Bitcoin Core  27.99.0
P2P Digital Currency
http_request.cpp
Go to the documentation of this file.
1 // Copyright (c) 2020-2022 The Bitcoin Core developers
2 // Distributed under the MIT software license, see the accompanying
3 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
4 
5 #include <httpserver.h>
6 #include <netaddress.h>
8 #include <test/fuzz/fuzz.h>
9 #include <test/fuzz/util.h>
10 #include <util/signalinterrupt.h>
11 #include <util/strencodings.h>
12 
13 #include <event2/buffer.h>
14 #include <event2/event.h>
15 #include <event2/http.h>
16 #include <event2/http_struct.h>
17 
18 #include <cassert>
19 #include <cstdint>
20 #include <string>
21 #include <vector>
22 
23 extern "C" int evhttp_parse_firstline_(struct evhttp_request*, struct evbuffer*);
24 extern "C" int evhttp_parse_headers_(struct evhttp_request*, struct evbuffer*);
25 
27 
28 FUZZ_TARGET(http_request)
29 {
30  FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
31  evhttp_request* evreq = evhttp_request_new(nullptr, nullptr);
32  assert(evreq != nullptr);
33  evreq->kind = EVHTTP_REQUEST;
34  evbuffer* evbuf = evbuffer_new();
35  assert(evbuf != nullptr);
36  const std::vector<uint8_t> http_buffer = ConsumeRandomLengthByteVector(fuzzed_data_provider, 4096);
37  evbuffer_add(evbuf, http_buffer.data(), http_buffer.size());
38  // Avoid constructing requests that will be interpreted by libevent as PROXY requests to avoid triggering
39  // a nullptr dereference. The dereference (req->evcon->http_server) takes place in evhttp_parse_request_line
40  // and is a consequence of our hacky but necessary use of the internal function evhttp_parse_firstline_ in
41  // this fuzzing harness. The workaround is not aesthetically pleasing, but it successfully avoids the troublesome
42  // code path. " http:// HTTP/1.1\n" was a crashing input prior to this workaround.
43  const std::string http_buffer_str = ToLower(std::string{http_buffer.begin(), http_buffer.end()});
44  if (http_buffer_str.find(" http://") != std::string::npos || http_buffer_str.find(" https://") != std::string::npos ||
45  evhttp_parse_firstline_(evreq, evbuf) != 1 || evhttp_parse_headers_(evreq, evbuf) != 1) {
46  evbuffer_free(evbuf);
47  evhttp_request_free(evreq);
48  return;
49  }
50 
51  util::SignalInterrupt interrupt;
52  HTTPRequest http_request{evreq, interrupt, true};
53  const HTTPRequest::RequestMethod request_method = http_request.GetRequestMethod();
54  (void)RequestMethodString(request_method);
55  (void)http_request.GetURI();
56  (void)http_request.GetHeader("Host");
57  const std::string header = fuzzed_data_provider.ConsumeRandomLengthString(16);
58  (void)http_request.GetHeader(header);
59  (void)http_request.WriteHeader(header, fuzzed_data_provider.ConsumeRandomLengthString(16));
60  (void)http_request.GetHeader(header);
61  const std::string body = http_request.ReadBody();
62  assert(body.empty());
63  const CService service = http_request.GetPeer();
64  assert(service.ToStringAddrPort() == "[::]:0");
65 
66  evbuffer_free(evbuf);
67  evhttp_request_free(evreq);
68 }
A combination of a network address (CNetAddr) and a (TCP) port.
Definition: netaddress.h:531
std::string ToStringAddrPort() const
Definition: netaddress.cpp:905
In-flight HTTP request.
Definition: httpserver.h:61
Helper class that manages an interrupt flag, and allows a thread or signal to interrupt another threa...
std::string RequestMethodString(HTTPRequest::RequestMethod m)
HTTP request method as string - use for logging only.
Definition: httpserver.cpp:242
int evhttp_parse_headers_(struct evhttp_request *, struct evbuffer *)
int evhttp_parse_firstline_(struct evhttp_request *, struct evbuffer *)
FUZZ_TARGET(http_request)
std::vector< B > ConsumeRandomLengthByteVector(FuzzedDataProvider &fuzzed_data_provider, const std::optional< size_t > &max_length=std::nullopt) noexcept
Definition: util.h:57
std::string ToLower(std::string_view str)
Returns the lowercase equivalent of the given string.
assert(!tx.IsCoinBase())