testcase_name}_0_0.html"
109 |         ret = fuzzer.run(count=count)
110 |         fuzzer.finalize()
111 | 
112 |         if init and (ret == -1):
113 |             print("[-] reproduce fail :(")
114 |             exit(-1)
115 | 
116 |         if ret >= 0:
117 |             if ret > self.max_try:
118 |                 self.max_try = ret
119 |             if ret < self.best_try:
120 |                 self.best_try = ret
121 | 
122 |         if ret == -1:
123 |             print('[-] fuzzer_run: FAIL')
124 |             return False
125 |         else:
126 |             print('[+] fuzzer_run: SUCCESS')
127 |             return True
128 | 
129 |     def dry_run(self):
130 |         self.testcase_copy(self.best_dir, self.cur_dir)
131 |         self.fuzzer_run(init=True, count=self.limit_try)
132 | 
133 |     def fuzzer_test(self, idx, name, count=0):
134 |         if count > self.limit_try:
135 |             count = self.limit_try
136 |         count = 1
137 |         ret = self.fuzzer_run(count=count)
138 |         src = os.path.join(self.cur_dir, name)
139 |         dest = os.path.join(self.raw_dir, f"{idx}_{name}_{ret}")
140 |         shutil.copyfile(src, dest)
141 |         return ret
142 | 
143 |     def run(self):
144 |         print("[+] start reproduce dry run")
145 |         self.dry_run()
146 |         print("[+] finish reproduce dry run")
147 | 
148 |         round = 1
149 |         for i in range(round):
150 |             print(f"[+] {i+1} round")
151 |             for origin in range(self.origins+1):
152 |                 for page in range(self.pages+1):
153 |                     self.minimize_html(origin, page)
154 | 
155 |         print("[+] finish minimize")
156 |         print('[+] done')
157 | 
158 |     def minimize_html(self, origin, page):
159 |         name = f"{self.testcase_name}_{origin}_{page}.html"
160 | 
161 |         self.testcase_copy(self.best_dir, self.cur_dir)
162 |         src = os.path.join(self.best_dir, name)
163 |         dest = os.path.join(self.cur_dir, name)
164 | 
165 |         tc = TestcaseLine()
166 |         tc.load(src)
167 | 
168 |         st = Minimize()
169 |         reduction = st.reduce(tc)
170 | 
171 |         for i, attempt in enumerate(reduction):
172 |             if i > 1000:
173 |                 break
174 |             attempt.dump(dest)
175 |             ret = self.fuzzer_test(i, name, count=self.max_try * 2)
176 | 
177 |             if ret:
178 |                 attempt.dump(src)
179 |             reduction.feedback(ret)
180 | 
181 |         testcase = reduction.testcase
182 |         testcase.dump(src)
183 | 
184 | 
185 | 
186 | 
187 | 
188 | def handler(signum, frame):
189 |     if signum == signal.SIGALRM:
190 |         print('[-] Signal handler called with signal', signum)
191 |         raise TestcaseTimeout("testcase timeout")
192 | 
193 |     else:
194 |         print('\n\n[-] Signal handler called with signal', signum)
195 |         print("[+] Fuzzer will be terminated")
196 |         if fuzzer:
197 |             fuzzer.finalize()
198 |         print("[+] Fuzzer terminated")
199 |         os._exit(1)
200 | 
201 | 
202 | def main():
203 | 
204 |     target = sys.argv[1]
205 |     binary = sys.argv[2]
206 |     testcase = sys.argv[3]
207 |     idx = 999
208 | 
209 |     signal.signal(signal.SIGINT, handler)
210 |     signal.signal(signal.SIGALRM, handler)
211 | 
212 |     mininizer = Minimizer(target, binary, testcase)
213 |     mininizer.run()
214 | 
215 | 
216 | if __name__ == "__main__":
217 |     main()
218 | 


--------------------------------------------------------------------------------
/tools/domato/php/parse_types.py:
--------------------------------------------------------------------------------
  1 | import glob
  2 | import re
  3 | import sys
  4 | 
  5 | fun = re.compile(r"PHP_FUNCTION\((.+)\)")
  6 | met = re.compile(r"PHP_METHOD\(([^,]+), (.+)\)")
  7 | ftype = re.compile(r'zend_parse_parameters\([^,]+, "(.+)"')
  8 | 
  9 | in_func = False
 10 | in_meth = False
 11 | func = meth = obj = None
 12 | objs = set()
 13 | 
 14 | 
 15 | if len(sys.argv) != 2:
 16 |     print('Usage: %s /path/to/php/source/code' % sys.argv[0])
 17 |     sys.exit(1)
 18 | 
 19 | def l2f(fun, params):
 20 |     in_or = False
 21 |     p = []
 22 |     for param in params:
 23 |         if param in ['i', 'I']:
 24 |             p.append('<fuzzint>')
 25 |         if param in ['l', 'L', 'n', 'd']:
 26 |             p.append('<fuzznumber>')
 27 |         elif param in ['z', 'Z']:
 28 |             p.append('<fuzzref>')
 29 |         elif param in ['s', 'v', 'S']:
 30 |             p.append('<fuzzstring>')
 31 |         elif param in ['|']:
 32 |             in_or = True
 33 |             continue
 34 |         elif param in ['p', 'P']:
 35 |             p.append('<fuzzpath>')
 36 |         elif param in ['!', '/']:
 37 |             continue
 38 |         elif param in ['a', 'A', 'h', 'H']:
 39 |             p.append('<fuzzarray>')
 40 |         elif param in ['b']:
 41 |             p.append('<fuzzbool>')
 42 |         elif param in ['C']:
 43 |             p.append('<fuzzclass>')
 44 |         elif param in ['f']:
 45 |             p.append('<fuzzfunction>')
 46 |         elif param in ['o', 'O']:
 47 |             p.append('<fuzzobject>')
 48 |         elif param in ['r']:
 49 |             p.append('<fuzzresource>')
 50 |         if in_or is True:
 51 |             if in_func:
 52 |                 print("<functioncall> = %s(%s)" % (func, ', '.join(p)))
 53 |             elif in_meth:
 54 |                 print("<methodcall> = <obj_%s>->%s(%s)" % (obj, meth, ', '.join(p)))
 55 |     if in_or is False:
 56 |         if in_func:
 57 |             print("<functioncall> = %s(%s)" % (func, ', '.join(p)))
 58 |         elif in_meth:
 59 |             print("<methodcall> = <obj_%s>->%s(%s)" % (obj, meth, ', '.join(p)))
 60 | 
 61 | for fname in glob.glob(sys.argv[1] + '*/*/*.c'):
 62 |     with open(fname) as f:
 63 |         in_params = False
 64 |         in_or = False
 65 |         params = []
 66 | 
 67 |         for line in f.readlines():
 68 |             if in_func is False and in_meth is False:
 69 |                 func = fun.search(line)
 70 |                 if func:
 71 |                     in_func = True
 72 |                     func = func.group(1)
 73 |                     continue
 74 |                 r = met.search(line)
 75 |                 if r:
 76 |                     in_meth = True
 77 |                     obj = r.group(1)
 78 |                     objs.add(obj)
 79 |                     meth = r.group(2)
 80 |                 continue
 81 | 
 82 |             if 'ZEND_PARSE_PARAMETERS_NONE' in line:
 83 |                 print("<functioncall> = %s()" % (func if func else meth))
 84 |             elif 'ZEND_PARSE_PARAMETERS_END' in line:
 85 |                 if in_func:
 86 |                     print("<functioncall> = %s(%s)" % (func, ', '.join(params)))
 87 |                     params = []
 88 |                     in_params = False
 89 |                     in_or = False
 90 |                 elif in_meth:
 91 |                     print("<methodcall> = <obj_%s>->%s(%s)" % (obj, meth, ', '.join(params)))
 92 |                     params = []
 93 |                     in_params = False
 94 |                     in_or = False
 95 |                 continue
 96 |             elif 'ZEND_PARSE_PARAMETERS_START' in line:
 97 |                 in_params = True
 98 |                 params = []
 99 |                 continue
100 | 
101 |             if in_or is True:
102 |                 if in_func:
103 |                     print("<functioncall> = %s(%s)" % (func, ', '.join(params)))
104 |                 elif in_meth:
105 |                     print("<methodcall> = <obj_%s>->%s(%s)" % (obj, meth, ', '.join(params)))
106 | 
107 |             if in_params is True:
108 |                 if 'Z_PARAM_OPTIONAL' in line:
109 |                     in_or = True
110 |                 elif 'Z_PARAM_OBJECT_OF_CLASS' in line:
111 |                     params.append('<fuzzobject>')
112 |                 elif 'Z_PARAM_STR_OR_OBJ' in line:
113 |                     params.append('<fuzzstring|obj>')
114 |                 elif 'Z_PARAM_STR_OR_ARRAY' in line:
115 |                     params.append('<fuzzstring|array>')
116 |                 elif 'Z_PARAM_STR_OR_LONG' in line:
117 |                     params.append('<fuzzstring|number>')
118 |                 elif 'Z_PARAM_OPTIONAL' in line:
119 |                     in_or = True
120 |                     continue
121 |                 elif 'Z_PARAM_LONG' in line or 'Z_PARAM_LONG_OR_NULL' in line:
122 |                     params.append("<fuzznumber>")
123 |                 elif 'Z_PARAM_ARRAY_OR_OBJECT' in line:
124 |                     params.append("<fuzzarray|object>")
125 |                 elif 'Z_PARAM_ARRAY' in line:
126 |                     params.append("<fuzzarray>")
127 |                 elif 'Z_PARAM_OBJ' in line:
128 |                     params.append("<fuzzobject>")
129 |                 elif 'Z_PARAM_ZVAL' in line:
130 |                     params.append('<fuzzmixed>')
131 |                 elif 'Z_PARAM_BOOL' in line:
132 |                     params.append('<fuzzbool>')
133 |                 elif 'Z_PARAM_CLASS' in line:
134 |                     params.append('<fuzzclass>')
135 |                 elif 'Z_PARAM_CLASS_OR_OBJ' in line:
136 |                     params.append('<fuzzclass|obj>')
137 |                 elif 'Z_PARAM_RESOURCE' in line:
138 |                     params.append('<fuzzresource>')
139 |                 elif 'Z_PARAM_PATH' in line:
140 |                     params.append('<fuzzpath>')
141 |                 elif 'Z_PARAM_NUMBER' in line:
142 |                     params.append('<fuzznumber>')
143 |                 elif 'Z_PARAM_FUNC' in line:
144 |                     params.append('<fuzzfunction>')
145 |                 elif 'Z_PARAM_DOUBLE' in line:
146 |                     params.append('<fuzznumber>')
147 |                 elif 'Z_PARAM_PATH' in line:
148 |                     params.append('<fuzzstring>')
149 |                 elif 'Z_PARAM_VARIADIC' in line:
150 |                     params.append('<fuzzvariadic>')
151 |                 elif 'Z_PARAM_STR' in line:
152 |                     params.append('<fuzzstring>')
153 |                 elif '_OR_' in line:
154 |                     params.append('<fuzzmixed>')
155 |                 else:
156 |                     print('err:' + line)
157 | 
158 | 
159 |             p = ftype.search(line)
160 |             if p:
161 |                 l2f(func, p.group(1))
162 |                 in_func = False
163 |                 in_meth = False
164 |                 in_params = False
165 |                 in_or = False
166 |             elif line.startswith('}') or "/* }}} */" in line:
167 |                 in_func = False
168 |                 in_meth = False
169 |                 in_params = False
170 |                 in_or = False
171 | 
172 | print("\n")
173 | for obj in objs:
174 |     print('<obj_%s> = $vars["%s"]' % (obj, obj))
175 | 
176 | 


--------------------------------------------------------------------------------
/src/script/pattern_builder.py:
--------------------------------------------------------------------------------
  1 | import random
  2 | 
  3 | from src.js_api.js_api_type import JsApiType
  4 | from src.script.web_instruction import WebInstruction
  5 | from src.script.statement import *
  6 | from src.web_api.web_object import WebObject
  7 | from src.web_api.web_api_type import WebApiType
  8 | 
  9 | 
 10 | class PatternBuilder:
 11 |     def __init__(self, script_builder):
 12 |         self.script_builder = script_builder
 13 | 
 14 |     def generate_create_iframe(self):
 15 |         i = self.script_builder.get_new_variable_name()
 16 |         de = self.script_builder.get_new_variable_name()
 17 |         
 18 |         inst = self.script_builder.generate_web_instruction("document", ["'iframe'"], i, "Document", WebApiType.call_method, "createElement")
 19 |         self.script_builder.add_instruction(inst)
 20 | 
 21 |         inst = self.script_builder.generate_web_instruction("document", [], de, "Document", WebApiType.read_property, "documentElement")
 22 |         self.script_builder.add_instruction(inst)
 23 | 
 24 |         inst = self.script_builder.generate_web_instruction(de, [i], None, "Element", WebApiType.call_method, "appendChild")
 25 |         self.script_builder.add_instruction(inst)
 26 | 
 27 |         cd = self.script_builder.get_new_variable_name()
 28 |         inst = self.script_builder.generate_web_instruction(i, [], cd, "HTMLIFrameElement", WebApiType.read_property, "contentDocument")
 29 |         self.script_builder.add_instruction(inst)
 30 | 
 31 |         inst = self.script_builder.generate_web_instruction(cd, [], None, "Document", WebApiType.call_method, "open")
 32 |         self.script_builder.add_instruction(inst)
 33 | 
 34 |         cw = self.script_builder.get_new_variable_name()
 35 |         inst = self.script_builder.generate_web_instruction(i, [], cw, "HTMLIFrameElement", WebApiType.read_property, "contentWindow")
 36 |         self.script_builder.add_instruction(inst)
 37 | 
 38 |     def generate_create_iframe_src(self, ret=False):
 39 |         insts = []
 40 | 
 41 |         i = self.script_builder.get_new_variable_name()
