src/tests/org/owasp/html/HtmlSanitizerFuzzerTest.java - platform/external/owasp/sanitizer - Git at Google

 // Copyright (c) 2011, Mike Samuel
 // All rights reserved.
 //
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions
 // are met:
 //
 // Redistributions of source code must retain the above copyright
 // notice, this list of conditions and the following disclaimer.
 // Redistributions in binary form must reproduce the above copyright
 // notice, this list of conditions and the following disclaimer in the
 // documentation and/or other materials provided with the distribution.
 // Neither the name of the OWASP nor the names of its contributors may
 // be used to endorse or promote products derived from this software
 // without specific prior written permission.
 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 // INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 // BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 // LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 // LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 // ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 // POSSIBILITY OF SUCH DAMAGE.

 package org.owasp.html;

 import java.util.List;
 import java.util.concurrent.LinkedBlockingQueue;
 import java.util.concurrent.ThreadPoolExecutor;
 import java.util.concurrent.TimeUnit;

 import com.google.common.base.Charsets;
 import com.google.common.base.Throwables;
 import com.google.common.io.Resources;

 /**
  * Throws malformed inputs at the HTML sanitizer to try and crash it.
  * This test is stochastic -- not guaranteed to pass or fail consistently.
  * If you see a failure, please report it along with the seed from the output.
  * If you want to repeat a failure, set the system property "junit.seed".
  *
  * @author Mike Samuel <mikesamuel@gmail.com>
  */
 public class HtmlSanitizerFuzzerTest extends FuzzyTestCase {

   private static final HtmlSanitizer.Policy DO_NOTHING_POLICY
       = new HtmlSanitizer.Policy() {
         public void openDocument() { /* do nothing */ }
         public void closeDocument() { /* do nothing */ }
         public void openTag(String elementName, List<String> attrs) {
           /* do nothing */
         }
         public void closeTag(String elementName) { /* do nothing */ }
         public void text(String textChunk) { /* do nothing */ }
       };

   public final void testFuzzHtmlParser() throws Exception {
     String html = Resources.toString(
         Resources.getResource("Yahoo!.html"), Charsets.UTF_8);
     int length = html.length();

     char[] fuzzyHtml0 = new char[length];
     char[] fuzzyHtml1 = new char[length];

     final LinkedBlockingQueue<Throwable> failures
         = new LinkedBlockingQueue<Throwable>();

     final int runCount = 1000;
     // Use an executor so that any infinite loops do not cause the test runner
     // to fail.
     ThreadPoolExecutor executor = new ThreadPoolExecutor(
         10, 10, 10, TimeUnit.SECONDS, new LinkedBlockingQueue<Runnable>());

     for (int run = runCount; --run >= 0;) {
       for (int i = length; --i >= 0;) { fuzzyHtml0[i] = html.charAt(i); }
       for (int fuzz = 1 + rnd.nextInt(25); --fuzz >= 0;) {
         if (rnd.nextBoolean()) {
           fuzzyHtml0[rnd.nextInt(length)] = (char) rnd.nextInt(0x10000);
           continue;
         }
         int s0 = rnd.nextInt(length - 1);
         double d = Math.abs(rnd.nextGaussian()) / 3.0d;
         int e0 = s0 + (int) (rnd.nextInt(length - s0) * d);
         if (e0 >= length) { e0 = s0 + 1; }

         int s1 = rnd.nextInt(length - 1);
         d = Math.abs(rnd.nextGaussian()) / 3.0d;
         int e1 = s1 + (int) (rnd.nextInt(length - s1) * d);
         if (e1 >= length) { e1 = s1 + 1; }

         if (s0 > s1) {
           int st = s0, et = e0;
           s0 = s1;
           e0 = e1;
           s1 = st;
           e1 = et;
         }

         if (e0 > s1) { e0 = s1; }

         // Swap the ranges [s0, e0) and [s1, e1) into fuzzyHtml1.
         int i0, i1 = 0;
         for (i0 = 0; i0 < s0; ++i0, ++i1) {
           fuzzyHtml1[i1] = fuzzyHtml0[i0];
         }
         for (i0 = s1; i0 < e1; ++i0, ++i1) {
           fuzzyHtml1[i1] = fuzzyHtml0[i0];
         }
         for (i0 = e0; i0 < s1; ++i0, ++i1) {
           fuzzyHtml1[i1] = fuzzyHtml0[i0];
         }
         for (i0 = s0; i0 < e0; ++i0, ++i1) {
           fuzzyHtml1[i1] = fuzzyHtml0[i0];
         }
         for (i0 = e1; i0 < length; ++i0, ++i1) {
           fuzzyHtml1[i1] = fuzzyHtml0[i0];
         }
         // Swap the two buffers.
         char[] swap = fuzzyHtml0;
         fuzzyHtml0 = fuzzyHtml1;
         fuzzyHtml1 = swap;
       }
       final String fuzzyHtml = new String(fuzzyHtml0);
       executor.execute(new Runnable() {
         public void run() {
           try {
             HtmlSanitizer.sanitize(fuzzyHtml, DO_NOTHING_POLICY);
           } catch (Exception ex) {
             System.err.println(
                 "Using seed " + seed + "L\n"
                 + "Failed on <<<" + fuzzyHtml + ">>>");
             failures.add(ex);
           }
         }
       });
     }
     executor.shutdown();
     executor.awaitTermination(runCount * 4, TimeUnit.SECONDS);
     assertTrue("seed=" + seed, executor.isTerminated());
     Throwable failure = failures.poll();
     if (failure != null) {
       Throwables.propagate(failure);
     }
   }

