Fixed xpath crashes discovered by fuzzing

Added fuzz code for xpath Test: added negative xpath tests
2022-11-04 16:12:22 +01:00 · 2022-11-04 16:12:22 +01:00 · 779fcf5458
commit 779fcf5458
parent 05cdbf5c4f
16 changed files with 197 additions and 29 deletions
--- a/test/config.sh.in
+++ b/test/config.sh.in
@ -76,6 +76,7 @@ CLIXON_AUTOCLI_REV="2022-02-11"
 CLIXON_LIB_REV="2021-12-05"
 CLIXON_CONFIG_REV="2022-03-21"
 CLIXON_RESTCONF_REV="2022-08-01"
+CLIXON_EXAMPLE_REV="2022-11-01"

 # Length of TSL RSA key
 # Problem with small key such as 1024 not allowed in centos8 for example (why is this)
--- a/test/fuzz/xpath/README.md
+++ b/test/fuzz/xpath/README.md
@ -0,0 +1,31 @@
+# Clixon xpath fuzzing
+
+This dir contains code for fuzzing clixon xpaths. 
+
+## Prereqs
+
+Install AFL, see [..](..)
+
+## Build
+
+Build clixon clixon_util_xpath statically with the afl-clang compiler:
+
+```
+  CC=/usr/bin/afl-clang-fast LINKAGE=static INSTALLFLAGS="" ./configure
+  make clean
+  cd lib
+  make
+  sudo make install
+  cd ../util
+  make clixon_util_xpath
+  sudo install clixon_util_xpath /usr/local/bin/ # some utils have complex dependencies
+```
+
+## Run tests
+
+Run the script `runfuzz.sh` to run one test with a yang spec and an input string, eg:
+```
+  ./runfuzz.sh
+```
+
+After (or during) the test, investigate results in the output dir.
--- a/test/fuzz/xpath/input/1.xpath
+++ b/test/fuzz/xpath/input/1.xpath
@ -0,0 +1 @@
+/ex:table[ex:parameter='x']
--- a/test/fuzz/xpath/runfuzz.sh
+++ b/test/fuzz/xpath/runfuzz.sh
@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+# Run a fuzzing test using american fuzzy lop
+set -eux
+
+if [ $# -ne 0 ]; then 
+    echo "usage: $0\n"
+    exit 255
+fi
+
+APPNAME=example
+xml=example.xml
+
+
+cat <<EOF > $xml
+<table xmlns="urn:example:clixon">
+   <parameter>
+      <name>x</name>
+      <value>42</value>
+   </parameter>
+</table>
+EOF
+
+MEGS=500 # memory limit for child process (50 MB)
+
+# remove input and input dirs
+#test ! -d input || rm -rf input
+test ! -d output || rm -rf output
+
+# create if dirs dont exists
+#test -d input || mkdir input
+test -d output || mkdir output
+
+# Run script 
+afl-fuzz -i input -o output -m $MEGS -- clixon_util_xpath -f $xml -n ex:urn:example:clixon -y /usr/local/share/clixon/clixon-example@2022-11-01.yang  -Y /usr/local/share/clixon
--- a/test/test_autocli_extension.sh
+++ b/test/test_autocli_extension.sh
@ -133,10 +133,6 @@ EOF
    new "check datastore using netconf"
    expecteof_netconf "$clixon_netconf -qf $cfg" 0 "$DEFAULTHELLO" "<rpc $DEFAULTNS><get-config><source><candidate/></source><filter type=\"xpath\" select=\"/ex:table/ex:parameter[ex:name='x']\" xmlns:ex=\"urn:example:clixon\" /></get-config></rpc>" "" "<rpc-reply $DEFAULTNS><data>$XML</data></rpc-reply>"

-    # Test not right context but could not find other test where it fits
-    new "negative test"
-    expecteof_netconf "$clixon_netconf -qf $cfg" 0 "$DEFAULTHELLO" "<rpc $DEFAULTNS><get-config><source><candidate/></source><filter type=\"xpath\" select=\"/ex:table[ex:parameter='x']\" xmlns:ex=\"urn:example:clixon\" /></get-config></rpc>" "" "<rpc-reply $DEFAULTNS><data/></rpc-reply>"
-
    new "check datastore direct access"
    expectpart "$($clixon_util_datastore -d candidate -b $dir -y $fyang -Y ${YANG_INSTALLDIR} -Y $dir get /)" 0 "$XML"

