diff options
author | Arthur Chan <arthur.chan@adalogics.com> | 2022-07-06 02:02:07 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-07-06 11:02:07 +1000 |
commit | d2cf83cffe1ed83ef71ad9e6a2e03603d062365b (patch) | |
tree | 73ade7737a75b7ed8fec71bca762c8e98da98e3c | |
parent | 9665b2e1b8d73ce887603991fd7dc8a9c0cd50ac (diff) |
Microsoft Authentication Libary python: initial integration (#7754)
* Microsoft Authentication Libary python: initial integration
add initial fuzzer
* Fix and add new fuzzer
- Fix basic connection fuzzer
- Add new fuzzer with dummy token reponse
* MSAL: Fix fuzzer
Fix typo
Fix error handling
* Fix project setting
-rw-r--r-- | projects/msal/Dockerfile | 22 | ||||
-rw-r--r-- | projects/msal/build.sh | 26 | ||||
-rw-r--r-- | projects/msal/fuzz_auth.py | 59 | ||||
-rw-r--r-- | projects/msal/fuzz_tokencache.py | 90 | ||||
-rw-r--r-- | projects/msal/project.yaml | 12 |
5 files changed, 209 insertions, 0 deletions
diff --git a/projects/msal/Dockerfile b/projects/msal/Dockerfile new file mode 100644 index 00000000..ce6d5a64 --- /dev/null +++ b/projects/msal/Dockerfile @@ -0,0 +1,22 @@ +# Copyright 2022 Google LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ +FROM gcr.io/oss-fuzz-base/base-builder-python +RUN pip3 install --upgrade pip +RUN git clone https://github.com/AzureAD/microsoft-authentication-library-for-python msal +WORKDIR msal + +#COPY build.sh task_fuzz.py parse_fuzz.py $SRC/ +COPY build.sh fuzz_*.py $SRC/ diff --git a/projects/msal/build.sh b/projects/msal/build.sh new file mode 100644 index 00000000..a6263709 --- /dev/null +++ b/projects/msal/build.sh @@ -0,0 +1,26 @@ +#!/bin/bash -eu +# Copyright 2022 Google LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ +# Build and install project (using current CFLAGS, CXXFLAGS). +pip3 install --upgrade pip +pip3 install -r ./requirements.txt +pip3 install . + +# Build fuzzers in $OUT. +cd $SRC +for fuzzer in $(find $SRC -name 'fuzz_*.py'); do + compile_python_fuzzer $fuzzer +done diff --git a/projects/msal/fuzz_auth.py b/projects/msal/fuzz_auth.py new file mode 100644 index 00000000..300afa90 --- /dev/null +++ b/projects/msal/fuzz_auth.py @@ -0,0 +1,59 @@ +#!/usr/bin/python3 + +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +import atheris +import sys +with atheris.instrument_imports(): + from msal import PublicClientApplication + from msal.application import extract_certs + from msal.authority import AuthorityBuilder + +def is_expected(error_list,error_msg): + for error in error_list: + if error in error_msg: + return True + return False + +def TestInput(input_bytes): + if len(input_bytes)<32: + return + + fdp = atheris.FuzzedDataProvider(input_bytes) + + authority = AuthorityBuilder(fdp.ConsumeString(50),fdp.ConsumeString(50)) + + try: + app = PublicClientApplication(client_id=fdp.ConsumeString(32),authority=authority) + app.get_accounts() + except (ValueError,KeyError) as e: + error_list = [ + "tenant_discovery_endpoint", + "Invalid IPv6 URL", + "should consist of an https url with a minimum of one segment in a path", + "netloc" + ] + if not is_expected(error_list,str(e)): + raise e + + cert = "-----BEGIN CERTIFICATE-----%s-----END CERTIFICATE-----"%fdp.ConsumeString(200) + extract_certs(cert) + +def main(): + atheris.Setup(sys.argv, TestInput, enable_python_coverage=True) + atheris.instrument_all() + atheris.Fuzz() + +if __name__ == "__main__": + main() diff --git a/projects/msal/fuzz_tokencache.py b/projects/msal/fuzz_tokencache.py new file mode 100644 index 00000000..8c4d63ae --- /dev/null +++ b/projects/msal/fuzz_tokencache.py @@ -0,0 +1,90 @@ +#!/usr/bin/python3 +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import base64 +import atheris +import sys +with atheris.instrument_imports(): + from msal.token_cache import * + +#Create dummy token +def build_token(issuer="issuer",subject="subject",id="id",**claims): + return "header.%s.signature" % base64.b64encode(json.dumps(dict({ + "iss": issuer, "sub": subject, "aud": id, + "exp": (time.time() + 100), "iat": time.time() + }, **claims)).encode()).decode('utf-8') + +#Create dummy response +def build_response(uid,utid,access_token,expires_in,token_type,**kwargs): + response = {} + if uid and utid: + response["client_info"] = base64.b64encode(json.dumps({ + "uid": uid, "utid": utid, + }).encode()).decode('utf-8') + if access_token: + response.update({ + "access_token": access_token, + "expires_in": expires_in, + "token_type": token_type, + }) + response.update(kwargs) # Pass-through key-value pairs as top-level fields + return response + +def is_expected(error_list,error_msg): + for error in error_list: + if error in error_msg: + return True + return False + +def TestInput(input_bytes): + if len(input_bytes)<32: + return + + fdp = atheris.FuzzedDataProvider(input_bytes) + + cache = TokenCache() + + client_id = fdp.ConsumeString(32) + try: + token = build_token( + oid=fdp.ConsumeString(10), + preferred_username=fdp.ConsumeString(10), + id=client_id + ) + cache.add({ + "client_id": client_id, + "scope": ["s2", "s1", "s3"], + "token_endpoint": "https://%s"%fdp.ConsumeString(20), + "response": build_response(token_type=fdp.ConsumeString(5), + uid=fdp.ConsumeString(5), utid=fdp.ConsumeString(5), + expires_in=3600, access_token=fdp.ConsumeString(10), + id_token=token, refresh_token=fdp.ConsumeString(10)), + }, now=1000) + except ValueError as e: + error_list = [ + "netloc", + "Invalid IPv6 URL", + "should consist of an https url with a minimum of one segment in a path" + ] + if not is_expected(error_list,str(e)): + raise e + +def main(): + atheris.Setup(sys.argv, TestInput, enable_python_coverage=True) + atheris.instrument_all() + atheris.Fuzz() + +if __name__ == "__main__": + main() diff --git a/projects/msal/project.yaml b/projects/msal/project.yaml new file mode 100644 index 00000000..e7517cb7 --- /dev/null +++ b/projects/msal/project.yaml @@ -0,0 +1,12 @@ +fuzzing_engines: +- libfuzzer +homepage: https://github.com/AzureAD/microsoft-authentication-library-for-python +language: python +main_repo: https://github.com/AzureAD/microsoft-authentication-library-for-python +primary_contact: "rayluo@microsoft.com" +sanitizers: +- address +vendor_ccs: +- david@adalogics.com +- adam@adalogics.com +- arthur.chan@adalogics.com |