Microsoft Authentication Libary python: initial integration (#7754)

* Microsoft Authentication Libary python: initial integration add initial fuzzer * Fix and add new fuzzer - Fix basic connection fuzzer - Add new fuzzer with dummy token reponse * MSAL: Fix fuzzer Fix typo Fix error handling * Fix project setting
author: Arthur Chan <arthur.chan@adalogics.com> 2022-07-06 02:02:07 +0100
committer: GitHub <noreply@github.com> 2022-07-06 11:02:07 +1000
commit: d2cf83cffe1ed83ef71ad9e6a2e03603d062365b (patch)
tree: 73ade7737a75b7ed8fec71bca762c8e98da98e3c
parent: 9665b2e1b8d73ce887603991fd7dc8a9c0cd50ac (diff)
5 files changed, 209 insertions, 0 deletions
diff --git a/projects/msal/Dockerfile b/projects/msal/Dockerfile
new file mode 100644
index 00000000..ce6d5a64
--- /dev/null
+++ b/projects/msal/Dockerfile
@@ -0,0 +1,22 @@
+# Copyright 2022 Google LLC.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+FROM gcr.io/oss-fuzz-base/base-builder-python
+RUN pip3 install --upgrade pip
+RUN git clone https://github.com/AzureAD/microsoft-authentication-library-for-python msal
+WORKDIR msal
+
+#COPY build.sh task_fuzz.py parse_fuzz.py $SRC/
+COPY build.sh fuzz_*.py $SRC/
diff --git a/projects/msal/build.sh b/projects/msal/build.sh
new file mode 100644
index 00000000..a6263709
--- /dev/null
+++ b/projects/msal/build.sh
@@ -0,0 +1,26 @@
+#!/bin/bash -eu
+# Copyright 2022 Google LLC.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+# Build and install project (using current CFLAGS, CXXFLAGS).
+pip3 install --upgrade pip
+pip3 install -r ./requirements.txt
+pip3 install .
+
+# Build fuzzers in $OUT.
+cd $SRC
+for fuzzer in $(find $SRC -name 'fuzz_*.py'); do
+  compile_python_fuzzer $fuzzer
+done
diff --git a/projects/msal/fuzz_auth.py b/projects/msal/fuzz_auth.py
new file mode 100644
index 00000000..300afa90
--- /dev/null
+++ b/projects/msal/fuzz_auth.py
@@ -0,0 +1,59 @@
+#!/usr/bin/python3
+
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import atheris
+import sys
+with atheris.instrument_imports():
+    from msal import PublicClientApplication
+    from msal.application import extract_certs
+    from msal.authority import AuthorityBuilder
+
+def is_expected(error_list,error_msg):
+    for error in error_list:
+        if error in error_msg:
+            return True
+    return False
+
+def TestInput(input_bytes):
+    if len(input_bytes)<32:
+        return 
+
+    fdp = atheris.FuzzedDataProvider(input_bytes)
+
+    authority = AuthorityBuilder(fdp.ConsumeString(50),fdp.ConsumeString(50))
+
+    try:
+        app = PublicClientApplication(client_id=fdp.ConsumeString(32),authority=authority)
+        app.get_accounts()
+    except (ValueError,KeyError) as e:
+        error_list = [
+            "tenant_discovery_endpoint",
+            "Invalid IPv6 URL",
+            "should consist of an https url with a minimum of one segment in a path",
+            "netloc"
+        ]
+        if not is_expected(error_list,str(e)):
+            raise e
+
+    cert = "-----BEGIN CERTIFICATE-----%s-----END CERTIFICATE-----"%fdp.ConsumeString(200)
+    extract_certs(cert)
+
+def main():
+    atheris.Setup(sys.argv, TestInput, enable_python_coverage=True)
+    atheris.instrument_all()
+    atheris.Fuzz()
+
+if __name__ == "__main__":
+    main()
diff --git a/projects/msal/fuzz_tokencache.py b/projects/msal/fuzz_tokencache.py
new file mode 100644
index 00000000..8c4d63ae
