File: mojo_js_in_process_fuzzer.cc

package info (click to toggle)
chromium 138.0.7204.183-1
  • links: PTS, VCS
  • area: main
  • in suites: trixie
  • size: 6,071,908 kB
  • sloc: cpp: 34,937,088; ansic: 7,176,967; javascript: 4,110,704; python: 1,419,953; asm: 946,768; xml: 739,971; pascal: 187,324; sh: 89,623; perl: 88,663; objc: 79,944; sql: 50,304; cs: 41,786; fortran: 24,137; makefile: 21,806; php: 13,980; tcl: 13,166; yacc: 8,925; ruby: 7,485; awk: 3,720; lisp: 3,096; lex: 1,327; ada: 727; jsp: 228; sed: 36
file content (111 lines) | stat: -rw-r--r-- 4,592 bytes parent folder | download | duplicates (4) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
 
// Copyright 2025 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include <string_view>

#include "base/files/file_util.h"
#include "base/path_service.h"
#include "chrome/browser/ui/browser.h"
#include "chrome/test/base/ui_test_utils.h"
#include "chrome/test/fuzzing/in_process_proto_fuzzer.h"
#include "chrome/test/fuzzing/mojo_js_fuzzing/mojo_js_fuzzer_grammar.h"
#include "chrome/test/fuzzing/mojo_js_fuzzing/mojo_js_fuzzer_grammar.pb.h"
#include "components/content_settings/core/browser/content_settings_registry.h"
#include "components/content_settings/core/common/content_settings.h"
#include "components/content_settings/core/common/content_settings_types.h"
#include "components/permissions/permission_request_manager.h"
#include "components/permissions/permissions_client.h"
#include "content/public/test/browser_test_utils.h"

struct Environment {
  Environment() {}
  const bool kDumpNativeInput = getenv("LPM_DUMP_NATIVE_INPUT");
};

constexpr std::optional<base::TimeDelta> kJsExecutionTimeout = base::Seconds(5);
constexpr RunLoopTimeoutBehavior kJsRunLoopTimeoutBehavior =
    RunLoopTimeoutBehavior::kContinue;

// This fuzzer uses DomatoLPM to generate JS based on an existing Domato
// rule.
class MojoJSInProcessFuzzer
    : public InProcessBinaryProtoFuzzer<
          domatolpm::generated::mojo_js_fuzzer_grammar::fuzzcase> {
 public:
  using FuzzCase = domatolpm::generated::mojo_js_fuzzer_grammar::fuzzcase;
  MojoJSInProcessFuzzer();
  void SetUpOnMainThread() override;

  int Fuzz(const FuzzCase& fuzz_case) override;
  base::CommandLine::StringVector GetChromiumCommandLineArguments() override {
    return {FILE_PATH_LITERAL("--enable-blink-features=MojoJS"),
            FILE_PATH_LITERAL("--enable-blink-test-features"),
            FILE_PATH_LITERAL("--enable-experimental-web-platform-features"),
            FILE_PATH_LITERAL("--disable-kill-after-bad-ipc")};
  }
};

REGISTER_BINARY_PROTO_IN_PROCESS_FUZZER(MojoJSInProcessFuzzer)

void MojoJSInProcessFuzzer::SetUpOnMainThread() {
  InProcessFuzzer::SetUpOnMainThread();
  base::FilePath exe_path;
  CHECK(base::PathService::Get(base::DIR_EXE, &exe_path));
  embedded_https_test_server().ServeFilesFromDirectory(exe_path);
  embedded_test_server()->SetSSLConfig(net::EmbeddedTestServer::CERT_OK);
  CHECK(embedded_https_test_server().Start());

  // This html page includes the necessary scripts for the mojo js bindings.
  // Navigate to this page and execute the fuzzer generated JS in this context.
  CHECK(ui_test_utils::NavigateToURL(
      browser(),
      embedded_https_test_server().GetURL("/mojo_js_in_process_fuzzer.html")));

  auto* web_contents = browser()->tab_strip_model()->GetActiveWebContents();
  permissions::PermissionRequestManager::FromWebContents(web_contents)
      ->set_auto_response_for_test(
          permissions::PermissionRequestManager::ACCEPT_ALL);

  auto* host_content_setting_map =
      permissions::PermissionsClient::Get()->GetSettingsMap(
          web_contents->GetBrowserContext());

  auto* content_setting_registry =
      content_settings::ContentSettingsRegistry::GetInstance();
  for (int i = static_cast<int>(ContentSettingsType::kMinValue);
       i < static_cast<int>(ContentSettingsType::kMaxValue); i++) {
    auto content_setting_type = static_cast<ContentSettingsType>(i);
    auto* content_setting_info =
        content_setting_registry->Get(content_setting_type);
    if (content_setting_info && content_setting_info->IsDefaultSettingValid(
                                    ContentSetting::CONTENT_SETTING_ALLOW)) {
      host_content_setting_map->SetDefaultContentSetting(
          content_setting_type, ContentSetting::CONTENT_SETTING_ALLOW);
    }
  }
}

MojoJSInProcessFuzzer::MojoJSInProcessFuzzer()
    : InProcessBinaryProtoFuzzer(InProcessFuzzerOptions{
          .run_loop_timeout_behavior = kJsRunLoopTimeoutBehavior,
          .run_loop_timeout = kJsExecutionTimeout,
      }) {}

int MojoJSInProcessFuzzer::Fuzz(const FuzzCase& fuzz_case) {
  static Environment env;
  domatolpm::Context ctx;
  CHECK(domatolpm::mojo_js_fuzzer_grammar::handle_fuzzer(&ctx, fuzz_case));
  std::string_view js_str(ctx.GetBuilder()->view());
  if (env.kDumpNativeInput) {
    LOG(INFO) << "native_input: " << js_str;
  }
  content::WebContents* contents =
      browser()->tab_strip_model()->GetActiveWebContents();
  content::RenderFrameHost* rfh = contents->GetPrimaryMainFrame();
  auto res = content::ExecJs(rfh, js_str);
  if (!res) {
    return -1;
  }
  return 0;
}