feat: Fuzz Testing PythonParser (#3737)

joydeep049 · web-flow · commit 774bb4d9a858 · 2024-02-06T14:17:50.000-08:00
Signed-off-by: Joydeep Tripathy &lt;bntripathy123@gmail.com&gt;
diff --git a/fuzz/fuzz_pkg_info.py b/fuzz/fuzz_pkg_info.py
@@ -0,0 +1,74 @@
+# Copyright (C) 2023 Intel Corporation
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+import sys
+import tempfile
+from pathlib import Path
+
+import atheris
+import atheris_libprotobuf_mutator
+from google.protobuf.json_format import MessageToDict
+
+import fuzz.generated.pkg_info_pb2 as pkg_info_pb2
+from cve_bin_tool.cvedb import CVEDB
+from cve_bin_tool.log import LOGGER
+
+with atheris.instrument_imports():
+    from cve_bin_tool.parsers.python import PythonParser
+
+cve_db = CVEDB()
+logger = LOGGER.getChild("Fuzz")
+
+
+def PkgInfoBuilder(data):
+    """Convert the Protobuf message to a dictionary"""
+    json_data = MessageToDict(
+        data, preserving_proto_field_name=True, including_default_value_fields=True
+    )
+
+    with open(file_path, "w") as f:
+        # Writing each field of PKG-INFO
+        f.write(f"Metadata-Version: {json_data.get('metadata_version', '2.1')}\n")
+        f.write(f"Name: {json_data.get('name', '')}\n")
+        f.write(f"Version: {json_data.get('version', '')}\n")
+        f.write(f"Summary: {json_data.get('summary', '')}\n")
+        f.write(f"Home-page: {json_data.get('home_page', '')}\n")
+        f.write(f"Author: {json_data.get('author', '')}\n")
+        f.write(f"Author-email: {json_data.get('author_email', '')}\n")
+        f.write(f"License: {json_data.get('license', '')}\n")
+
+        # Writing keywords
+        if "keywords" in json_data:
+            f.write(f"Keywords: {', '.join(json_data['keywords'])}\n")
+
+        # Writing classifiers
+        for classifier in json_data.get("classifiers", []):
+            f.write(f"Classifier: {classifier}\n")
+
+        f.write(f"Requires-Python: {json_data.get('requires_python', '')}\n")
+        f.write(f"License-File: {json_data.get('license_file', '')}\n")
+
+        # Writing requires-dist
+        for req_dist in json_data.get("requires_dist", []):
+            f.write(f"Requires-Dist: {req_dist}\n")
+
+        # Writing provides-extra
+        for provides in json_data.get("provides_extra", []):
+            f.write(f"Provides-Extra: {provides}\n")
+
+
+def TestParseData(data):
+    try:
+        PkgInfoBuilder(data)
+
+        python_parser = PythonParser(cve_db, logger)
+        python_parser.run_checker(file_path)
+
+    except SystemExit:
+        return
+
+
+file_path = str(Path(tempfile.mkdtemp(prefix="cve-bin-tool-")) / "PKG.INFO")
+
+atheris_libprotobuf_mutator.Setup(sys.argv, TestParseData, proto=pkg_info_pb2.PkgInfo)
+atheris.Fuzz()
diff --git a/fuzz/generated/pkg_info_pb2.py b/fuzz/generated/pkg_info_pb2.py
diff --git a/fuzz/proto_files/pkg_info.proto b/fuzz/proto_files/pkg_info.proto
@@ -0,0 +1,22 @@
+// Copyright(C) 2023 Intel Corporation
+// SPDX-License-Identifier: GPL-3.0-or -later
+
+syntax = "proto3";
+
+// Represents the PKG-INFO file structure for a Python package
+message PkgInfo {
+    string metadata_version = 1;
+    string name = 2;
+    string version = 3;
+    string summary = 4;
+    string home_page = 5;
+    string author = 6;
+    string author_email = 7;
+    string license = 8;
+    repeated string keywords = 9;
+    repeated string classifiers = 10;
+    string requires_python = 11;
+    string license_file = 12;
+    repeated string requires_dist = 13;
+    repeated string provides_extra = 14;
+}