 42 |         de = self.script_builder.get_new_variable_name()
 43 | 
 44 |         inst = self.script_builder.generate_web_instruction("document", ["'iframe'"], i, "Document", WebApiType.call_method, "createElement")
 45 |         if not ret:
 46 |             self.script_builder.add_instruction(inst)
 47 |         else:
 48 |             insts.append(inst)
 49 | 
 50 |         inst = self.script_builder.generate_web_instruction("document", [], de, "Document", WebApiType.read_property, "documentElement")
 51 |         if not ret:
 52 |             self.script_builder.add_instruction(inst)
 53 |         else:
 54 |             insts.append(inst)
 55 | 
 56 |         inst = self.script_builder.generate_web_instruction(de, [i], None, "Element", WebApiType.call_method, "appendChild")
 57 |         if not ret:
 58 |             self.script_builder.add_instruction(inst)
 59 |         else:
 60 |             insts.append(inst)
 61 | 
 62 |         src = self.script_builder.get_random_url()
 63 |         inst = self.script_builder.generate_web_instruction(i, [], f"'{src}'", "HTMLIFrameElement", WebApiType.write_property, "src")
 64 |         if not ret:
 65 |             self.script_builder.add_instruction(inst)
 66 |         else:
 67 |             insts.append(inst)
 68 | 
 69 |         if ret:
 70 |             return insts
 71 | 
 72 |     def generate_set_iframe_src(self, ret=False):
 73 |         insts = []
 74 |         try:
 75 |             i = random.choice(self.script_builder.context["HTMLIFrameElement"])
 76 |         except:
 77 |             return insts
 78 |         
 79 |         src = self.script_builder.get_random_url()
 80 |         inst = self.script_builder.generate_web_instruction(i, [], f"'{src}'", "HTMLIFrameElement", WebApiType.write_property, "src")
 81 |         if not ret:
 82 |             self.script_builder.add_instruction(inst)
 83 |         else:
 84 |             insts.append(inst)
 85 | 
 86 |         if ret:
 87 |             return insts
 88 | 
 89 |     def generate_create_form_action(self, i):
 90 |         i_onload = self.script_builder.get_new_function_name()
 91 |         i_onload_inst = []
 92 | 
 93 |         d = self.script_builder.get_new_variable_name()
 94 |         inst = self.script_builder.generate_web_instruction(i, [], d, "HTMLIFrameElement", WebApiType.read_property, "contentDocument")
 95 |         self.script_builder.add_instruction(inst)
 96 | 
 97 |         inst = self.script_builder.generate_web_instruction(d, [], None, "Document", WebApiType.call_method, "open")
 98 |         self.script_builder.add_instruction(inst)
 99 | 
100 |         inst = self.script_builder.generate_web_instruction(i, [], i_onload, "HTMLIFrameElement", WebApiType.write_property, "onload")
101 |         self.script_builder.add_instruction(inst)
102 | 
103 |         x = self.script_builder.get_new_variable_name()
104 |         inst = self.script_builder.generate_web_instruction(d, ["'form'"], x, "Document", WebApiType.call_method, "createElement")
105 |         i_onload_inst.append(inst)
106 | 
107 |         action = self.script_builder.get_javascript_console_log()
108 |         inst = self.script_builder.generate_web_instruction(x, [], f"'{action}'", "HTMLFormElement", WebApiType.write_property, "action")
109 |         i_onload_inst.append(inst)
110 | 
111 |         inst = self.script_builder.generate_web_instruction(x, [], None, "HTMLFormElement", WebApiType.call_method, "submit")
112 |         i_onload_inst.append(inst)
113 | 
114 |         inst = self.script_builder.generate_function(i_onload, [], None, i_onload_inst)
115 |         self.script_builder.add_instruction(inst)
116 | 
117 |         src = self.script_builder.get_random_url()
118 |         inst = self.script_builder.generate_web_instruction(i, [], f"'{src}'", "HTMLIFrameElement", WebApiType.write_property, "src")
119 |         self.script_builder.add_instruction(inst)
120 | 
121 |     def generate_location_replace(self, ret=False):
122 |         insts = []
123 |         src = self.script_builder.get_random_url()
124 |         inst = self.script_builder.generate_web_instruction("location", [f"'{src}'"], None, "Location", WebApiType.call_method, "replace")
125 |         if not ret:
126 |             self.script_builder.add_instruction(inst)
127 |         else:
128 |             insts.append(inst)
129 |             return insts
130 | 
131 |     def generate_history_replace(self, ret=False):
132 |         insts = []
133 |         src = self.script_builder.get_random_url()
134 |         inst = self.script_builder.generate_web_instruction("history", ["''", "''", f"'{src}'"], None, "History", WebApiType.call_method, "replaceState")
135 |         if not ret:
136 |             self.script_builder.add_instruction(inst)
137 |         else:
138 |             insts.append(inst)
139 |             return insts
140 |     
141 |     def generate_create_a_click(self, ret=False):
142 |         insts = []
143 |         a = self.script_builder.get_new_variable_name()
144 |         de = self.script_builder.get_new_variable_name()
145 |         
146 |         inst = self.script_builder.generate_web_instruction("document", ["'a'"], a, "Document", WebApiType.call_method, "createElement")
147 |         if not ret:
148 |             self.script_builder.add_instruction(inst)
149 |         else:
150 |             insts.append(inst)
151 | 
152 |         inst = self.script_builder.generate_web_instruction("document", [], de, "Document", WebApiType.read_property, "documentElement")
153 |         if not ret:
154 |             self.script_builder.add_instruction(inst)
155 |         else:
156 |             insts.append(inst)
157 | 
158 |         inst = self.script_builder.generate_web_instruction(de, [a], None, "Element", WebApiType.call_method, "appendChild")
159 |         if not ret:
160 |             self.script_builder.add_instruction(inst)
161 |         else:
162 |             insts.append(inst)
163 | 
164 |         src = self.script_builder.get_random_url()
165 |         inst = self.script_builder.generate_web_instruction(a, [], f"'{src}'", "HTMLAnchorElement", WebApiType.write_property, "href")
166 |         if not ret:
167 |             self.script_builder.add_instruction(inst)
168 |         else:
169 |             insts.append(inst)
170 | 
171 |         target = random.choice(['_blank', '_self', '_parent', '_top'])
172 |         inst = self.script_builder.generate_web_instruction(a, [], f"'{target}'", "HTMLAnchorElement", WebApiType.write_property, "target")
173 |         if not ret:
174 |             self.script_builder.add_instruction(inst)
175 |         else:
176 |             insts.append(inst)
177 | 
178 |         inst = self.script_builder.generate_web_instruction(a, [], None, "HTMLAnchorElement", WebApiType.call_method, "click")
179 |         if not ret:
180 |             self.script_builder.add_instruction(inst)
181 |         else:
182 |             insts.append(inst)
183 | 
184 |         if ret:
185 |             return insts
186 | 
187 | 
188 | def main():
189 |     from src.script.script_builder import ScriptBuilder
190 |     sb = ScriptBuilder(1, 1)
191 |     pb = PatternBuilder(sb)
192 | 
193 |     pb.generate_create_iframe_src()
194 |     pb.generate_set_iframe_src()
195 | 
196 |     print(sb.script.lift())
197 | 
198 | 
199 | if __name__ == "__main__":
200 |     main()
201 | 


--------------------------------------------------------------------------------
/tools/domato/webgl/template.html:
--------------------------------------------------------------------------------
 1 | <!-- saved from url=(0014)about:internet -->
 2 | <html>
 3 | <head>
 4 | <script id='2d-vertex-shader' type='x-shader/x-vertex'>
 5 | void main() {}
 6 | </script>
 7 | 
 8 | <script id='2d-fragment-shader' type='x-shader/x-fragment'>
 9 | void main() {}
10 | </script>
11 | <script type="text/javascript">
12 | function trigger(img) {
13 | 
14 |   var canvas = document.getElementById('canvas');
15 |   var gl = canvas.getContext('experimental-webgl');
16 |   var gl1 = canvas.getContext('experimental-webgl');
17 |   var gl2 = canvas.getContext('experimental-webgl');
18 | 
19 | 
20 |  var vShader3 = gl1.createShader(gl1.VERTEX_SHADER);
21 |  var vShaderScript3 = document.getElementById('2d-vertex-shader');
22 |  var vShaderSource3 = vShaderScript3.text;
23 |  gl1.shaderSource(vShader3, vShaderSource3);
24 |  gl1.compileShader(vShader3);
25 |  var vShader4 = gl2.createShader(gl2.VERTEX_SHADER);
26 |  var vShaderScript4 = document.getElementById('2d-vertex-shader');
27 |  var vShaderSource4 = vShaderScript4.text;
28 |  gl2.shaderSource(vShader4, vShaderSource4);
29 |  gl2.compileShader(vShader4);
30 | 
31 |  var fShader3 = gl1.createShader(gl1.FRAGMENT_SHADER);
32 |  var fShaderScript3 = document.getElementById('2d-fragment-shader');
33 |  var fShaderSource3 = fShaderScript3.text;
34 |  gl1.shaderSource(fShader3, fShaderSource3);
35 |  gl1.compileShader(fShader3);
36 |  program1 = gl1.createProgram();
37 |  gl1.attachShader(program1,vShader3);
38 |  gl1.attachShader(program1,fShader3);
39 |  gl1.linkProgram(program1);
40 |  gl1.useProgram(program1);
41 |  var fShader4 = gl2.createShader(gl2.FRAGMENT_SHADER);
42 |  var fShaderScript4 = document.getElementById('2d-fragment-shader');
43 |  var fShaderSource4 = fShaderScript4.text;
44 |  gl2.shaderSource(fShader4, fShaderSource4);
45 |  gl2.compileShader(fShader4);
46 |  program2 = gl2.createProgram();
47 |  gl2.attachShader(program2,vShader4);
48 |  gl2.attachShader(program2,fShader4);
49 |  gl2.linkProgram(program2);
50 |  gl2.useProgram(program2);
51 |   
52 |  var tex1 = gl1.createTexture();
53 |  var tex2 = gl2.createTexture();
54 |   
55 |   
56 |   <glfuzz>
57 | 
58 | }
59 | 
60 | function start() {
61 |   var ImageData = "data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAUDBAgIBggICAgICAgGBwgIBwcHBwcICAkICAgIBwgGBgYHChANCAgOCQgGDRYNDxERExUTCAsWGBYSGBASExIBBQUFBwYHBQgIBRIIBQgSEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEv/AABEIAWgB4AMBIgACEQEDEQH/xAAcAAEBAQEBAQEBAQAAAAAAAAAACAcGBQEEAwL/xABSEAEAAgIBAgMDBwUICxEBAAAAAgMBBAUGERITIQcIMQkUIjJBQlFSYXF1tBUjNDZidIGyJjU3OFNygoOTtcEYJCUnM0NUVZGUoqSxs8PR0hb/xAAUAQEAAAAAAAAAAAAAAAAAAAAA/8QAFBEBAAAAAAAAAAAAAAAAAAAAAP/aAAwDAQACEQMRAD8AjPL4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANr1/YT4/Zt//Y/up2+hZLHF/Mf8Hvz4/wDh/wA4+3weP/k/t7fnYrlafG/3tn+Z2f8AX1yLZA/y+9n3GO/9Pwx+LdfZ97s3Mchx0OT5Lb0eA4+2OJV3cpPw2yhL6WJxo9MQjmPrjxSjnP4AwgUZzHup789Kza4LmuK6gxRjOZUadka7pdsfCr98nXKX5szx3+xPm9qWUXTpurnVbTOVdtVkcwnCcM+GULIS9cSxn7AfmfezXq/d656ziuC39fOnsx6qtqr0dai6/wCcV+ZTZs+bu+dRGuqqNdVmZZxKXb0+L0vbb7vOx0vwdXJX8tp7k57dWrdqatdneqyyuyzxYulL6UceXnHrGPxwDDhqnsZ9hvMdTws2dfNGlxuvnOLuU35yr18Zj9eFOI472yx9vwxj7c4d5yPup7V2pdbwfP8AEc7bqxzm3U1bMV2enxhCUbLI+L44x4sx7gm8fr5LQt1tizXvrnVfROVdtVkfDOE458OYSj+U2ba92PqOGeMxCXH3Q5rWltYurvujTpa0Kq7s7HKX30RxTHtZXj6OZd898Y7gw4UvD3Tdna0bbOJ6j4XltvWj3t09Wz08WP8Amo7cZy7S+zHjjHH6HD+zX2Bcvy3zq7bs1+D0ONvnrbXIcvPyq47FefDZr0Q9PNnHPfvnviP5wZAKD6+913kdLhreW4rlNDn9TVhKzY+Yd8WxrhHxWW0xjOcbcRj65xiXi7fZlPgCmfZf7snGdQcbHa0+sNaVterRfyGpTxWL56U768z8i+UeQx9LHgtx37Y7+DPomfCwPk5/4L1b/N+O/qcmCc/a50jocNycNTj+Z1+colRGyW7q0xqhGzM5xlryrjdZ9LHhx9v2/BxT0oactjkcURziMtnb8qGZd/DiVlvgjmXbGc+H1x9jYuT91/qSnnK+L8WhbnOpHb2eQr2LsaOrR481+Lbv2KIZjP6Eu0cRznOP6QYWKYp906zaptxxXVPCcnu0RzmenRP074+MPPrsnmPr6d8xxj8eyfuquA2+L39jQ3qJ6+1p2Zruqnj1xnH3oy+9HOO2cZx6ZxkHkDYvZL7v/L8/o55Kd2pxPFYzntyXJ2ZrjZjHpmWvV9+Hf72cxx+fL2+t/dyjpcLucpodTcNy1XF0Sv2adWfa3wQ+PleVZZiUv09gYENE9insm5Dq3b2tbjr9KmzQ1o7Fmd+y+uEoZs8vw1yopnnxd8/bjH6XDcnpy19m7XnnGZ611lM/DnvHxVyzDOYy/DvjIPyDRfZX7I+R6j47lt7Su06qenqMX7Udu2+Fk4eVsX+HWjVTLEpeHXs+tmOO+cerluienLuX5XT43WlXG/ktiGvTK7Mo14nP4ZtlHGc4j+jGQeGN3q92Hm6+T2tbf3eL0NLjcVfOea2NmyGh47oeZijWlfXXK63EfjjtjGPxfo9ovuw8jx3DT5fjOS0ee0devNuxLQxnFka4/XtphGc43RjjPfPaXfGPXsDAH3s3foX3bt3b0Nfd5fluN6dq5CMZaVXJWY+dXQl9WfzaU4eCOceuO8u/5sPG9t/sE5XpfXq3bLtfkeM2JYhDkNLM/BCefqQvrl9TxevbOMyxntn1BkAAAAAAAAAAAAAAAAAAAAAAAAAAAALV4r+9t/zG3/r65FmfitXha8y927tGMpZzRt9sRxmWc/8AD132RRr+52z/ANHv/wBDZ/8AQNS90PpSnmOu+O19mGLKNXzd26ueO8Z/NYeOuEo/k+Z5b0ffG682eW6y3tXNk8aPCXZ0tTWxLtXjNX0bb/B8PMlPxev4Rjh/L3Nuoa+J6/4+W13qr367tHxWfQxGWzD96zLxY+rm2NeP6X8Pe86L2eJ625Ky2uWNbl9me9pX+HPgnC7PjsrjZ9s4TlLGcfo/EHMewvrbZ4Hqbj93WnKMfndNW3ViWcQv1rJ4rtqtj976Ms5x+GWrfKBdMUafVuvvURxDHOaOLrsRx4cZ2KZ+VO388pQ8nv8AnY97HOktnm+peP4/WrlOVu1VO6UcZzGvXrnGdt0/yYYhjPr+hsHygXUtG51br6NE8Txwejii7Mc4ziN90/NnTn+VGGKu/wDjA1TrzrG3hfYdwFurLy9ve0NHR1tiPpOnz9ezz7apfdnnXhfHv9njRZx0LdvcqozbZKW9s1V5zOeZeKdlmIYnPxZ+lLvLv6qj94b+4h0X+e7j/wDV+6lngNz5tvauz2741dmi/MfhnPlWws8P/hBcfvN+zrqS7g+H6b6W46c+I0dbHz2VW1pa/mWwxiFdVsb7o5njP77ZL0zjOZsj9insW694Hqbj+RhxFtNVG1XjbzHkOMzGepOWI3wsrr2u84+DxZ7ds+sYu/8Afa5LmY6fDdQ8HyXI08Zu6eIbE+N3tqmmMrPBfr3Wx154x9KM5475+2PZLdftL6mlnEcc/wA5KWc4xiOOW5CWc5/DEfN9Qar7/XA06fXXnUwxD91eO19y3EcdsZu8y7WnP/Gz5Ec5/O0/30eqNnU6D6Z4+icq6+X1Nf534M5jmdWtqa8sUS8Pxhmdkc5x/IwkjrTd5W3d8HMX7t25rRjXLHI3327FcM/TjTL5xnOYR+n38P8ALUv79mf7G+iv1fLP/lNEGSe6Rzexp9fcNiiycI7u1jW2IRz2jbTbCUZVzj978cfnxh33ygXVezf1XDiMSzDS4rVptxTHPaM9nbj59mzZH70vBOuOO/w7Z/Fl3uxZ/s/6f/WdX/pJ13v2/wB0ff8A5px37JUDuvk5eVtzzPMcbLOZauzxkdmdWc94eZXdCjxeD88L5Yz+hNHW2lDW5nkdeGMYhrcht1V4x8MQrvnCOP8AsjhRHycX8buS/Udn7ZqJ/wDaZ/GPl/1tv/tVoOfwsD5Of+CdW/zfjv6nKI/wsD5Of+CdW/zfjv6nKAl3p7+MOr+taP2qCtPlD+t9rX/c/hNaeaat6mW3v5rz4ZXRhZ5Wvr2Sx9avHazPb8eyS+nM9+oNT9a6/b/vUFRfKN9LbWdziuYhVOepHWnpX2xxLMar8Wytrxb+RGcZy7Zz8cwyCWejOoNniuU1d/TtnTsad8LIThLw5zjEsd6pdvrQlHxYzj7cZUx8oJxtNsenOcjDEL+U0ZV34xj62IQp2K/FL7e3n2Y/QmjojpzZ5bltTjtSudt+7