1  // Copyright (c) 2020-present The Bitcoin Core developers
 2  // Distributed under the MIT software license, see the accompanying
 3  // file COPYING or http://www.opensource.org/licenses/mit-license.php.
 4  
 5  #include <httpserver.h>
 6  #include <netaddress.h>
 7  #include <test/fuzz/FuzzedDataProvider.h>
 8  #include <test/fuzz/fuzz.h>
 9  #include <test/fuzz/util.h>
10  #include <util/signalinterrupt.h>
11  #include <util/strencodings.h>
12  
13  #include <event2/buffer.h>
14  #include <event2/event.h>
15  #include <event2/http.h>
16  #include <event2/http_struct.h>
17  
18  #include <cassert>
19  #include <cstdint>
20  #include <string>
21  #include <vector>
22  
23  extern "C" int evhttp_parse_firstline_(struct evhttp_request*, struct evbuffer*);
24  extern "C" int evhttp_parse_headers_(struct evhttp_request*, struct evbuffer*);
25  
26  std::string RequestMethodString(HTTPRequest::RequestMethod m);
27  
28  FUZZ_TARGET(http_request)
29  {
30      FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
31      evhttp_request* evreq = evhttp_request_new(nullptr, nullptr);
32      assert(evreq != nullptr);
33      evreq->kind = EVHTTP_REQUEST;
34      evbuffer* evbuf = evbuffer_new();
35      assert(evbuf != nullptr);
36      const std::vector<uint8_t> http_buffer = ConsumeRandomLengthByteVector(fuzzed_data_provider, 4096);
37      evbuffer_add(evbuf, http_buffer.data(), http_buffer.size());
38      // Avoid constructing requests that will be interpreted by libevent as PROXY requests to avoid triggering
39      // a nullptr dereference. The dereference (req->evcon->http_server) takes place in evhttp_parse_request_line
40      // and is a consequence of our hacky but necessary use of the internal function evhttp_parse_firstline_ in
41      // this fuzzing harness. The workaround is not aesthetically pleasing, but it successfully avoids the troublesome
42      // code path. " http:// HTTP/1.1\n" was a crashing input prior to this workaround.
43      const std::string http_buffer_str = ToLower(std::string{http_buffer.begin(), http_buffer.end()});
44      if (http_buffer_str.find(" http://") != std::string::npos || http_buffer_str.find(" https://") != std::string::npos ||
45          evhttp_parse_firstline_(evreq, evbuf) != 1 || evhttp_parse_headers_(evreq, evbuf) != 1) {
46          evbuffer_free(evbuf);
47          evhttp_request_free(evreq);
48          return;
49      }
50  
51      util::SignalInterrupt interrupt;
52      HTTPRequest http_request{evreq, interrupt, true};
53      const HTTPRequest::RequestMethod request_method = http_request.GetRequestMethod();
54      (void)RequestMethodString(request_method);
55      (void)http_request.GetURI();
56      (void)http_request.GetHeader("Host");
57      const std::string header = fuzzed_data_provider.ConsumeRandomLengthString(16);
58      (void)http_request.GetHeader(header);
59      (void)http_request.WriteHeader(header, fuzzed_data_provider.ConsumeRandomLengthString(16));
60      (void)http_request.GetHeader(header);
61      const std::string body = http_request.ReadBody();
62      assert(body.empty());
63      const CService service = http_request.GetPeer();
64      assert(service.ToStringAddrPort() == "[::]:0");
65  
66      evbuffer_free(evbuf);
67      evhttp_request_free(evreq);
68  }