 }
	// Copyright (c) 2011, Mike Samuel
	// All rights reserved.
	//
	// Redistribution and use in source and binary forms, with or without
	// modification, are permitted provided that the following conditions
	// are met:
	//
	// Redistributions of source code must retain the above copyright
	// notice, this list of conditions and the following disclaimer.
	// Redistributions in binary form must reproduce the above copyright
	// notice, this list of conditions and the following disclaimer in the
	// documentation and/or other materials provided with the distribution.
	// Neither the name of the OWASP nor the names of its contributors may
	// be used to endorse or promote products derived from this software
	// without specific prior written permission.
	// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
	// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
	// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
	// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
	// INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
	// BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	// LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
	// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	// LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
	// ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	// POSSIBILITY OF SUCH DAMAGE.

	package org.owasp.html;

	import java.util.List;
	import java.util.concurrent.LinkedBlockingQueue;
	import java.util.concurrent.ThreadPoolExecutor;
	import java.util.concurrent.TimeUnit;

	import com.google.common.base.Charsets;
	import com.google.common.base.Throwables;
	import com.google.common.io.Resources;

	/**
	* Throws malformed inputs at the HTML sanitizer to try and crash it.
	* This test is stochastic -- not guaranteed to pass or fail consistently.
	* If you see a failure, please report it along with the seed from the output.
	* If you want to repeat a failure, set the system property "junit.seed".
	*
	* @author Mike Samuel <mikesamuel@gmail.com>
	*/
	public class HtmlSanitizerFuzzerTest extends FuzzyTestCase {

	private static final HtmlSanitizer.Policy DO_NOTHING_POLICY
	= new HtmlSanitizer.Policy() {
	public void openDocument() { /* do nothing */ }
	public void closeDocument() { /* do nothing */ }
	public void openTag(String elementName, List<String> attrs) {
	/* do nothing */
	}
	public void closeTag(String elementName) { /* do nothing */ }
	public void text(String textChunk) { /* do nothing */ }
	};

	public final void testFuzzHtmlParser() throws Exception {
	String html = Resources.toString(
	Resources.getResource("Yahoo!.html"), Charsets.UTF_8);
	int length = html.length();

	char[] fuzzyHtml0 = new char[length];
	char[] fuzzyHtml1 = new char[length];

	final LinkedBlockingQueue<Throwable> failures
	= new LinkedBlockingQueue<Throwable>();

	final int runCount = 1000;
	// Use an executor so that any infinite loops do not cause the test runner
	// to fail.
	ThreadPoolExecutor executor = new ThreadPoolExecutor(
	10, 10, 10, TimeUnit.SECONDS, new LinkedBlockingQueue<Runnable>());

	for (int run = runCount; --run >= 0;) {
	for (int i = length; --i >= 0;) { fuzzyHtml0[i] = html.charAt(i); }
	for (int fuzz = 1 + rnd.nextInt(25); --fuzz >= 0;) {
	if (rnd.nextBoolean()) {
	fuzzyHtml0[rnd.nextInt(length)] = (char) rnd.nextInt(0x10000);
	continue;
	}
	int s0 = rnd.nextInt(length - 1);
	double d = Math.abs(rnd.nextGaussian()) / 3.0d;
	int e0 = s0 + (int) (rnd.nextInt(length - s0) * d);
	if (e0 >= length) { e0 = s0 + 1; }

	int s1 = rnd.nextInt(length - 1);
	d = Math.abs(rnd.nextGaussian()) / 3.0d;
	int e1 = s1 + (int) (rnd.nextInt(length - s1) * d);
	if (e1 >= length) { e1 = s1 + 1; }

	if (s0 > s1) {
	int st = s0, et = e0;
	s0 = s1;
	e0 = e1;
	s1 = st;
	e1 = et;
	}

	if (e0 > s1) { e0 = s1; }

	// Swap the ranges [s0, e0) and [s1, e1) into fuzzyHtml1.
	int i0, i1 = 0;
	for (i0 = 0; i0 < s0; ++i0, ++i1) {
	fuzzyHtml1[i1] = fuzzyHtml0[i0];
	}
	for (i0 = s1; i0 < e1; ++i0, ++i1) {
	fuzzyHtml1[i1] = fuzzyHtml0[i0];
	}
	for (i0 = e0; i0 < s1; ++i0, ++i1) {
	fuzzyHtml1[i1] = fuzzyHtml0[i0];
	}
	for (i0 = s0; i0 < e0; ++i0, ++i1) {
	fuzzyHtml1[i1] = fuzzyHtml0[i0];
	}
	for (i0 = e1; i0 < length; ++i0, ++i1) {
	fuzzyHtml1[i1] = fuzzyHtml0[i0];
	}
	// Swap the two buffers.
	char[] swap = fuzzyHtml0;
	fuzzyHtml0 = fuzzyHtml1;
	fuzzyHtml1 = swap;
	}
	final String fuzzyHtml = new String(fuzzyHtml0);
	executor.execute(new Runnable() {
	public void run() {
	try {
	HtmlSanitizer.sanitize(fuzzyHtml, DO_NOTHING_POLICY);
	} catch (Exception ex) {
	System.err.println(
	"Using seed " + seed + "L\n"
	+ "Failed on <<<" + fuzzyHtml + ">>>");
	failures.add(ex);
	}
	}
	});
	}
	executor.shutdown();
	executor.awaitTermination(runCount * 4, TimeUnit.SECONDS);
	assertTrue("seed=" + seed, executor.isTerminated());
	Throwable failure = failures.poll();
	if (failure != null) {
	Throwables.propagate(failure);
	}
	}

	}