fXVCMY984xKWPHbL8mEY+LOc/hhSfygPL013dP8FXONlnDaPmbHbPrHNsKqKoTj+MoUSl+jOPxB2vtA6Wv609l3AQ6atpslxNOvjb4zzoVZnZTrQosol4s9oWwniUsYlnGM4n6Z+CN+qOneS4jZnrchqbWjdnGcSq2Kp1ZlD+T9k4foznD9XS/VHMcDt+bobe3x2xHw5lGuc6/FiWPFjzqJelsc4zjOPFjOOywPZp1Xn2h9B89T1DqUefwdEs08pCrEI5t+b3X131/4K2Gao+LEc9s4nj4dwcN8nD/b/mfw/cqnv/p4pt68/t5yf6y3f2mxRPydW7XDqfk9eUsYnt8V+94+GZeTdDxeH/Jl3YJ7V+Ju0upeW1tiGYW1cltZlGWO30Z3TnCf9MZRBR3uQ/xP66/Vkf2LlWH+7P8Ax96e/WtH+1RPuc9NbWr7Peq9++Eq6eX0NmOpmUZRzZDV0tyM9iHi+tXmV/bGe33Mp292f+PvT361o/2g0/5QDqrZ2OrY8X5ksafF6lM404znEJX348dl844+M/D4I9/wi975Obl788ty3HZnKWpdow2M0Sz3hi2FvleOMfu94T7Z/Hs4L36Mf8Ym/wDzTS/9mLrPk5f41cl+qv8A54Axv2+dW7XMdV8ns7M5ZxVuX62tVmXeFOvr2Sqrpqx8Ix8MO/p9ucqH9kW1LkfYL1Dr7PeyHF43vm2ZZ8WY4phTvUxj4vqxjb8Eqdd/285P9Zbv7TYqb3ef7iHV/wCeHKfsNQI+AAAAAAAAAAAAAAAAAAAAAAAAAAABQfsk96Lkunen9ThqOL0NinQ8/wAu66exGyXn7N21PzIwl2+tdLHp9mHVf7trmP8AqXjP9Lt//tKQDv8A22e03Z6p5qHKbGvRp3V61WviGrKzMe1M5zhZ4rM5z4vp/Z+DSelPeg28cXXxvUPEaHUevrxxGqe7iMb/AAxx4cebOUJxsl2x28Xhxn8c5TuAo7kvef8AmmlbrdMdO8X09nYxnFm1rwrsvx3+Oa/BTDHi/DMsZ7fgnnd2rL7p3XTlbbdOU7bbJZlOc55zKc7Jy9ZSznPxy/OA0/rn2xbfLdIcT03bp61evwMqJU7Ncrs32Zoou18eZiWfDjvG6WfTH2Mxzl8Abb7GPeI5Pp/Q/cvY1tfl+Jz3xHR3vjVHP0pV0W5xnHlZl6+CWM4/Ds6iPvKcRp2Z2OI6H4bR3fXw7c/JslGX5cfK14Z7/wCUmvu+A9vrPqXa5fldrk9zMJbXIXZuvzXDEIZn6Y+jXH6uPSLtPbH7YdvqbQ4nT2dTW1ocDRmmmdErZStx5VNXit8zPbHpVH4fizAB0Ps86ns4XmtHlKa4W28ZsRvrqt74hKUe/aNmY+vb1+x6ftl6/v6m567l9mirWt2KqK800ZnKvGKKo1YlGVme/r27uLAaN7BvattdI8nsb2rq6+1Zt6edSVezKyMMQzbVf44+VnGe/euLieoORlub21tzjGEt3Zu2Jwh38MZXWStlGHf7uMy7PPAFG9B+9Zu8Pxuvpa3A8R219anXnsYxdXbsYph4MW7Uq848cs/Sz6/lZ/FOQDTesPaBLqPqvjN6Whp8dKGxpU+Rx8Mwqz4drE/NljP38+PPfKnvez9re90z1VqVRo1+Q4zkeI/39xO/Hx610sbFuMWx8WM+CzH0fXtnv9uMom6a2IU8jqXWZ8NdG3r2WS7Zz2hC2Epy8MfWXaOPhhtfvqe0HiOoue0Nrh9v53Rr8f5Ns/m+zR4bfPnPw+HZrjmX0cx9cYB7dPvQafHVW56e6Q4niNu+GYz24eXPOM57d5RhTRDxR/NnPb4fFPnU3O7XJ71+9vXT2NrcszZddZnvKUs/1Y4x6Yxj0x2eXl8BSHHe8nx93HamrzfR/FcrPj9WjWq2LMwxOUKKoUwlPz6LM9+0I+mM9vX7Hg+0X3iNzf4efDcRxmj0/wAVfjMdjX46MfMthL412WxhHEI5+3tHGc/Dv2Ya+9we50R1Ru8NymtyXH25p2tKfjrn27xzjt4Z1W1/frlHMsZxn44yoDmPef43ksQu5fovieQ5CrGMR27ZwzDvj4ZxG6iU/D6R9PEmJ97goCPvSc1mPL1z1NOWvzGnHS19SvFlWvx+tCq+rytGqGe3ri/Oc5z8fDj4enbHegOpLOH5rR5OmuFtnGbNexXVb3xCcofcszH18Lwe74DtPbF1/f1Lzt3LbNFWvbsV1V5pozOVeMUw8EfD5nq9T2D+1ja6R5HY3dXU19ue3r415Q2ZWxjGPjxZ4o+VnHr9Fm4D9vM72dnb2NmUcRltbFt8ox+riV1krMxj/Jx3aR0N7Z9viukOT6bq0ta3X5uOzi7asndi6v5zTGjPlxjnw+mId8d8MqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAf/Z";
62 | 
63 |   var img = document.createElement('img');
64 |   img.src = ImageData;
65 |   img.onload = function() { 
66 |                  document.body.appendChild(img);
67 |                  trigger(img); 
68 |                };
69 | }
70 | </script>
71 | </head>
72 | <body onload="start();">
73 | <canvas id="canvas" width="100" height="100"></canvas>
74 | </body>
75 | </html>
76 | 


--------------------------------------------------------------------------------
/tools/domato/php/template.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | function templateFunction($templateParameter) {
  4 | 	return 0;
  5 | }
  6 | 
  7 | function templateGenerator() {
  8 | 	yield 0;
  9 | }
 10 | 
 11 | class TemplateClass {
 12 | 	var $templateProperty;
 13 | 	const TEMPLATE_CONSTANT = 0;
 14 | 	function templateMethod() {
 15 | 		return 0;
 16 | 	}
 17 | }
 18 | 
 19 | $vars = array(
 20 | 	"stdClass"                       => new stdClass(),
 21 | 	"Exception"                      => new Exception(),
 22 | 	"ErrorException"                 => new ErrorException(),
 23 | 	"Error"                          => new Error(),
 24 | 	"CompileError"                   => new CompileError(),
 25 | 	"ParseError"                     => new ParseError(),
 26 | 	"TypeError"                      => new TypeError(),
 27 | 	"ArgumentCountError"             => new ArgumentCountError(),
 28 | 	"ArithmeticError"                => new ArithmeticError(),
 29 | 	"DivisionByZeroError"            => new DivisionByZeroError(),
 30 | 	"ClosedGeneratorException"       => new ClosedGeneratorException(),
 31 | 	"DateTime"                       => new DateTime(),
 32 | 	"DateTimeImmutable"              => new DateTimeImmutable(),
 33 | 	"DateTimeZone"                   => new DateTimeZone("America/Chicago"),
 34 | 	"DateInterval"                   => new DateInterval("P2Y4DT6H8M"),
 35 | 	"DatePeriod"                     => new DatePeriod("R4/2012-07-01T00:00:00Z/P7D"),
 36 | 	"LibXMLError"                    => new LibXMLError(),
 37 | 	"DOMException"                   => new DOMException(),
 38 | 	"DOMStringList"                  => new DOMStringList(),
 39 | 	"DOMNameList"                    => new DOMNameList(),
 40 | 	"DOMImplementationList"          => new DOMImplementationList(),
 41 | 	"DOMImplementationSource"        => new DOMImplementationSource(),
 42 | 	"DOMImplementation"              => new DOMImplementation(),
 43 | 	"DOMNode"                        => new DOMNode(),
 44 | 	"DOMNameSpaceNode"               => new DOMNameSpaceNode(),
 45 | 	"DOMDocumentFragment"            => new DOMDocumentFragment(),
 46 | 	"DOMDocument"                    => new DOMDocument(),
 47 | 	"DOMNodeList"                    => new DOMNodeList(),
 48 | 	"DOMNamedNodeMap"                => new DOMNamedNodeMap(),
 49 | 	"DOMCharacterData"               => new DOMCharacterData(),
 50 | 	"DOMAttr"                        => new DOMAttr("artr"),
 51 | 	"DOMElement"                     => new DOMElement("root"),
 52 | 	"DOMText"                        => new DOMText(),
 53 | 	"DOMComment"                     => new DOMComment(),
 54 | 	"DOMTypeinfo"                    => new DOMTypeinfo(),
 55 | 	"DOMUserDataHandler"             => new DOMUserDataHandler(),
 56 | 	"DOMDomError"                    => new DOMDomError(),
 57 | 	"DOMErrorHandler"                => new DOMErrorHandler(),
 58 | 	"DOMLocator"                     => new DOMLocator(),
 59 | 	"DOMConfiguration"               => new DOMConfiguration(),
 60 | 	"DOMCdataSection"                => new DOMCdataSection("root value"),
 61 | 	"DOMDocumentType"                => new DOMDocumentType(),
 62 | 	"DOMNotation"                    => new DOMNotation(),
 63 | 	"DOMEntity"                      => new DOMEntity(),
 64 | 	"DOMEntityReference"             => new DOMEntityReference("nbsp"),
 65 | 	"DOMProcessingInstruction"       => new DOMProcessingInstruction("php"),
 66 | 	"DOMStringExtend"                => new DOMStringExtend(),
 67 | 	"DOMXPath"                       => new DOMXPath(new DOMDocument()),
 68 | 	"finfo"                          => new finfo(),
 69 | 	"JsonException"                  => new JsonException(),
 70 | 	"LogicException"                 => new LogicException(),
 71 | 	"BadFunctionCallException"       => new BadFunctionCallException(),
 72 | 	"BadMethodCallException"         => new BadMethodCallException(),
 73 | 	"DomainException"                => new DomainException(),
 74 | 	"InvalidArgumentException"       => new InvalidArgumentException(),
 75 | 	"LengthException"                => new LengthException(),
 76 | 	"OutOfRangeException"            => new OutOfRangeException(),
 77 | 	"RuntimeException"               => new RuntimeException(),
 78 | 	"OutOfBoundsException"           => new OutOfBoundsException(),
 79 | 	"OverflowException"              => new OverflowException(),
 80 | 	"RangeException"                 => new RangeException(),
 81 | 	"UnderflowException"             => new UnderflowException(),
 82 | 	"UnexpectedValueException"       => new UnexpectedValueException(),
 83 | 	"SplFileObject"                  => new SplFileObject(__FILE__),
 84 | 	"SplTempFileObject"              => new SplTempFileObject(),
 85 | 	"SplDoublyLinkedList"            => new SplDoublyLinkedList(),
 86 | 	"SplQueue"                       => new SplQueue(),
 87 | 	"SplStack"                       => new SplStack(),
 88 | 	"SplMinHeap"                     => new SplMinHeap(),
 89 | 	"SplMaxHeap"                     => new SplMaxHeap(),
 90 | 	"SplPriorityQueue"               => new SplPriorityQueue(),
 91 | 	"SplFixedArray"                  => new SplFixedArray(),
 92 | 	"SplObjectStorage"               => new SplObjectStorage(),
 93 | 	"MultipleIterator"               => new MultipleIterator(),
 94 | 	"SessionHandler"                 => new SessionHandler(),
 95 | 	"ReflectionException"            => new ReflectionException(),
 96 | 	"Reflection"                     => new Reflection(),
 97 | 	"ReflectionFunction"             => new ReflectionFunction("templateFunction"),
 98 | 	"ReflectionGenerator"            => new ReflectionGenerator(templateGenerator()),
 99 | 	"ReflectionParameter"            => new ReflectionParameter("templateFunction", "templateParameter"),
100 | 	"ReflectionType"                 => (new ReflectionClass("ZipArchive"))->getMethod("getCommentName")->getReturnType(),
101 | 	"ReflectionNamedType"            => new ReflectionNamedType(),
102 | 	"ReflectionMethod"               => new ReflectionMethod("TemplateClass", "templateMethod"),
103 | 	"ReflectionClass"                => new ReflectionClass("TemplateClass"),
104 | 	"ReflectionObject"               => new ReflectionObject(new TemplateClass()),
105 | 	"ReflectionProperty"             => new ReflectionProperty("TemplateClass", "templateProperty"),
106 | 	"ReflectionClassConstant"        => new ReflectionClassConstant("TemplateClass", "TEMPLATE_CONSTANT"),
107 | 	"ReflectionExtension"            => new ReflectionExtension("Reflection"),
108 | 	"__PHP_Incomplete_Class"         => new __PHP_Incomplete_Class(),
109 | 	"php_user_filter"                => new php_user_filter(),
110 | 	"Directory"                      => new Directory(),
111 | 	"AssertionError"                 => new AssertionError(),
112 | 	"SimpleXMLElement"               => new SimpleXMLElement("<a>a</a>"),
113 | 	"SimpleXMLIterator"              => new SimpleXMLIterator("<a>a</a>"),
114 | 	"PharException"                  => new PharException(),
115 | 	"Phar"                           => new Phar("/tmp/fuzz.phar"),
116 | 	"PharData"                       => new PharData("/tmp/fuzz.tar"),
117 | 	"PharFileInfo"                   => new PharFileInfo("phar:///tmp/fuzz.phar/fuzz.txt"),
118 | 	"XMLReader"                      => new XMLReader(),
119 | 	"XMLWriter"                      => new XMLWriter(),
120 | 	"CURLFile"                       => new CURLFile("/tmp/fuzz"),
121 | 	"ZipArchive"                     => new ZipArchive(),
122 | 	
123 | 	/* - Instantiation not allowed -
124 | 	"ReflectionZendExtension"        => new ReflectionZendExtension(),
125 | 	"ReflectionFunctionAbstract"     => new ReflectionFunctionAbstract(),
126 | 	"PDOException"                   => new PDOException(),
127 | 	"PDO"                            => new PDO(),
128 | 	"PDOStatement"                   => new PDOStatement(),
129 | 	"SplHeap"                        => new SplHeap(),
130 | 	"PDORow"                         => new PDORow(),
131 | 	"RecursiveIteratorIterator"      => new RecursiveIteratorIterator(),
132 | 	"IteratorIterator"               => new IteratorIterator(),
133 | 	"FilterIterator"                 => new FilterIterator(),
134 | 	"RecursiveFilterIterator"        => new RecursiveFilterIterator(),
135 | 	"CallbackFilterIterator"         => new CallbackFilterIterator(),
136 | 	"RecursiveCallbackFilterIterator" => new RecursiveCallbackFilterIterator(),
137 | 	"ParentIterator"                 => new ParentIterator(),
138 | 	"LimitIterator"                  => new LimitIterator(),
139 | 	"CachingIterator"                => new CachingIterator(),
140 | 	"RecursiveCachingIterator"       => new RecursiveCachingIterator(),
141 | 	"NoRewindIterator"               => new NoRewindIterator(),
142 | 	"AppendIterator"                 => new AppendIterator(),
143 | 	"InfiniteIterator"               => new InfiniteIterator(),
144 | 	"RegexIterator"                  => new RegexIterator(),
145 | 	"RecursiveRegexIterator"         => new RecursiveRegexIterator(),
146 | 	"EmptyIterator"                  => new EmptyIterator(),
147 | 	"RecursiveTreeIterator"          => new RecursiveTreeIterator(),
148 | 	"ArrayObject"                    => new ArrayObject(),
149 | 	"ArrayIterator"                  => new ArrayIterator(),
150 | 	"RecursiveArrayIterator"         => new RecursiveArrayIterator(),
151 | 	"SplFileInfo"                    => new SplFileInfo(),
152 | 	"DirectoryIterator"              => new DirectoryIterator(),
153 | 	"FilesystemIterator"             => new FilesystemIterator(),
154 | 	"RecursiveDirectoryIterator"     => new RecursiveDirectoryIterator(),
155 | 	"GlobIterator"                   => new GlobIterator(),
156 | 	"HashContext"                    => new HashContext(),
157 | 	"Closure"                        => new Closure(),
158 | 	"Generator"                      => new Generator(),
159 | 	 */
160 | );
161 | 
162 | // TODO randomize those as well
163 | $ref_bool = true;
164 | $ref_int = 1337;
165 | $ref_string= "bla";
166 | $ref_array = array(1.0, 2, -3e3);
167 | $ref_object = new StdClass();
168 | $ref_resource = fopen("/dev/null", "r");
169 | $ref_path = "/dev/null";
170 | 
171 | <phpfuzzer>
172 | 
173 | ?>
174 | 


--------------------------------------------------------------------------------
/tools/domato/mathml/mathattrvalues.txt:
--------------------------------------------------------------------------------
  1 | #   Copyright 2017 Google Inc. All Rights Reserved.