--- a/test/test_netconf.sh
+++ b/test/test_netconf.sh
@ -431,9 +431,17 @@ expecteof_netconf "$clixon_netconf -qf $cfg" 0 "$DEFAULTHELLO" "<rpc $DEFAULTNS>
 new "netconf xpath syntax error (api-path not xpath) should fail"
 expecteof_netconf "$clixon_netconf -qf $cfg" 0 "$DEFAULTHELLO" "<rpc $DEFAULTNS><get-config><source><candidate/></source><filter type=\"xpath\" select=\"/if:interfaces/interface=eth2f0,foo/fii\" xmlns:if=\"urn:ietf:params:xml:ns:yang:ietf-interfaces\"/></get-config></rpc>" "" "<rpc-reply $DEFAULTNS><rpc-error><error-type>application</error-type><error-tag>operation-failed</error-tag><error-severity>error</error-severity><error-message>xpath parser on line 1: syntax error at or before: ','</error-message></rpc-error></rpc-reply>"

-new "netconf wrong xpath should fail"
+new "netconf xpath syntax error"
+rpc="<rpc $DEFAULTNS><get-config><source><candidate/></source><filter type=\"xpath\" select=\"/if:interfaces=ex*paramet='x']\" xmlns:if=\"urn:ietf:params:xml:ns:yang:ietf-interfaces\"/></get-config></rpc>"
+expecteof_netconf "$clixon_netconf -qf $cfg" 0 "$DEFAULTHELLO" "$rpc" "" "<rpc-reply $DEFAULTNS><rpc-error><error-type>application</error-type><error-tag>operation-failed</error-tag><error-severity>error</error-severity><error-message>xpath parser on line 1: syntax error at or before: ']'</error-message></rpc-error></rpc-reply>"
+
+new "netconf not found xpath should fail"
 expecteof_netconf "$clixon_netconf -qf $cfg" 0 "$DEFAULTHELLO" "<rpc $DEFAULTNS><get-config><source><candidate/></source><filter type=\"xpath\" select=\"/if:interfaces/interface=eth2f0/fii\" xmlns:if=\"urn:ietf:params:xml:ns:yang:ietf-interfaces\"/></get-config></rpc>" "" "<rpc-reply $DEFAULTNS><data/></rpc-reply>"

+new "netconf xpath mixed types"
+rpc="<rpc $DEFAULTNS><get-config><source><candidate/></source><filter type=\"xpath\" select=\"/if:interfaces[ex*p>@er='x']\" xmlns:if=\"urn:ietf:params:xml:ns:yang:ietf-interfaces\"/></get-config></rpc>"
+expecteof_netconf "$clixon_netconf -qf $cfg" 0 "$DEFAULTHELLO" "$rpc" "" "<rpc-reply $DEFAULTNS><rpc-error><error-type>application</error-type><error-tag>operation-failed</error-tag><error-severity>error</error-severity><error-message>Get candidate datastore: Mixed types not supported, 1 3</error-message></rpc-error></rpc-reply>"
+
 if [ $BE -ne 0 ]; then
    new "Kill backend"
    # Check if premature kill
--- a/test/test_xpath.sh
+++ b/test/test_xpath.sh
@ -120,7 +120,6 @@ cat <<EOF > $xmlfn
 </root>
 EOF

-
 new "xpath not(aaa)"
 expectpart "$($clixon_util_xpath -D $DBG -f $xml -p "not(aaa)")" 0 "bool:false"

@ -170,6 +169,9 @@ expectpart "$($clixon_util_xpath -D $DBG -f $xml -p //bbb[0])" 0 "^nodeset:0:<bb
 new "xpath //bbb[ccc=99]"
 expectpart "$($clixon_util_xpath -D $DBG -f $xml -p //bbb[ccc=99])" 0 "^nodeset:0:<bbb x=\"bye\"><ccc>99</ccc></bbb>$"

+new "Negative: xpath [x=] on a variable that has no body"
+expectpart "$($clixon_util_xpath -D $DBG -f $xml -p "/aaa[bbb='a']")" 0 "nodeset:"
+
 new "xpath ../connection-type = 'responder-only'"
 expectpart "$($clixon_util_xpath -D $DBG -f $xml2 -p "../connection-type='responder-only'" -i /aaa/bbb/here)" 0 "^bool:true$"