--- /dev/null
+++ b/projects/msal/fuzz_tokencache.py
@@ -0,0 +1,90 @@
+#!/usr/bin/python3
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import base64
+import atheris
+import sys
+with atheris.instrument_imports():
+    from msal.token_cache import *
+
+#Create dummy token
+def build_token(issuer="issuer",subject="subject",id="id",**claims): 
+    return "header.%s.signature" % base64.b64encode(json.dumps(dict({
+        "iss": issuer, "sub": subject, "aud": id,
+        "exp": (time.time() + 100), "iat": time.time()
+        }, **claims)).encode()).decode('utf-8')
+
+#Create dummy response
+def build_response(uid,utid,access_token,expires_in,token_type,**kwargs):
+    response = {}
+    if uid and utid:
+        response["client_info"] = base64.b64encode(json.dumps({
+            "uid": uid, "utid": utid,
+        }).encode()).decode('utf-8')
+    if access_token:
+        response.update({
+            "access_token": access_token,
+            "expires_in": expires_in,
+            "token_type": token_type,
+        })
+    response.update(kwargs)  # Pass-through key-value pairs as top-level fields
+    return response
+
+def is_expected(error_list,error_msg):
+    for error in error_list:
+        if error in error_msg:
+            return True
+    return False
+
+def TestInput(input_bytes):
+    if len(input_bytes)<32:
+        return 
+
+    fdp = atheris.FuzzedDataProvider(input_bytes)
+
+    cache = TokenCache()
+
+    client_id = fdp.ConsumeString(32)
+    try:
+        token = build_token(
+          oid=fdp.ConsumeString(10), 
+          preferred_username=fdp.ConsumeString(10), 
+          id=client_id
+        )
+        cache.add({
+          "client_id": client_id,
+          "scope": ["s2", "s1", "s3"],
+          "token_endpoint": "https://%s"%fdp.ConsumeString(20),
+          "response": build_response(token_type=fdp.ConsumeString(5),
+            uid=fdp.ConsumeString(5), utid=fdp.ConsumeString(5),
+            expires_in=3600, access_token=fdp.ConsumeString(10),
+            id_token=token, refresh_token=fdp.ConsumeString(10)),
+        }, now=1000)
+    except ValueError as e:
+        error_list = [
+           "netloc",
+           "Invalid IPv6 URL",
+           "should consist of an https url with a minimum of one segment in a path"
+        ]
+        if not is_expected(error_list,str(e)):
+            raise e
+
+def main():
+    atheris.Setup(sys.argv, TestInput, enable_python_coverage=True)
+    atheris.instrument_all()
+    atheris.Fuzz()
+
+if __name__ == "__main__":
+    main()
diff --git a/projects/msal/project.yaml b/projects/msal/project.yaml
new file mode 100644
index 00000000..e7517cb7
--- /dev/null
+++ b/projects/msal/project.yaml
@@ -0,0 +1,12 @@
+fuzzing_engines:
+- libfuzzer
+homepage: https://github.com/AzureAD/microsoft-authentication-library-for-python
+language: python
+main_repo: https://github.com/AzureAD/microsoft-authentication-library-for-python
+primary_contact: "rayluo@microsoft.com"
+sanitizers:
+- address
+vendor_ccs:
+- david@adalogics.com
+- adam@adalogics.com
+- arthur.chan@adalogics.com
author	Arthur Chan <arthur.chan@adalogics.com>	2022-07-06 02:02:07 +0100
committer	GitHub <noreply@github.com>	2022-07-06 11:02:07 +1000
commit	d2cf83cffe1ed83ef71ad9e6a2e03603d062365b (patch)
tree	73ade7737a75b7ed8fec71bca762c8e98da98e3c
parent	9665b2e1b8d73ce887603991fd7dc8a9c0cd50ac (diff)