  2 | #   Licensed under the Apache License, Version 2.0 (the "License");
  3 | #   you may not use this file except in compliance with the License.
  4 | #   You may obtain a copy of the License at
  5 | #
  6 | #       http://www.apache.org/licenses/LICENSE-2.0
  7 | #
  8 | #   Unless required by applicable law or agreed to in writing, software
  9 | #   distributed under the License is distributed on an "AS IS" BASIS,
 10 | #   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 11 | #   See the License for the specific language governing permissions and
 12 | #   limitations under the License.
 13 | 
 14 | <mathattr_id_value> = <fuzzint>
 15 | <mathattr_class_value> = <class>
 16 | 
 17 | 
 18 | <mathattr_style_value> = <import from=cssgrammar symbol=declaration5>
 19 | <mathattr_href_value> = x
 20 | <mathattr_mathbackground_value> = <color>
 21 | <mathattr_mathcolor_value> = <color>
 22 | <mathattr_selection_value> = <fuzzint>
 23 | <mathattr_dir_value> = ltr
 24 | <mathattr_dir_value> = rtl
 25 | <mathattr_actiontype_value> = toggle
 26 | <mathattr_actiontype_value> = statusline
 27 | <mathattr_actiontype_value> = tooltip
 28 | <mathattr_actiontype_value> = input
 29 | <mathattr_display_value> = none
 30 | <mathattr_display_value> = block
 31 | <mathattr_display_value> = inline
 32 | <mathattr_display_value> = inherit
 33 | 
 34 | <mathattr_overflow_value> = linebreak
 35 | <mathattr_overflow_value> = scroll
 36 | <mathattr_overflow_value> = elide
 37 | <mathattr_overflow_value> = truncate
 38 | <mathattr_overflow_value> = scale
 39 | 
 40 | <mathattr_decimalpoint_value> = x
 41 | <mathattr_displaystyle_value> =  true
 42 | <mathattr_displaystyle_value> =  false
 43 | <mathattr_infixlinebreakstyle_value> = before
 44 | <mathattr_infixlinebreakstyle_value> = after
 45 | <mathattr_infixlinebreakstyle_value> = duplicate
 46 | <mathattr_scriptlevel_value> = <fuzzint>
 47 | <mathattr_scriptlevel_value> = <float>
 48 | <mathattr_scriptlevel_value> = 15
 49 | <mathattr_scriptlevel_value> = +15
 50 | <mathattr_scriptlevel_value> = -5
 51 | <mathattr_scriptlevel_value> = -1
 52 | <mathattr_scriptminsize_value> = <fuzzint>
 53 | <mathattr_scriptminsize_value> = <float>
 54 | <mathattr_scriptminsize_value> = <percentage>%
 55 | <mathattr_scriptsizemultiplier_value> = <fuzzint>
 56 | <mathattr_scriptsizemultiplier_value> = <float>
 57 | <mathattr_scriptsizemultiplier_value> = <percentage>%
 58 | <mathattr_notation_value> = longdiv
 59 | <mathattr_notation_value> = actuarial
 60 | <mathattr_notation_value> = radical
 61 | <mathattr_notation_value> = box
 62 | <mathattr_notation_value> = roundedbox
 63 | <mathattr_notation_value> = circle
 64 | <mathattr_notation_value> = left
 65 | <mathattr_notation_value> = right
 66 | <mathattr_notation_value> = top
 67 | <mathattr_notation_value> = bottom
 68 | <mathattr_notation_value> = updiagonalstrike
 69 | <mathattr_notation_value> = downdiagonalstrike
 70 | <mathattr_notation_value> = verticalstrike
 71 | <mathattr_notation_value> = horizontalstrike
 72 | <mathattr_notation_value> = madruwb
 73 | <mathattr_notation_value> = updiagonalnarrow
 74 | <mathattr_notation_value> = phasorangle
 75 | 
 76 | <mathattr_close_value> = >
 77 | <mathattr_close_value> = )
 78 | <mathattr_close_value> = ]
 79 | <mathattr_close_value> = }
 80 | <mathattr_open_value> = <
 81 | <mathattr_open_value> = (
 82 | <mathattr_open_value> = [
 83 | <mathattr_open_value> = {
 84 | <mathattr_separators_value> = ,
 85 | <mathattr_separators_value> = .
 86 | <mathattr_separators_value> = ;
 87 | <mathattr_separators_value> = ;;,
 88 | <mathattr_separators_value> = :
 89 | <mathattr_separators_value> = ||||,
 90 | 
 91 | 
 92 | <mathattr_bevelled_value> = true
 93 | <mathattr_bevelled_value> = false
 94 | 
 95 | <mathattr_denomalign_value> = left
 96 | <mathattr_denomalign_value> = right
 97 | <mathattr_denomalign_value> = center
 98 | 
 99 | 
100 | <mathattr_linethickness_value> = <fuzzint>
101 | <mathattr_linethickness_value> = <float>
102 | <mathattr_linethickness_value> = thin
103 | <mathattr_linethickness_value> = medium
104 | <mathattr_linethickness_value> = thick
105 | <mathattr_numalign_value> = left
106 | <mathattr_numalign_value> = right
107 | <mathattr_numalign_value> = center
108 | <mathattr_src_value> = http://localhost/image.png
109 | <mathattr_valign_value> = middle
110 | <mathattr_valign_value> = bottom
111 | <mathattr_valign_value> = baseline
112 | <mathattr_width_value> = <fuzzint>
113 | <mathattr_width_value> = <float>
114 | <mathattr_width_value> = <fuzzint>%
115 | <mathattr_width_value> = <fuzzint>px
116 | <mathattr_width_value> = inherit
117 | <mathattr_mathsize_value> = <fuzzint>
118 | <mathattr_mathsize_value> = <float>
119 | <mathattr_mathsize_value> = <fuzzint>%
120 | <mathattr_mathsize_value> = <fuzzint>px
121 | <mathattr_mathsize_value> = small
122 | <mathattr_mathsize_value> = normal
123 | <mathattr_mathsize_value> = big
124 | <mathattr_mathvariant_value> = normal
125 | <mathattr_mathvariant_value> = bold
126 | <mathattr_mathvariant_value> = italic
127 | <mathattr_mathvariant_value> = bold-italic
128 | <mathattr_mathvariant_value> = double-struck
129 | <mathattr_mathvariant_value> = bold-fraktur
130 | <mathattr_mathvariant_value> = sans-serif
131 | <mathattr_rowalign_value> = axis
132 | <mathattr_rowalign_value> = baseline
133 | <mathattr_rowalign_value> = bottom
134 | <mathattr_rowalign_value> = center
135 | <mathattr_rowalign_value> = top
136 | <mathattr_subscriptshift_value> = <fuzzint>
137 | <mathattr_subscriptshift_value> = <float>
138 | <mathattr_subscriptshift_value> = <fuzzint>%
139 | <mathattr_subscriptshift_value> = <fuzzint>px
140 | <mathattr_maxsize_value> = infinity
141 | <mathattr_maxsize_value> = <fuzzint>
142 | <mathattr_maxsize_value> = <float>
143 | <mathattr_movablelimits_value> = true
144 | <mathattr_movablelimits_value> = false
145 | <mathattr_rspace_value> = <fuzzint>
146 | <mathattr_rspace_value> = <float>
147 | <mathattr_rspace_value> = <fuzzint>%
148 | <mathattr_rspace_value> = <fuzzint>px
149 | <mathattr_stretchy_value> = true
150 | <mathattr_stretchy_value> = false
151 | <mathattr_symmetric_value> = true
152 | <mathattr_symmetric_value> = false
153 | <mathattr_accent_value> = true
154 | <mathattr_accent_value> = false
155 | <mathattr_align_value> = left
156 | <mathattr_align_value> = center
157 | <mathattr_align_value> = right
158 | <mathattr_depth_value> = <fuzzint>
159 | <mathattr_depth_value> = <float>
160 | <mathattr_depth_value> = <fuzzint>%
161 | <mathattr_depth_value> = <fuzzint>px
162 | <mathattr_height_value> = <fuzzint>
163 | <mathattr_height_value> = <float>
164 | <mathattr_height_value> = <fuzzint>px
165 | <mathattr_height_value> = <fuzzint>%
166 | <mathattr_lspace_value> = <fuzzint>
167 | <mathattr_lspace_value> = <fuzzint>%
168 | <mathattr_lspace_value> = <fuzzint>px
169 | <mathattr_lspace_value> = <float>
170 | <mathattr_voffset_value> = <fuzzint>
171 | <mathattr_lspace_value> = <fuzzint>px
172 | <mathattr_lspace_value> = <fuzzint>%
173 | <mathattr_lspace_value> = <float>
174 | <mathattr_lquote_value> = &quot;
175 | <mathattr_lquote_value> = "
176 | <mathattr_lquote_value> = '
177 | <mathattr_rquote_value> = &quot;
178 | <mathattr_rquote_value> = "
179 | <mathattr_rquote_value> = '
180 | <mathattr_linebreak_value> = auto
181 | <mathattr_linebreak_value> = newline
182 | <mathattr_linebreak_value> = nobreak
183 | <mathattr_linebreak_value> = goodbreak
184 | <mathattr_linebreak_value> = badbreak
185 | <mathattr_alignmentscope_value> = <fuzzint>
186 | <mathattr_alignmentscope_value> = <fuzzint>px
187 | <mathattr_alignmentscope_value> = <fuzzint>%
188 | <mathattr_alignmentscope_value> = <float>
189 | <mathattr_columnlines_value> = <fuzzint>
190 | <mathattr_columnspacing_value> = <fuzzint>
191 | <mathattr_columnspan_value> = <fuzzint>
192 | <mathattr_columnspacing_value> = <fuzzint>%
193 | <mathattr_columnspacing_value> = <fuzzint>px
194 | <mathattr_columnspacing_value> = <float>
195 | <mathattr_columnwidth_value> = <fuzzint>
196 | <mathattr_columnwidth_value> = <fuzzint>px
197 | <mathattr_columnwidth_value> = <fuzzint>%
198 | <mathattr_columnwidth_value> = <float>
199 | <mathattr_equalrows_value> = true
200 | <mathattr_equalrows_value> = false
201 | <mathattr_qeualcolumns_value> = true
202 | <mathattr_qeualcolumns_value> = false
203 | <mathattr_frame_value> = none
204 | <mathattr_frame_value> = solid
205 | <mathattr_frame_value> = dashed
206 | <mathattr_framespacing_value> = <fuzzint>
207 | <mathattr_framespacing_value> = <fuzzint>%
208 | <mathattr_framespacing_value> = <fuzzint>px
209 | <mathattr_framespacing_value> = <float>
210 | <mathattr_minlabelspacing_value> = <fuzzint>
211 | <mathattr_minlabelspacing_value> = <fuzzint>px
212 | <mathattr_minlabelspacing_value> = <fuzzint>%
213 | <mathattr_minlabelspacing_value> = <float>
214 | <mathattr_rowlines_value> = none
215 | <mathattr_rowlines_value> = solid
216 | <mathattr_rowlines_value> = dashed
217 | <mathattr_rowspacing_value> = <fuzzint>
218 | <mathattr_rowspacing_value> = <fuzzint>%
219 | <mathattr_rowspacing_value> = <fuzzint>px
220 | <mathattr_rowspacing_value> = <float>
221 | <mathattr_side_value> = left
222 | <mathattr_side_value> = leftoverlap
223 | <mathattr_side_value> = right
224 | <mathattr_side_value> = rightoverlap
225 | <mathattr_rowspan_value> = <fuzzint>
226 | <mathattr_rowspan_value> = <fuzzint>px
227 | <mathattr_rowspan_value> = <fuzzint>%
228 | <mathattr_rowspan_value> = <float>
229 | <mathattr_columnalign_value> = left
230 | <mathattr_columnalign_value> = center
231 | <mathattr_columnalign_value> = right
232 | <mathattr_groupalign_value> = left
233 | <mathattr_groupalign_value> = center
234 | <mathattr_groupalign_value> = right
235 | <mathattr_accentunder_value> = true
236 | <mathattr_accentunder_value> = false
237 | <mathattr_definitionURL_value> = none
238 | <mathattr_encoding_value> = MathML-Presentation
239 | <mathattr_encoding_value> = Mathematica
240 | <mathattr_encoding_value> = Maple
241 | <mathattr_encoding_value> = TeX
242 | <mathattr_encoding_value> = ASCII
243 | <mathattr_encoding_value> = MathMLType
244 | <mathattr_encoding_value> = OpenMath
245 | <mathattr_encoding_value> = content-MathML
246 | <mathattr_name_value> = x
247 | <mathattr_minsize_value> = <fuzzint>
248 | <mathattr_minsize_value> = <fuzzint>%
249 | <mathattr_minsize_value> = <fuzzint>px
250 | <mathattr_minsize_value> = infinity
251 | <mathattr_alt_value> = altvalue
252 | 


--------------------------------------------------------------------------------
/tools/domato/LICENSE:
--------------------------------------------------------------------------------
  1 | 
  2 |                                  Apache License
  3 |                            Version 2.0, January 2004
  4 |                         http://www.apache.org/licenses/
  5 | 
  6 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  7 | 
  8 |    1. Definitions.