@ -323,6 +325,72 @@ expectpart "$($clixon_util_xpath -D $DBG -f $xmlfn -p "root/count/node[99=ancest
 new "xpath functions as ncname: functioname:count"
 expectpart "$($clixon_util_xpath -D $DBG -f $xmlfn -p "root/node/ancestor[73=count]")" 0 "<ancestor><count>73</count></ancestor>"

+# Negative tests from fuzz crashes
+cat <<EOF > $dir/1.xml
+<table xmlns="urn:example:clixon">
+   <parameter>
+      <name>x</name>
+      <value>42</value>
+   </parameter>
+</table>
+EOF
+
+cat <<EOF > $dir/1.xpath
+/ex:table=ex*paramet
+EOF
+
+new "negative xpath 1"
+expectpart "$($clixon_util_xpath -D $DBG -f $dir/1.xml -n ex:urn:example:clixon -y /usr/local/share/clixon/clixon-example@${CLIXON_EXAMPLE_REV}.yang  -Y /usr/local/share/clixon < $dir/1.xpath)" 0 "bool:false"
+
+cat <<EOF > $dir/1.xpath
+ter='x'/ex:table[exmeter='x']
+EOF
+
+new "negative xpath 2"
+expectpart "$($clixon_util_xpath -D $DBG -f $dir/1.xml -n ex:urn:example:clixon -y /usr/local/share/clixon/clixon-example@${CLIXON_EXAMPLE_REV}.yang  -Y /usr/local/share/clixon < $dir/1.xpath)" 0 "bool:false"
+
+cat <<EOF > $dir/1.xpath
+/ex:table<ex*ptramble
+EOF
+
+new "negative xpath 3"
+expectpart "$($clixon_util_xpath -D $DBG -f $dir/1.xml -n ex:urn:example:clixon -y /usr/local/share/clixon/clixon-example@${CLIXON_EXAMPLE_REV}.yang  -Y /usr/local/share/clixon < $dir/1.xpath)" 0 "bool:false"
+
+cat <<EOF > $dir/1.xpath
+7/ex:table['x']
+EOF
+
+new "negative xpath 4"
+expectpart "$($clixon_util_xpath -D $DBG -f $dir/1.xml -n ex:urn:example:clixon -y /usr/local/share/clixon/clixon-example@${CLIXON_EXAMPLE_REV}.yang  -Y /usr/local/share/clixon < $dir/1.xpath)" 0 "number:7"
+
+cat <<EOF > $dir/1.xpath
+/>meter*//ter
+EOF
+
+new "negative xpath 5"
+expectpart "$($clixon_util_xpath -D $DBG -f $dir/1.xml -n ex:urn:example:clixon -y /usr/local/share/clixon/clixon-example@${CLIXON_EXAMPLE_REV}.yang  -Y /usr/local/share/clixon < $dir/1.xpath)" 0 "bool:false"
+
+cat <<EOF > $dir/1.xpath
+7=/ ter
+EOF
+
+new "negative xpath 6"
+expectpart "$($clixon_util_xpath -D $DBG -f $dir/1.xml -n ex:urn:example:clixon -y /usr/local/share/clixon/clixon-example@${CLIXON_EXAMPLE_REV}.yang  -Y /usr/local/share/clixon < $dir/1.xpath)" 0 "bool:false"
+
+cat <<EOF > $dir/1.xpath
+/=7 ter
+EOF
+
+new "negative xpath 7"
+#expectpart "$($clixon_util_xpath -D $DBG -f $dir/1.xml -n ex:urn:example:clixon -y /usr/local/share/clixon/clixon-example@${CLIXON_EXAMPLE_REV}.yang  -Y /usr/local/share/clixon < $dir/1.xpath)" 0 "bool:false"
+
+cat <<EOF > $dir/1.xpath
+*<-9****
+EOF
+
+new "negative xpath 8"
+expectpart "$($clixon_util_xpath -D $DBG -f $dir/1.xml -n ex:urn:example:clixon -y /usr/local/share/clixon/clixon-example@${CLIXON_EXAMPLE_REV}.yang  -Y /usr/local/share/clixon < $dir/1.xpath)" 0 "bool:false"
+
 rm -rf $dir

 # unset conditional parameters