  9 | 
 10 |       "License" shall mean the terms and conditions for use, reproduction,
 11 |       and distribution as defined by Sections 1 through 9 of this document.
 12 | 
 13 |       "Licensor" shall mean the copyright owner or entity authorized by
 14 |       the copyright owner that is granting the License.
 15 | 
 16 |       "Legal Entity" shall mean the union of the acting entity and all
 17 |       other entities that control, are controlled by, or are under common
 18 |       control with that entity. For the purposes of this definition,
 19 |       "control" means (i) the power, direct or indirect, to cause the
 20 |       direction or management of such entity, whether by contract or
 21 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 22 |       outstanding shares, or (iii) beneficial ownership of such entity.
 23 | 
 24 |       "You" (or "Your") shall mean an individual or Legal Entity
 25 |       exercising permissions granted by this License.
 26 | 
 27 |       "Source" form shall mean the preferred form for making modifications,
 28 |       including but not limited to software source code, documentation
 29 |       source, and configuration files.
 30 | 
 31 |       "Object" form shall mean any form resulting from mechanical
 32 |       transformation or translation of a Source form, including but
 33 |       not limited to compiled object code, generated documentation,
 34 |       and conversions to other media types.
 35 | 
 36 |       "Work" shall mean the work of authorship, whether in Source or
 37 |       Object form, made available under the License, as indicated by a
 38 |       copyright notice that is included in or attached to the work
 39 |       (an example is provided in the Appendix below).
 40 | 
 41 |       "Derivative Works" shall mean any work, whether in Source or Object
 42 |       form, that is based on (or derived from) the Work and for which the
 43 |       editorial revisions, annotations, elaborations, or other modifications
 44 |       represent, as a whole, an original work of authorship. For the purposes
 45 |       of this License, Derivative Works shall not include works that remain
 46 |       separable from, or merely link (or bind by name) to the interfaces of,
 47 |       the Work and Derivative Works thereof.
 48 | 
 49 |       "Contribution" shall mean any work of authorship, including
 50 |       the original version of the Work and any modifications or additions
 51 |       to that Work or Derivative Works thereof, that is intentionally
 52 |       submitted to Licensor for inclusion in the Work by the copyright owner
 53 |       or by an individual or Legal Entity authorized to submit on behalf of
 54 |       the copyright owner. For the purposes of this definition, "submitted"
 55 |       means any form of electronic, verbal, or written communication sent
 56 |       to the Licensor or its representatives, including but not limited to
 57 |       communication on electronic mailing lists, source code control systems,
 58 |       and issue tracking systems that are managed by, or on behalf of, the
 59 |       Licensor for the purpose of discussing and improving the Work, but
 60 |       excluding communication that is conspicuously marked or otherwise
 61 |       designated in writing by the copyright owner as "Not a Contribution."
 62 | 
 63 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 64 |       on behalf of whom a Contribution has been received by Licensor and
 65 |       subsequently incorporated within the Work.
 66 | 
 67 |    2. Grant of Copyright License. Subject to the terms and conditions of
 68 |       this License, each Contributor hereby grants to You a perpetual,
 69 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 70 |       copyright license to reproduce, prepare Derivative Works of,
 71 |       publicly display, publicly perform, sublicense, and distribute the
 72 |       Work and such Derivative Works in Source or Object form.
 73 | 
 74 |    3. Grant of Patent License. Subject to the terms and conditions of
 75 |       this License, each Contributor hereby grants to You a perpetual,
 76 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 77 |       (except as stated in this section) patent license to make, have made,
 78 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 79 |       where such license applies only to those patent claims licensable
 80 |       by such Contributor that are necessarily infringed by their
 81 |       Contribution(s) alone or by combination of their Contribution(s)
 82 |       with the Work to which such Contribution(s) was submitted. If You
 83 |       institute patent litigation against any entity (including a
 84 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 85 |       or a Contribution incorporated within the Work constitutes direct
 86 |       or contributory patent infringement, then any patent licenses
 87 |       granted to You under this License for that Work shall terminate
 88 |       as of the date such litigation is filed.
 89 | 
 90 |    4. Redistribution. You may reproduce and distribute copies of the
 91 |       Work or Derivative Works thereof in any medium, with or without
 92 |       modifications, and in Source or Object form, provided that You
 93 |       meet the following conditions:
 94 | 
 95 |       (a) You must give any other recipients of the Work or
 96 |           Derivative Works a copy of this License; and
 97 | 
 98 |       (b) You must cause any modified files to carry prominent notices
 99 |           stating that You changed the files; and
100 | 
101 |       (c) You must retain, in the Source form of any Derivative Works
102 |           that You distribute, all copyright, patent, trademark, and
103 |           attribution notices from the Source form of the Work,
104 |           excluding those notices that do not pertain to any part of
105 |           the Derivative Works; and
106 | 
107 |       (d) If the Work includes a "NOTICE" text file as part of its
108 |           distribution, then any Derivative Works that You distribute must
109 |           include a readable copy of the attribution notices contained
110 |           within such NOTICE file, excluding those notices that do not
111 |           pertain to any part of the Derivative Works, in at least one
112 |           of the following places: within a NOTICE text file distributed
113 |           as part of the Derivative Works; within the Source form or
114 |           documentation, if provided along with the Derivative Works; or,
115 |           within a display generated by the Derivative Works, if and
116 |           wherever such third-party notices normally appear. The contents
117 |           of the NOTICE file are for informational purposes only and
118 |           do not modify the License. You may add Your own attribution
119 |           notices within Derivative Works that You distribute, alongside
120 |           or as an addendum to the NOTICE text from the Work, provided
121 |           that such additional attribution notices cannot be construed
122 |           as modifying the License.
123 | 
124 |       You may add Your own copyright statement to Your modifications and
125 |       may provide additional or different license terms and conditions
126 |       for use, reproduction, or distribution of Your modifications, or
127 |       for any such Derivative Works as a whole, provided Your use,
128 |       reproduction, and distribution of the Work otherwise complies with
129 |       the conditions stated in this License.
130 | 
131 |    5. Submission of Contributions. Unless You explicitly state otherwise,
132 |       any Contribution intentionally submitted for inclusion in the Work
133 |       by You to the Licensor shall be under the terms and conditions of
134 |       this License, without any additional terms or conditions.
135 |       Notwithstanding the above, nothing herein shall supersede or modify
136 |       the terms of any separate license agreement you may have executed
137 |       with Licensor regarding such Contributions.
138 | 
139 |    6. Trademarks. This License does not grant permission to use the trade
140 |       names, trademarks, service marks, or product names of the Licensor,
141 |       except as required for reasonable and customary use in describing the
142 |       origin of the Work and reproducing the content of the NOTICE file.
143 | 
144 |    7. Disclaimer of Warranty. Unless required by applicable law or
145 |       agreed to in writing, Licensor provides the Work (and each
146 |       Contributor provides its Contributions) on an "AS IS" BASIS,
147 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
148 |       implied, including, without limitation, any warranties or conditions
149 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
150 |       PARTICULAR PURPOSE. You are solely responsible for determining the
151 |       appropriateness of using or redistributing the Work and assume any
152 |       risks associated with Your exercise of permissions under this License.
153 | 
154 |    8. Limitation of Liability. In no event and under no legal theory,
155 |       whether in tort (including negligence), contract, or otherwise,
156 |       unless required by applicable law (such as deliberate and grossly
157 |       negligent acts) or agreed to in writing, shall any Contributor be
158 |       liable to You for damages, including any direct, indirect, special,
159 |       incidental, or consequential damages of any character arising as a
160 |       result of this License or out of the use or inability to use the
161 |       Work (including but not limited to damages for loss of goodwill,
162 |       work stoppage, computer failure or malfunction, or any and all
163 |       other commercial damages or losses), even if such Contributor
164 |       has been advised of the possibility of such damages.
165 | 
166 |    9. Accepting Warranty or Additional Liability. While redistributing
167 |       the Work or Derivative Works thereof, You may choose to offer,
168 |       and charge a fee for, acceptance of support, warranty, indemnity,
169 |       or other liability obligations and/or rights consistent with this
170 |       License. However, in accepting such obligations, You may act only
171 |       on Your own behalf and on Your sole responsibility, not on behalf
172 |       of any other Contributor, and only if You agree to indemnify,
173 |       defend, and hold each Contributor harmless for any liability
174 |       incurred by, or claims asserted against, such Contributor by reason
175 |       of your accepting any such warranty or additional liability.
176 | 
177 |    END OF TERMS AND CONDITIONS
178 | 
179 |    APPENDIX: How to apply the Apache License to your work.
180 | 
181 |       To apply the Apache License to your work, attach the following
182 |       boilerplate notice, with the fields enclosed by brackets "[]"
183 |       replaced with your own identifying information. (Don't include
184 |       the brackets!)  The text should be enclosed in the appropriate
185 |       comment syntax for the file format. We also recommend that a
186 |       file or class name and description of purpose be included on the
187 |       same "printed page" as the copyright notice for easier
188 |       identification within third-party archives.
189 | 
190 |    Copyright 2017 Google Inc.
191 | 
192 |    Licensed under the Apache License, Version 2.0 (the "License");
193 |    you may not use this file except in compliance with the License.
194 |    You may obtain a copy of the License at
195 | 
196 |        http://www.apache.org/licenses/LICENSE-2.0
197 | 
198 |    Unless required by applicable law or agreed to in writing, software
199 |    distributed under the License is distributed on an "AS IS" BASIS,
200 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
201 |    See the License for the specific language governing permissions and
202 |    limitations under the License.
203 | 


--------------------------------------------------------------------------------
/tools/domato/common.txt:
--------------------------------------------------------------------------------
  1 | #   Copyright 2017 Google Inc. All Rights Reserved.
  2 | #   Licensed under the Apache License, Version 2.0 (the "License");
  3 | #   you may not use this file except in compliance with the License.
  4 | #   You may obtain a copy of the License at
  5 | #
  6 | #       http://www.apache.org/licenses/LICENSE-2.0
  7 | #
  8 | #   Unless required by applicable law or agreed to in writing, software
  9 | #   distributed under the License is distributed on an "AS IS" BASIS,
 10 | #   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 11 | #   See the License for the specific language governing permissions and
 12 | #   limitations under the License.
 13 | 
 14 | 
 15 | <newline> = <cr><lf>
 16 | 
 17 | <interestingint> = 32768
 18 | <interestingint> = 65535
 19 | <interestingint> = 65536
 20 | <interestingint> = 1073741824
 21 | <interestingint> = 536870912
 22 | <interestingint> = 268435456
 23 | <interestingint> = 4294967295
 24 | <interestingint> = 2147483648
 25 | <interestingint> = 2147483647
 26 | <interestingint> = -2147483648
 27 | <interestingint> = -1073741824
 28 | <interestingint> = -32769
 29 | 
 30 | <fuzzint> = 0
 31 | <fuzzint> = 0
 32 | <fuzzint> = 0
 33 | <fuzzint> = 1
 34 | <fuzzint> = 1
 35 | <fuzzint> = -1
 36 | <fuzzint> = <int min=0 max=10>
 37 | <fuzzint> = <int min=0 max=100>
 38 | <short p=0.05> = <interestingint>
 39 | 
 40 | <boolean> = true
 41 | <boolean> = false
 42 | 
 43 | <percentage> = <int min=0 max=100>
 44 | 
 45 | <elementid> = htmlvar0000<int min=1 max=9>
 46 | <svgelementid> = svgvar0000<int min=1 max=9>
 47 | <class> = class<int min=0 max=9>
 48 | 
 49 | <color> = red
 50 | <color> = green
 51 | <color> = white
 52 | <color> = black
 53 | <color> = #<hex><hex><hex><hex><hex><hex>
 54 | <color> = rgb(<int min=0 max=255>,<int min=0 max=255>,<int min=0 max=255>)
 55 | 
 56 | <tagname> = a
 57 | <tagname> = abbr
 58 | <tagname> = acronym
 59 | <tagname> = address
 60 | <tagname> = applet
 61 | <tagname> = area
 62 | <tagname> = article
 63 | <tagname> = aside
 64 | <tagname> = audio
 65 | <tagname> = b
 66 | <tagname> = base
 67 | <tagname> = basefont
 68 | <tagname> = bdi
 69 | <tagname> = bdo
 70 | <tagname> = bgsound
 71 | <tagname> = big
 72 | <tagname> = blink
 73 | <tagname> = blockquote
 74 | <tagname> = body
 75 | <tagname> = br
 76 | <tagname> = button
 77 | <tagname> = canvas
 78 | <tagname> = caption
 79 | <tagname> = center
 80 | <tagname> = cite
 81 | <tagname> = code
 82 | <tagname> = col
 83 | <tagname> = colgroup
 84 | <tagname> = command
 85 | <tagname> = content
 86 | <tagname> = data
 87 | <tagname> = datalist
 88 | <tagname> = dd
 89 | <tagname> = del
 90 | <tagname> = details
 91 | <tagname> = dfn
 92 | <tagname> = dialog
 93 | <tagname> = dir
 94 | <tagname> = div
 95 | <tagname> = dl
 96 | <tagname> = dt
 97 | <tagname> = element
 98 | <tagname> = em
 99 | <tagname> = embed
100 | <tagname> = fieldset
101 | <tagname> = figcaption
102 | <tagname> = figure
103 | <tagname> = font
104 | <tagname> = footer
105 | <tagname> = form
106 | <tagname> = frame
107 | <tagname> = frameset
108 | <tagname> = h1
109 | <tagname> = h2
110 | <tagname> = h3
111 | <tagname> = h4
112 | <tagname> = h5
113 | <tagname> = h6
114 | <tagname> = head
115 | <tagname> = header
116 | <tagname> = hgroup
117 | <tagname> = hr
118 | <tagname> = html
119 | <tagname> = i
120 | <tagname> = iframe
121 | <tagname> = image
122 | <tagname> = img
123 | <tagname> = input
124 | <tagname> = ins
125 | <tagname> = isindex
126 | <tagname> = kbd
127 | <tagname> = keygen
128 | <tagname> = label
129 | <tagname> = layer
130 | <tagname> = legend
131 | <tagname> = li
132 | <tagname> = link
133 | <tagname> = listing
134 | <tagname> = main
135 | <tagname> = map
136 | <tagname> = mark
137 | <tagname> = marquee
138 | <tagname> = menu
139 | <tagname> = menuitem
140 | <tagname> = meta
141 | <tagname> = meter
142 | <tagname> = multicol
143 | <tagname> = nav
144 | <tagname> = nobr
145 | <tagname> = noembed
146 | <tagname> = noframes
147 | <tagname> = nolayer
148 | <tagname> = noscript
149 | <tagname> = object
150 | <tagname> = ol
151 | <tagname> = optgroup
152 | <tagname> = option
153 | <tagname> = output
154 | <tagname> = p
155 | <tagname> = param
156 | <tagname> = picture
157 | <tagname> = plaintext
158 | <tagname> = pre
159 | <tagname> = progress
160 | <tagname> = q
161 | <tagname> = rp
162 | <tagname> = rt
163 | <tagname> = rtc
164 | <tagname> = ruby
165 | <tagname> = s
166 | <tagname> = samp
167 | <tagname> = script
168 | <tagname> = section
169 | <tagname> = select
170 | <tagname> = shadow
171 | <tagname> = small
172 | <tagname> = source
173 | <tagname> = spacer
174 | <tagname> = span
175 | <tagname> = strike
176 | <tagname> = strong
177 | <tagname> = style
178 | <tagname> = sub
179 | <tagname> = summary
180 | <tagname> = sup
181 | <tagname> = table
182 | <tagname> = tbody
183 | <tagname> = td
184 | <tagname> = template
185 | <tagname> = textarea
186 | <tagname> = tfoot
187 | <tagname> = th
188 | <tagname> = thead
189 | <tagname> = time
190 | <tagname> = title
191 | <tagname> = tr
192 | <tagname> = track
193 | <tagname> = tt
194 | <tagname> = u
195 | <tagname> = ul
196 | <tagname> = var
197 | <tagname> = video
198 | <tagname> = wbr
199 | <tagname> = xmp
200 | 
201 | <svgtagname> = a
202 | <svgtagname> = altGlyph
203 | <svgtagname> = altGlyphDef
204 | <svgtagname> = altGlyphItem
205 | <svgtagname> = animate
206 | <svgtagname> = animateColor
207 | <svgtagname> = animateMotion
208 | <svgtagname> = animateTransform
209 | <svgtagname> = circle
210 | <svgtagname> = clipPath
211 | <svgtagname> = cursor
212 | <svgtagname> = defs
213 | <svgtagname> = desc
214 | <svgtagname> = ellipse
215 | <svgtagname> = feBlend
216 | <svgtagname> = feColorMatrix
217 | <svgtagname> = feComponentTransfer
218 | <svgtagname> = feComposite
219 | <svgtagname> = feConvolveMatrix
220 | <svgtagname> = feDiffuseLighting
221 | <svgtagname> = feDisplacementMap
222 | <svgtagname> = feDistantLight
223 | <svgtagname> = feDropShadow
224 | <svgtagname> = feFlood
225 | <svgtagname> = feFuncA
226 | <svgtagname> = feFuncB
227 | <svgtagname> = feFuncG
228 | <svgtagname> = feFuncR
229 | <svgtagname> = feGaussianBlur
230 | <svgtagname> = feImage
231 | <svgtagname> = feMerge
232 | <svgtagname> = feMergeNode
233 | <svgtagname> = feMorphology
234 | <svgtagname> = feOffset
235 | <svgtagname> = fePointLight
236 | <svgtagname> = feSpecularLighting
237 | <svgtagname> = feSpotLight
238 | <svgtagname> = feTile
239 | <svgtagname> = feTurbulence
240 | <svgtagname> = filter
241 | <svgtagname> = font
242 | <svgtagname> = font_face
243 | <svgtagname> = font_face_format
244 | <svgtagname> = font_face_name
245 | <svgtagname> = font_face_src
246 | <svgtagname> = font_face_uri
247 | <svgtagname> = foreignObject
248 | <svgtagname> = g
249 | <svgtagname> = glyph
250 | <svgtagname> = glyphRef
251 | <svgtagname> = hkern
252 | <svgtagname> = image
253 | <svgtagname> = line
254 | <svgtagname> = linearGradient
255 | <svgtagname> = marker
256 | <svgtagname> = mask
257 | <svgtagname> = metadata
258 | <svgtagname> = missing_glyph
259 | <svgtagname> = mpath
260 | <svgtagname> = path
261 | <svgtagname> = pattern
262 | <svgtagname> = polygon
263 | <svgtagname> = polyline
264 | <svgtagname> = radialGradient
265 | <svgtagname> = rect
266 | <svgtagname> = script
267 | <svgtagname> = set
268 | <svgtagname> = stop
269 | <svgtagname> = style
270 | <svgtagname> = svg
271 | <svgtagname> = switch
272 | <svgtagname> = symbol
273 | <svgtagname> = text
274 | <svgtagname> = textPath
275 | <svgtagname> = title
276 | <svgtagname> = tref
277 | <svgtagname> = tspan
278 | <svgtagname> = use
279 | <svgtagname> = view
280 | <svgtagname> = vkern
281 | 
282 | <imgsrc> = x
283 | <imgsrc> = data:image/gif;base64,R0lGODlhIAAgAPIBAGbMzP///wAAADOZZpn/zAAAAAAAAAAAACH5BAAAAAAALAAAAAAgACAAAAOLGLrc/k7ISau9S5DNu/8fICgaYJ5oqqbDGJRrLAMtScw468J5Xr+3nm8XFM5+PGMMWYwxcMyZ40iULQaDhSzqDGBNisGyuhUDrmNb72pWcaXhtpsM/27pVi8UX96rcQpDf3V+QD12d4NKK2+Lc4qOKI2RJ5OUNHyXSDRYnZ6foKAuLxelphMQqaoPCQA7
284 | 
285 | <videosrc> = x
286 | <videosrc> = data:video/mp4;base64,AAAAIGZ0eXBpc29tAAACAGlzb21pc28yYXZjMW1wNDEAAAAIZnJlZQAAA5NtZGF0AAACrgYF//+q3EXpvebZSLeWLNgg2SPu73gyNjQgLSBjb3JlIDE0OCByMjY0MyA1YzY1NzA0IC0gSC4yNjQvTVBFRy00IEFWQyBjb2RlYyAtIENvcHlsZWZ0IDIwMDMtMjAxNSAtIGh0dHA6Ly93d3cudmlkZW9sYW4ub3JnL3gyNjQuaHRtbCAtIG9wdGlvbnM6IGNhYmFjPTEgcmVmPTMgZGVibG9jaz0xOjA6MCBhbmFseXNlPTB4MzoweDExMyBtZT1oZXggc3VibWU9NyBwc3k9MSBwc3lfcmQ9MS4wMDowLjAwIG1peGVkX3JlZj0xIG1lX3JhbmdlPTE2IGNocm9tYV9tZT0xIHRyZWxsaXM9MSA4eDhkY3Q9MSBjcW09MCBkZWFkem9uZT0yMSwxMSBmYXN0X3Bza2lwPTEgY2hyb21hX3FwX29mZnNldD0tMiB0aHJlYWRzPTEgbG9va2FoZWFkX3RocmVhZHM9MSBzbGljZWRfdGhyZWFkcz0wIG5yPTAgZGVjaW1hdGU9MSBpbnRlcmxhY2VkPTAgYmx1cmF5X2NvbXBhdD0wIGNvbnN0cmFpbmVkX2ludHJhPTAgYmZyYW1lcz0zIGJfcHlyYW1pZD0yIGJfYWRhcHQ9MSBiX2JpYXM9MCBkaXJlY3Q9MSB3ZWlnaHRiPTEgb3Blbl9nb3A9MCB3ZWlnaHRwPTIga2V5aW50PTI1MCBrZXlpbnRfbWluPTI1IHNjZW5lY3V0PTQwIGludHJhX3JlZnJlc2g9MCByY19sb29rYWhlYWQ9NDAgcmM9Y3JmIG1idHJlZT0xIGNyZj0yMy4wIHFjb21wPTAuNjAgcXBtaW49MCBxcG1heD02OSBxcHN0ZXA9NCBpcF9yYXRpbz0xLjQwIGFxPTE6MS4wMACAAAAAvWWIhAAh/9PWYQ7q+jvvWOfBgvpv0eIYkqWiQW6SsLQx8ByoouBLEC9HBQTAXOJh/wFnteOP+NH5Er2DeHrP4kxvjj4nXKG9Zm/FycSAdlzoMDOFc4CmXmCL51Dj+zekurxKazOLwXVd7f/rOQpa9+iPXYTZsRw+WFFNokI8saLT7Mt03UvGxwdAYkwe7UmwPZacue5goP6rQhBgGMjgK21nSHZWUcz5Y6Ec/wdCPp0Sxx/h6UsSneF9hINuvwAAAAhBmiJsQx92QAAAAAgBnkF5DH/EgQAAAzRtb292AAAAbG12aGQAAAAAAAAAAAAAAAAAAAPoAAAAZAABAAABAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAACXnRyYWsAAABcdGtoZAAAAAMAAAAAAAAAAAAAAAEAAAAAAAAAZAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAEAAAAAAIAAAACAAAAAAACRlZHRzAAAAHGVsc3QAAAAAAAAAAQAAAGQAAAQAAAEAAAAAAdZtZGlhAAAAIG1kaGQAAAAAAAAAAAAAAAAAADwAAAAGAFXEAAAAAAAtaGRscgAAAAAAAAAAdmlkZQAAAAAAAAAAAAAAAFZpZGVvSGFuZGxlcgAAAAGBbWluZgAAABR2bWhkAAAAAQAAAAAAAAAAAAAAJGRpbmYAAAAcZHJlZgAAAAAAAAABAAAADHVybCAAAAABAAABQXN0YmwAAACVc3RzZAAAAAAAAAABAAAAhWF2YzEAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAIAAgAEgAAABIAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAY//8AAAAvYXZjQwFkAAr/4QAWZ2QACqzZSWhAAAADAEAAAA8DxIllgAEABmjr48siwAAAABhzdHRzAAAAAAAAAAEAAAADAAACAAAAABRzdHNzAAAAAAAAAAEAAAABAAAAKGN0dHMAAAAAAAAAAwAAAAEAAAQAAAAAAQAABgAAAAABAAACAAAAABxzdHNjAAAAAAAAAAEAAAABAAAAAwAAAAEAAAAgc3RzegAAAAAAAAAAAAAAAwAAA3MAAAAMAAAADAAAABRzdGNvAAAAAAAAAAEAAAAwAAAAYnVkdGEAAABabWV0YQAAAAAAAAAhaGRscgAAAAAAAAAAbWRpcmFwcGwAAAAAAAAAAAAAAAAtaWxzdAAAACWpdG9vAAAAHWRhdGEAAAABAAAAAExhdmY1Ni40MC4xMDE=
287 | 
288 | <audiosrc> = x
289 | <audiosrc> = data:audio/mp3;base64,//uQxAAAAAAAAAAAAAAAAAAAAAAASW5mbwAAAA8AAAADAAAGhgBVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVWqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqr///////////////////////////////////////////8AAAA5TEFNRTMuOTlyAc0AAAAAAAAAABSAJAKjQgAAgAAABoaLLYLcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA//uQxAAAVHoO86Ch/wKrQh+UIz/YShKDZqEIAAE3kQFg+NSyUDm5f/yB+D/GP8hjmzG6Jy7lvFu8Iif7i7vApIeVfN/DkGIKGInCaJxNu9wifzeiTfJlaJX/Np//9wKClWWDcG4vBiIYwcB4NHigohguDcBcIxSiAaB4JAgT6jf2YDkQi5/mmabkya6nTRBy5uRyKB48TiFogeguDih66JwykEQBKzjbzTdl3FjUCgfnYZFWM01W3xx4g/qtMn//v/////9+j9oeZe+G35O3ZKZ9f+8N1LCTyD5/hhewsfDj0TDUzpMMkhzaPS6TS172Po89nnJ1mln9/pod31/j4jYgPWx7Aq5MUFns3tUmlSzP2fSvZYbOVT9OP3yLJ4kTEQacS6PSzeXtGQ2It0A5GhIiGn0WMgS8ajcLgZ5bBbhuIFSj0FuHwJQsY9yIPgmZ0C5kpLKpyAaBMiOBSC9Lmcypf2WJKVNItoAE2UDUo2XGvl3+5Sn5///efkKpqSl6nNZq7mRvk4LTEpFJ8EAuIIcxAhRdGejHgAcDIOpMMVju//uSxB6AVKYRAYCN/sKXwiAoFL/gDcjA/qGXMzOkX/l6QcZi6hvb6Y4WczOL93AnkfJl7CVqfnbUQ0Ho3KpwmVbcT59DQkvrEhSnUC6Vj6U8DvLevkCV5hs+WMupZKsylEjyvcT0cEcY7S2P0YSlVGAubM6oKYf5cj6jZk1KwsxdIeZzRc/S4vzv5eR9ur/9Leh0fZPPeV5uvbrzTv1SuTy5NxTyW3CF0vrF1tLFsuFa7336yxlTi7cnKcof3kvPKu5/1fyqy/lVf2b1DpDDpE7RIhSOJDZQicyQqsmKYEpKJ2M6IbchCvO84TjUCHIWP411MmlAd6cVrAhDUf5xJU/mJkJihqdI4dY9D5RrxBi+sQeEacRPSTBouAj48i+Lh04Z/8v/mf/f////+8V7RiRllObiOvpaJWu06xcyGP0pkpaptJDnnhj0eWiixyiewi5rebgxesayRHMuP+27WN/HfdbJvEP4fQXk7++VdHVMZm+0Oe2aU4o1xHQ5iSKepDeM60sIchLEqmFqep1TE9OEwxKtsdOtj1EFMyJsxcoWMv/7ksQ/gFTqEPwAmf7CYEId8BM/4JpLqWw6TTWAcxNS6msRk0RbhJT6D+FfP4lBBVSsgOJvhmkkOEjSBhUgSJQIpiTyc1V/nL+i/8UK//upf/4Sf9vjfy8+nynnTUTkjVVv7VZGEnfN9PLHSckai1d/TotT5X/9PLV2rznavW+ZYltU8yxyRqTkUTkjcaTlgpiU0XVgsUcmATAkqN8xYUZh3lOsCilexWJqjvXq8hR+qluTrIW5pOUyTCLESFHH6dLVGP5Li2qxlP1UD1JclJkro0lDNtVMQU1FMy45OS41VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVU=
290 | 
291 | 
292 | 


--------------------------------------------------------------------------------
/tools/domato/canvas/canvas.txt:
--------------------------------------------------------------------------------
  1 | #   Copyright 2017 Google Inc. All Rights Reserved.
  2 | #   Licensed under the Apache License, Version 2.0 (the "License");
  3 | #   you may not use this file except in compliance with the License.
  4 | #   You may obtain a copy of the License at
  5 | #
  6 | #       http://www.apache.org/licenses/LICENSE-2.0
  7 | #
  8 | #   Unless required by applicable law or agreed to in writing, software
  9 | #   distributed under the License is distributed on an "AS IS" BASIS,
 10 | #   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 11 | #   See the License for the specific language governing permissions and
 12 | #   limitations under the License.
 13 | 
 14 | <canvasint> = <interestingint>
 15 | <canvasint> = <fuzzint>
 16 | <canvasint> = <largeint>
 17 | 
 18 | <largeint> = 536870911
 19 | <largeint> = 536870912
 20 | <largeint> = 1073741823
 21 | <largeint> = 1073741824
 22 | <largeint> = 2147483647
 23 | <largeint> = 2147483648
 24 | <largeint> = 4294967295
 25 | <largeint> = 4294967296
 26 | 
 27 | <fuzzstring> = <fuzzstringpart>
 28 | <fuzzstring> = <fuzzstringpart> + <fuzzstringpart>
 29 | <fuzzstring> = <fuzzstringpart> + <fuzzstringpart> + <fuzzstringpart>
 30 | <fuzzstringpart> = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 31 | <repeatcount> = 17
 32 | <repeatcount> = 65
 33 | <repeatcount> = 257
 34 | <repeatcount> = 1025
 35 | <repeatcount> = 4097
 36 | <repeatcount> = 65537
 37 | <repeatstr> = String.fromCharCode(<int min=0 max=127>)
 38 | <repeatstr> = String.fromCharCode(<int min=0 max=127>).repeat(<repeatcount>)
 39 | 
 40 | <fillRule> = "nonzero"
 41 | <fillRule> = "evenodd"
 42 | 
 43 | <lineCap> = "butt"
 44 | <lineCap> = "round"
 45 | <lineCap> = "square"
 46 | <lineJoin> = "bevel"
 47 | <lineJoin> = "round"
 48 | <lineJoin> = "miter"
 49 | 
 50 | <textAlign> = "left"
 51 | <textAlign> = "right"
 52 | <textAlign> = "center"
 53 | <textAlign> = "start"
 54 | <textAlign> = "end"
 55 | 
 56 | <textBaseline> = "top" 
 57 | <textBaseline> = "hanging"
 58 | <textBaseline> = "middle"
 59 | <textBaseline> = "alphabetic"
 60 | <textBaseline> = "ideographic"
 61 | <textBaseline> = "bottom"
 62 | 
 63 | <txtDirection> = "ltr"
 64 | <txtDirection> = "rtl"
 65 | <txtDirection> = "inherit"
 66 | 
 67 | <repetition> = "repeat" 
 68 | <repetition> = "repeat-x" 
 69 | <repetition> = "repeat-y" 
 70 | <repetition> = "no-repeat"
 71 | 
 72 | <imageFormat> = "image/png"
 73 | <imageFormat> = "image/webp"
 74 | 
 75 | <mathOperation> = +
 76 | <mathOperation> = -
 77 | <mathOperation> = /
 78 | <mathOperation> = *
 79 | 
 80 | <globalCompositeOperation> = "source-over"
 81 | <globalCompositeOperation> = "source-in"
 82 | <globalCompositeOperation> = "source-out"
 83 | <globalCompositeOperation> = "source-atop"
 84 | <globalCompositeOperation> = "destination-over"
 85 | <globalCompositeOperation> = "destination-in"
 86 | <globalCompositeOperation> = "destination-out"
 87 | <globalCompositeOperation> = "destination-atop"
 88 | <globalCompositeOperation> = "lighter"
 89 | <globalCompositeOperation> = "copy"
 90 | <globalCompositeOperation> = "xor"
 91 | <globalCompositeOperation> = "multiply"
 92 | <globalCompositeOperation> = "screen"
 93 | <globalCompositeOperation> = "overlay"
 94 | <globalCompositeOperation> = "darken"
 95 | <globalCompositeOperation> = "lighten"
 96 | <globalCompositeOperation> = "color-dodge"
 97 | <globalCompositeOperation> = "hard-light"
 98 | <globalCompositeOperation> = "soft-light"
 99 | <globalCompositeOperation> = "difference"
100 | <globalCompositeOperation> = "exclusion"
101 | <globalCompositeOperation> = "hue"
102 | <globalCompositeOperation> = "saturation"
103 | <globalCompositeOperation> = "color"
104 | <globalCompositeOperation> = "luminosity"
105 | 
106 | <this> = this
107 | 
108 | <root root=true> = <lines count=50>
109 | 
110 | !include ../common.txt
111 | !include ../cssproperties.txt
112 | 
113 | !lineguard try { <line> } catch(e) { console.log(e.message) }
114 | !varformat fuzzvar%05d
115 | !begin lines
116 | 
117 | # Image
118 | <new img> = new Image();
119 | <new img> = new Image(<canvasint>, <canvasint>);
120 | <img>.src = "data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw==";
121 | 
122 | # Uint8ClampedArray
123 | <new uintc8> = new Uint8ClampedArray(<canvasint>);
124 | <new uintc8> = new Uint8ClampedArray([<canvasint>,<canvasint>]);
125 | 
126 | # ImageData
127 | <new imgData> = new ImageData(<uintc8>, <canvasint>, <canvasint>);
128 | <new imgData> = new ImageData(<canvasint>, <canvasint>);
129 | 
130 | # The button
131 | <new button> = document.getElementById('button');
132 | <button>.focus();
133 | 
134 | # Only for addPath method
135 | <new path2daddpath> = new Path2D();
136 | <path2daddpath>.addPath(<path2daddpath>,<m>);
137 | 
138 | # HTMLCanvasElement
139 | <new canvas> = document.getElementById('canvas');
140 | <canvas>.height = <canvasint>;
141 | <canvas>.width = <canvasint>;
142 | <canvas>.toDataURL(<imageFormat>, <float min=0 max=1>);
143 | <canvas>.transferControlToOffscreen();
144 | 
145 | # Capture stream
146 | <new canvasElt> = document.querySelector('canvas');
147 | <new stream> = <canvasElt>.captureStream(<canvasint>);
148 | 
149 | # Path2d stuff
150 | <new path2d> = new Path2D();
151 | <new path2d> = new Path2D(<path2d>);
152 | <new path2d> = new Path2D('<canvasint> <canvasint> C <canvasint> <canvasint>, <canvasint> <canvasint>, <canvasint> <canvasint>');
153 | <new path2d> = new Path2D('<canvasint> <canvasint> h <canvasint> v <canvasint> h <canvasint> Z');
154 | <new path2d> = new Path2D('M<canvasint> <canvasint> H <canvasint> V <canvasint> H <canvasint> L <canvasint> <canvasint>');
155 | <new path2d> = new Path2D('M<canvasint> <canvasint> A <canvasint> <canvasint>, <canvasint>, <canvasint>, <canvasint>, <canvasint> <canvasint> L <canvasint> <canvasint> Z" fill="<color>"');
156 | <new path2d> = new Path2D('M<canvasint> <canvasint> A <canvasint> <canvasint>, <canvasint>, <canvasint>, <canvasint>, <canvasint> <canvasint> L <canvasint> <canvasint> Z" fill="<cssproperty_border-right-color>" stroke="<color>"');
157 | 
158 | # Button
159 | ctx.drawFocusIfNeeded(<button>);
160 | 
161 | # Paths
162 | ctx.beginPath();
163 | ctx.closePath();
164 | ctx.moveTo(<canvasint>, <canvasint>);
165 | ctx.lineTo(<canvasint>, <canvasint>);
166 | ctx.lineTo(<canvasint>, <canvasint>);
167 | ctx.bezierCurveTo(<canvasint>, <canvasint>, <canvasint>, <canvasint>, <canvasint>, <canvasint>);
168 | ctx.quadraticCurveTo(<canvasint>, <canvasint>, <canvasint>, <canvasint>);
169 | ctx.rect(<canvasint>, <canvasint>, <canvasint>, <canvasint>);
170 | ctx.arc(<int min=0 max=255>, <int min=0 max=255>, <int min=0 max=255>, <int min=0 max=255>, <int min=0 max=255>);
171 | ctx.arc(<canvasint>, <canvasint>, <canvasint>, <canvasint>, <float> <mathOperation> Math.PI);
172 | ctx.arc(<float>, <float>, <float>, <float>,<float> - Math.PI );
173 | ctx.arc(<canvasint>, <canvasint>, <canvasint>, <canvasint>, <canvasint>, <boolean>);
174 | ctx.arcTo(<int min=0 max=255>, <int min=0 max=255>, <int min=0 max=255>, <int min=0 max=255>, <int min=0 max=255>);
175 | ctx.arcTo(<canvasint>, <canvasint>, <canvasint>, <canvasint>, <float> <mathOperation> Math.PI);
176 | ctx.arcTo(<float>, <float>, <float>, <float>, <float> - Math.PI );
177 | ctx.quadraticCurveTo(<canvasint>, <canvasint>, <canvasint>, <canvasint>);
178 | ctx.bezierCurveTo(<canvasint>, <canvasint>, <canvasint>, <canvasint>, <canvasint>, <canvasint>);
179 | ctx.ellipse(<int min=0 max=255>, <int min=0 max=255>, <int min=0 max=255>, <int min=0 max=255>, <int min=0 max=255>, <int min=0 max=255>, <int min=0 max=255>, <boolean>);
180 | ctx.ellipse(<canvasint>, <canvasint>, <canvasint>, <canvasint>, <canvasint>, <canvasint>, <canvasint>, <boolean>);
181 | ctx.ellipse(<canvasint>, <canvasint>, <canvasint>, <canvasint>, <canvasint>, <canvasint>, <canvasint>, <boolean>);
182 | ctx.rect(<canvasint>, <canvasint>, <canvasint>, <canvasint>);
183 | 
184 | ctx.fillStyle = '<color>';
185 | ctx.fillStyle = <pattern>
186 | ctx.strokeStyle = '<color>';
187 | 
188 | # Drawing paths 
189 | # Fill and stroke styles
190 | # TODO: This section needs also to be expanded
191 | ctx.fill();
192 | ctx.fill(<fillRule>);
193 | ctx.fill(<path2d>, <fillRule>);
194 | ctx.stroke();
195 | ctx.stroke(<path2d>);
196 | ctx.clip();
197 | ctx.clip(<fillRule>);
198 | ctx.clip(<path2d>, <fillRule>);
199 | console.log(ctx.isPointInPath(<canvasint>, <canvasint>));
200 | console.log(ctx.isPointInPath(<path2d>, <canvasint>, <canvasint>, <fillRule>));
201 | console.log(ctx.isPointInStroke(<canvasint>, <canvasint>));
202 | console.log(ctx.isPointInStroke(<path2d>, <canvasint>, <canvasint>));
203 | 
204 | # Transformations
205 | <new matrix> = ctx.currentTransform;
206 | <matrix>.a = <canvasint>;
207 | <matrix>.b = <canvasint>;
208 | <matrix>.c = <canvasint>;
209 | <matrix>.d = <canvasint>;
210 | <matrix>.e = <canvasint>;
211 | <matrix>.f = <canvasint>;
212 | ctx.currentTransform = <matrix>;
213 | ctx.rotate(<canvasint> <mathOperation> Math.PI <mathOperation> <canvasint>);
214 | ctx.scale(<canvasint>, <canvasint>);
215 | ctx.translate(<canvasint>, <canvasint>);
216 | ctx.transform(<canvasint>, <canvasint>, <canvasint>, <canvasint>, <canvasint>, <canvasint>);
217 | ctx.transform(<float min=0 max=1>, <float min=0 max=1>, <float min=0 max=1>, <float min=0 max=1>, <float min=0 max=1>, <float min=0 max=1>);
218 | ctx.setTransform(<canvasint>, <canvasint>, <canvasint>, <canvasint>, <canvasint>,  <canvasint>);
219 | ctx.resetTransform();
220 | 
221 | # Compositing
222 | ctx.globalAlpha = <float min=0 max=1>;
223 | ctx.globalCompositeOperation = <globalCompositeOperation>;
224 | 
225 | # Drawing images
226 | ctx.drawImage(<img>, <canvasint>, <canvasint>);
227 | ctx.drawImage(<img>, <canvasint>, <canvasint>, <canvasint>, <canvasint>);
228 | ctx.drawImage(<img>, <canvasint>, <canvasint>, <canvasint>, <canvasint>, <canvasint>, <canvasint>, <canvasint>, <canvasint>);
229 | 
230 | # Pixel manipulation
231 | # Expand on ImageData object
232 | ctx.createImageData(<canvasint>, <canvasint>);
233 | console.log(<imgData>.data);
234 | 
235 | ctx.getImageData(<canvasint>, <canvasint>, <canvasint>, <canvasint>);
236 | ctx.putImageData(<img>, <canvasint>, <canvasint>);
237 | ctx.putImageData(<img>, <canvasint>, <canvasint>, <canvasint>, <canvasint>, <canvasint>, <canvasint>);
238 | 
239 | # Image Smoothing
240 | ctx.imageSmoothingEnabled = <boolean>;
241 | 
242 | # The canvas state
243 | ctx.save();
244 | ctx.restore();
245 | console.log(ctx.canvas);
246 | 
247 | # Hit regions
248 | ctx.addHitRegion({id: <fuzzstring>});
249 | ctx.removeHitRegion('<fuzzstring>');
250 | ctx.clearHitRegions();
251 | 
252 | # Gradients and patterns
253 | <new grd> = ctx.createLinearGradient(<canvasint>, <canvasint>, <canvasint>, <canvasint>);
254 | <new grd> = ctx.createRadialGradient(<canvasint>, <canvasint>, <canvasint>, <canvasint>, <canvasint>, <canvasint>);
255 | # color offset: A number between 0 and 1.
256 | <grd>.addColorStop(<float min=0 max=1>, "<color>");
257 | 
258 | <new pattern> = ctx.createPattern(<img>, <repetition>);
259 | 
260 | # Shadows
261 | ctx.shadowBlur = <canvasint>;
262 | ctx.shadowColor = "<color>";
263 | ctx.shadowOffsetX = <canvasint>;
264 | ctx.shadowOffsetY = <canvasint>;
265 | 
266 | # Drawing rectangles
267 | ctx.clearRect(<canvasint>, <canvasint>, <canvasint>, <canvasint>);
268 | ctx.clearRect(<canvasint>, <canvasint>, <canvasint>, <canvasint>);
269 | ctx.clearRect(<canvasint>, <canvasint>, canvas.width, canvas.height);
270 | 
271 | ctx.fillRect(<canvasint>, <canvasint>, <canvasint>, <canvasint>);
272 | ctx.strokeRect(<canvasint>, <canvasint>, <canvasint>, <canvasint>);
273 | 
274 | # Drawing text
275 | ctx.fillText(<fuzzstring>,  <canvasint>, <canvasint>);
276 | ctx.strokeText(<fuzzstring>, <canvasint>, <canvasint>);
277 | <new text> = ctx.measureText(<fuzzstring>);
278 | console.log((<text>.width));
279 | 
280 | # Line styles
281 | ctx.lineWidth = <canvasint>;
282 | ctx.lineCap = <lineCap>;
283 | ctx.lineJoin = <lineJoin>;
284 | ctx.miterLimit = <canvasint>;
285 | ctx.setLineDash([<canvasint>, <canvasint>]);
286 | ctx.setLineDash([]);
287 | ctx.lineDashOffset = <canvasint>;
288 | console.log(ctx.getLineDash());
289 | 
290 | # Text styles
291 | # TODO: Expand on font
292 | ctx.font = '<canvasint>px serif';
293 | ctx.textAlign = <textAlign>;
294 | ctx.textBaseline = <textBaseline>;
295 | ctx.direction = <txtDirection>;
296 | 
297 | <new m> = document.createElementNS('http://www.w3.org/2000/svg', 'svg').createSVGMatrix();
298 | <m>.a = <canvasint>; <m>.b = <canvasint>;
299 | <m>.c = <canvasint>; <m>.d = <canvasint>;
300 | <m>.e = <canvasint>; <m>.f = <canvasint>;
301 | 
302 | !end lines


--------------------------------------------------------------------------------
/src/fuzzer/reproducer.py:
--------------------------------------------------------------------------------
  1 | import sys
  2 | import os
  3 | import random
  4 | import signal
  5 | import shutil
  6 | import time
  7 | 
  8 | from contextlib import contextmanager
  9 | 
 10 | from src.script.testcase_generator import TestcaseGenerator
 11 | from src.script.testcase import Testcase
 12 | from src.executor.chrome_handler import ChromeHandler
 13 | from src.executor.firefox_handler import FirefoxHandler
 14 | from src.executor.edge_handler import EdgeHandler
 15 | from src.executor.safari_handler import SafariHandler
 16 | from src.fuzzer.exception import TestcaseTimeout
 17 | 
 18 | fuzzer = None
 19 | 
 20 | @contextmanager
 21 | def timeout(time):
 22 |     # Register a function to raise a TimeoutError on the signal.
 23 |     signal.signal(signal.SIGALRM, raise_timeout)
 24 |     # Schedule the signal to be sent after ``time``.
 25 |     signal.alarm(time)
 26 | 
 27 |     try:
 28 |         yield
 29 |     except TimeoutError:
 30 |         pass
 31 |     finally:
 32 |         # Unregister the signal so it won't be triggered
 33 |         # if the timeout is not reached.
 34 |         signal.signal(signal.SIGALRM, signal.SIG_IGN)
 35 | 
 36 | class Fuzzer:
 37 |     def __init__(self, target, binary, fuzzer_idx=0):
 38 |         self.idx = 0
 39 |         self.fuzzer_idx = fuzzer_idx
 40 |         self.binary = binary
 41 |         self.target = target
 42 |         self.cur_input = None
 43 |         self.src1 = None
 44 |         self.src2 = None
 45 |         self.op = None
 46 |         self.queue_idx = 0
 47 | 
 48 |         self.parent_path = "servers/data/parent/"
 49 |         self.child_path = "servers/data/child/"
 50 | 
 51 |         self.base_url = "http://127.0.0.1:7000"
 52 | 
 53 |         self.report_path = f"tests/output_{self.fuzzer_idx}"
 54 | 
 55 |         if self.target == "chrome":
 56 |             self.execute_handler = ChromeHandler(self.binary, output=self.report_path)
 57 |             self.console_log = True
 58 |         elif self.target == "firefox":
 59 |             self.execute_handler = FirefoxHandler(self.binary, output=self.report_path)
 60 |             self.console_log = True
 61 |         elif self.target == "edge":
 62 |             self.execute_handler = EdgeHandler(self.binary, output=self.report_path)
 63 |             self.console_log = True
 64 |         elif self.target == "safari":
 65 |             self.execute_handler = SafariHandler(self.binary, output=self.report_path)
 66 |             self.console_log = False
 67 | 
 68 |         self.testcase_generator = TestcaseGenerator()
 69 | 
 70 |         self.start_time = time.time()
 71 | 
 72 |         self.crash_path = os.path.join(self.report_path, "crash")
 73 |         self.queue_path = os.path.join(self.report_path, "queue")
 74 |         
 75 |         if not os.path.exists(self.crash_path):
 76 |             os.makedirs(self.crash_path)
 77 | 
 78 |         if not os.path.exists(self.queue_path):
 79 |             os.makedirs(self.queue_path)
 80 | 
 81 |         self.crash_flag = False
 82 | 
 83 |         self.timeout = 3
 84 | 
 85 |         self.exec_count = 0
 86 |         self.timeout_count = 0
 87 |         self.crash_count = 0
 88 |         self.total_exec_time = 0
 89 |         self.reset_count = 0
 90 |         self.reset_signal = 0
 91 |         self.testcase_name = ""
 92 |         self.cross_origin = 0
 93 | 
 94 |     def setup_shm(self, shm_id):
 95 |         if os.environ.get("__AFL_SHM_ID") is None:
 96 |             os.environ["__AFL_SHM_ID"] = str(shm_id) 
 97 |             print('> shm_id is set as {}'.format(shm_id))
 98 | 
 99 |     def unset_shm(self):
100 |         del os.environ["__AFL_SHM_ID"]
101 | 
102 |     def initialize(self):
103 |         print("[+] FUZZER initialize")
104 |         self.execute_handler.open(cur_time=int(time.time()-self.start_time))
105 | 
106 |     def reset(self):
107 |         print("[+] FUZZER reset")
108 |         
109 |         signal.alarm(self.timeout)
110 |         try:
111 |             print("[+] try to quit chrome driver ...")
112 |             self.execute_handler.quit(remove=(not self.crash_flag))
113 |             
114 |         except TestcaseTimeout as e:
115 |             print("[-] reset timeout, retry quit force")
116 |             self.execute_handler.quit_force(remove=(not self.crash_flag))
117 |             # self.execute_handler.quit(remove=(not self.crash_flag))
118 |         signal.alarm(0)
119 |         self.execute_handler.open(cur_time=int(time.time()-self.start_time))
120 |         self.reset_count += 1
121 |         self.reset_signal = 0
122 |         self.crash_flag = False
123 |         print("[+] FUZZER reset done")
124 | 
125 |     def print_summary(self):
126 |         execute_time = int(time.time() - self.start_time)
127 |         print("+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++")
128 |         print(f"[exec count]       {self.exec_count}  ({self.exec_count/self.idx * 100}%)")
129 |         print(f"[exec time]        {execute_time}")
130 |         print(f"[exec/sec]         {self.exec_count/execute_time}")
131 |         print(f"[avg exec time]    {self.total_exec_time/self.idx}")
132 |         print(f"[crash count]      {self.crash_count}  ({self.crash_count/self.idx * 100}%)")
133 |         print(f"[timeout count]    {self.timeout_count}  ({self.timeout_count/self.idx * 100}%)")
134 |         print(f"[reset count]      {self.reset_count}")
135 |         print(f"[origin count]     {self.cross_origin}")
136 |         print("+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++")
137 | 
138 |         summary_path = os.path.join(self.report_path, "summary.txt")
139 | 
140 |         with open(summary_path, "w") as f:
141 |             f.write("+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n")
142 |             f.write(f"[exec count]       {self.exec_count}  ({self.exec_count/self.idx * 100}%)" + "\n")
143 |             f.write(f"[exec time]        {execute_time}" + "\n")
144 |             f.write(f"[exec/sec]         {self.exec_count/execute_time}" + "\n")
145 |             f.write(f"[avg exec time]    {self.total_exec_time/self.idx}" + "\n")
146 |             f.write(f"[crash count]      {self.crash_count}  ({self.crash_count/self.idx * 100}%)" + "\n")
147 |             f.write(f"[timeout count]    {self.timeout_count}  ({self.timeout_count/self.idx * 100}%)" + "\n")
148 |             f.write(f"[reset count]      {self.reset_count}" + "\n")
149 |             f.write(f"[origin count]     {self.cross_origin}" + "\n")
150 |             f.write("+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n")
151 | 
152 |     def load_queue(self):
153 |         files = os.listdir(self.queue_path)
154 | 
155 |         try:
156 |             items = random.choices(files, k=2)
157 |             self.src1 = items[0]
158 |             self.src2 = items[1]
159 | 
160 |         except:
161 |             self.src1 = None
162 |             self.src2 = None
163 | 
164 | 
165 |     def get_html_name(self, idx):
166 |         return f"fuzz-{self.fuzzer_idx}-{idx}"
167 | 
168 |     def to_server(self):
169 |         html_name = self.to_server_target(self.cur_input.main, "main")
170 |         self.to_server_target(self.cur_input.sub, "sub")
171 |         self.to_server_target(self.cur_input.iframe, "iframe")
172 |         return html_name
173 | 
174 |     def to_server_target(self, web_page, target):
175 |         if target == "main":
176 |             html_name = f"{self.get_html_name(self.idx)}.html"
177 |             dest = os.path.join(self.parent_path, html_name)
178 |         elif target == "sub":
179 |             html_name = f"{self.get_html_name(self.idx)}-sub.html"
180 |             dest = os.path.join(self.parent_path, html_name)
181 |         else:
182 |             html_name = f"{self.get_html_name(self.idx)}.html"
183 |             dest = os.path.join(self.child_path, html_name)
184 | 
185 |         code = web_page.to_string()
186 | 
187 |         with open(dest, "w") as f:
188 |             f.write(code)
189 | 
190 |         return html_name
191 | 
192 |     def remove_server(self, idx):
193 |         html_name = f"{self.get_html_name(self.idx)}.html"
194 |         dest = os.path.join(self.parent_path, html_name)
195 |         os.remove(dest)
196 | 
197 |         html_name = f"{self.get_html_name(self.idx)}-sub.html"
198 |         dest = os.path.join(self.parent_path, html_name)
199 |         os.remove(dest)
200 | 
201 |         html_name = f"{self.get_html_name(self.idx)}.html"
202 |         dest = os.path.join(self.child_path, html_name)
203 |         os.remove(dest)
204 | 
205 |     def run(self, count=0):
206 |         self.reset_signal = 0
207 |         testcase_name = self.testcase_name
208 | 
209 |         while True:
210 |             self.idx = self.idx + 1
211 |             if count > 0 and self.idx > count:
212 |                 return -1
213 | 
214 |             print(f"[+] run {testcase_name}")
215 |             
216 |             url = f"{self.base_url}/{testcase_name}"
217 | 
218 |             start = time.time()
219 | 
220 |             signal.alarm(self.timeout)
221 |             
222 |             self.execute_handler.run(url, idx=testcase_name)
223 |             signal.alarm(0)
224 | 
225 |             ret, reset, origin, origin_change, poc_idx = self.execute_handler.ret()
226 |             end = time.time()
227 |             exec_time = end - start
228 | 
229 |             print(f"[ret] {ret, reset, origin, origin_change, poc_idx}")
230 |             print(f"[+] elapsed time is {exec_time}")
231 | 
232 |             if reset == 2:
233 |                 self.reset()
234 | 
235 |             elif reset == 1:
236 |                 self.reset_signal += 1
237 |                 if self.reset_signal > 100:
238 |                     self.reset()
239 | 
240 |             self.exec_count += 1
241 |             self.total_exec_time += exec_time
242 | 
243 |             if origin > 1:
244 |                 self.cross_origin += 1
245 | 
246 |             if ret == 1:
247 |                 print(f"[+] crash")
248 |                 break
249 | 
250 |             if self.idx % 100 == 0:
251 |                 self.reset()
252 | 
253 |             if self.idx % 10 == 0:
254 |                 self.print_summary()
255 |         return self.idx
256 | 
257 |     def parse_seed_name(self, name):
258 |         splited = name.split(",")
259 |         idx = int(splited[0][3:])
260 |         tmp = splited[1][4:].split("+")
261 |         src = []
262 |         for item in tmp:
263 |             try:
264 |                 src.append(int(item))
265 |             except:
266 |                 src.append(None)
267 |         time = splited[2][5:]
268 |         reason = splited[3]
269 |         return (idx, src, time, reason)
270 | 
271 |     def make_seed_name(self, idx, src1, src2, time, reason):
272 |         return "id:{:05d},src:{:05d}+{:05d},time:{},{}".format(idx, src1, src2, time, reason)
273 | 
274 |     def save_crash(self):
275 |         html_name = f"{self.get_html_name(self.idx)}.html"
276 |         src = os.path.join(self.parent_path, html_name)
277 |         dest = os.path.join(self.crash_path, html_name)
278 |         shutil.copyfile(src, dest)
279 | 
280 |         html_name = f"{self.get_html_name(self.idx)}-sub.html"
281 |         src = os.path.join(self.parent_path, html_name)
282 |         dest = os.path.join(self.crash_path, html_name)
283 |         shutil.copyfile(src, dest)
284 | 
285 |         src = os.path.join(self.child_path, f"{self.get_html_name(self.idx)}.html")
286 |         dest = os.path.join(self.crash_path, f"{self.get_html_name(self.idx)}-child.html")
287 |         shutil.copyfile(src, dest)
288 | 
289 | 
290 |     def finalize(self):
291 |         print("[+] FUZZER finalize")
292 |         self.execute_handler.quit()
293 | 
294 | 
295 | def handler(signum, frame):
296 |     if signum == signal.SIGALRM:
297 |         print('[-] Signal handler called with signal', signum)
298 |         raise TestcaseTimeout("testcase timeout")
299 | 
300 |     else:
301 |         print('\n\n[-] Signal handler called with signal', signum)
302 |         print("[+] Fuzzer will be terminated")
303 |         if fuzzer:
304 |             fuzzer.finalize()
305 |         print("[+] Fuzzer terminated")
306 |         os._exit(1)
307 | 
308 | 
309 | def main():
310 |     global fuzzer
311 | 
312 |     target = sys.argv[1]
313 |     binary = sys.argv[2]
314 |     testcase_name = sys.argv[3]
315 |     idx = 999
316 | 
317 |     signal.signal(signal.SIGINT, handler)
318 |     signal.signal(signal.SIGALRM, handler)
319 | 
320 |     fuzzer = Fuzzer(target, binary, fuzzer_idx=idx)
321 |     fuzzer.initialize()
322 |     fuzzer.testcase_name = testcase_name
323 |     fuzzer.run(count=100)
324 | 
325 |     fuzzer.finalize()
326 | 
327 | 
328 | if __name__ == "__main__":
329 |     main()
330 | 


--------------------------------------------------------------------------------