add support for template literals (googleprojectzero#208)

amarekano · web-flow · commit 0cd2f83aa728 · 2021-06-24T11:54:34.000+02:00
diff --git a/Sources/Fuzzilli/Core/CodeGenerators.swift b/Sources/Fuzzilli/Core/CodeGenerators.swift
@@ -97,6 +97,20 @@ public let CodeGenerators: [CodeGenerator] = [
         b.createArray(with: initialValues, spreading: spreads)
     },
 
+    CodeGenerator("TemplateStringGenerator") { b in
+        var interpolatedValues = [Variable]()
+        for _ in 1..<Int.random(in: 1...5) {
+            interpolatedValues.append(b.randVar())
+        }
+
+        var parts = [String]()
+        for _ in 0...interpolatedValues.count {
+            // For now we generate random strings
+            parts.append(b.genString())
+        }
+        b.createTemplateString(from: parts, interpolating: interpolatedValues)
+    },
+
     CodeGenerator("BuiltinGenerator") { b in
         b.loadBuiltin(b.genBuiltinName())
     },
diff --git a/Sources/Fuzzilli/Core/ProgramBuilder.swift b/Sources/Fuzzilli/Core/ProgramBuilder.swift
@@ -480,6 +480,16 @@ public class ProgramBuilder {
         if type.Is(.bigint) || type.Is(fuzzer.environment.bigIntType) {
             return loadBigInt(genInt())
         }
+        if type.Is(.function()) {
+            let signature = type.signature ?? FunctionSignature(withParameterCount: Int.random(in: 2...5), hasRestParam: probability(0.1)) 
+            return definePlainFunction(withSignature: signature) { _ in
+                generateRecursive()
+                doReturn(value: randVar())
+            }
+        }
+        if type.Is(.regexp) || type.Is(fuzzer.environment.regExpType) {
+            return loadRegExp(genRegExp(), genRegExpFlags())
+        }
 
         assert(type.Is(.object()), "Unexpected type encountered \(type)")
 
@@ -998,6 +1008,11 @@ public class ProgramBuilder {
         return perform(CreateArrayWithSpread(numInitialValues: initialValues.count, spreads: spreads), withInputs: initialValues).output
     }
 
+    @discardableResult
+    public func createTemplateString(from parts: [String], interpolating interpolatedValues: [Variable]) -> Variable {
+        return perform(CreateTemplateString(parts: parts), withInputs: interpolatedValues).output
+    }
+
     @discardableResult
     public func loadBuiltin(_ name: String) -> Variable {
         return perform(LoadBuiltin(builtinName: name)).output
diff --git a/Sources/Fuzzilli/FuzzIL/AbstractInterpreter.swift b/Sources/Fuzzilli/FuzzIL/AbstractInterpreter.swift
@@ -362,6 +362,9 @@ public struct AbstractInterpreter {
              is CreateArrayWithSpread:
             set(instr.output, environment.arrayType)
 
+        case is CreateTemplateString:
+            set(instr.output, environment.stringType)
+
         case let op as StoreProperty:
             if environment.customMethodNames.contains(op.propertyName) {
                 set(instr.input(0), type(ofInput: 0).adding(method: op.propertyName))
diff --git a/Sources/Fuzzilli/FuzzIL/Instruction.swift b/Sources/Fuzzilli/FuzzIL/Instruction.swift
@@ -290,6 +290,8 @@ extension Instruction: ProtobufConvertible {
                 $0.createArray = Fuzzilli_Protobuf_CreateArray()
             case let op as CreateArrayWithSpread:
                 $0.createArrayWithSpread = Fuzzilli_Protobuf_CreateArrayWithSpread.with { $0.spreads = op.spreads }
+            case let op as CreateTemplateString:
+                $0.createTemplateString = Fuzzilli_Protobuf_CreateTemplateString.with { $0.parts = op.parts }
             case let op as LoadBuiltin:
                 $0.loadBuiltin = Fuzzilli_Protobuf_LoadBuiltin.with { $0.builtinName = op.builtinName }
             case let op as LoadProperty:
@@ -525,6 +527,8 @@ extension Instruction: ProtobufConvertible {
             op = CreateObjectWithSpread(propertyNames: p.propertyNames, numSpreads: inouts.count - 1 - p.propertyNames.count)
         case .createArrayWithSpread(let p):
             op = CreateArrayWithSpread(numInitialValues: inouts.count - 1, spreads: p.spreads)
+        case .createTemplateString(let p):
+            op = CreateTemplateString(parts: p.parts)
         case .loadBuiltin(let p):
             op = LoadBuiltin(builtinName: p.builtinName)
         case .loadProperty(let p):
diff --git a/Sources/Fuzzilli/FuzzIL/Operations.swift b/Sources/Fuzzilli/FuzzIL/Operations.swift
@@ -240,6 +240,23 @@ class CreateArrayWithSpread: Operation {
     }
 }
 
+class CreateTemplateString: Operation {
+    // Stores the string elements of the temaplate literal
+    let parts: [String]
+
+    var numInterpolatedValues: Int {
+        return numInputs
+    }
+
+    // This operation isn't parametric since it will most likely mutate imported templates (which would mostly be valid JS snippets) and
+    // replace them with random strings and/or other template strings that may not be syntactically and/or semantically valid.
+    init(parts: [String]) {
+        self.parts = parts
+        assert(parts.count > 0)
+        super.init(numInputs: parts.count - 1, numOutputs: 1, attributes: [.isVarargs])
+    }
+}
+
 class LoadBuiltin: Operation {
     let builtinName: String
     
diff --git a/Sources/Fuzzilli/Lifting/FuzzILLifter.swift b/Sources/Fuzzilli/Lifting/FuzzILLifter.swift
@@ -82,6 +82,11 @@ public class FuzzILLifter: Lifter {
             }
             w.emit("\(instr.output) <- CreateArrayWithSpread [\(elems.joined(separator: ", "))]")
 
+        case let op as CreateTemplateString:
+            let parts = op.parts.map({ "'\($0)'" }).joined(separator: ", ")
+            let values = instr.inputs.map({ $0.identifier }).joined(separator: ", ")
+            w.emit("\(instr.output) <- CreateTemplateString [\(parts)], [\(values)]")
+
         case let op as LoadBuiltin:
             w.emit("\(instr.output) <- LoadBuiltin '\(op.builtinName)'")
 
diff --git a/Sources/Fuzzilli/Lifting/JavaScriptLifter.swift b/Sources/Fuzzilli/Lifting/JavaScriptLifter.swift
@@ -213,6 +213,15 @@ public class JavaScriptLifter: Lifter {
                 }
                 output = ArrayLiteral.new("[" + elems.joined(separator: ",") + "]")
 
+            case let op as CreateTemplateString:
+                assert(!op.parts.isEmpty)
+                assert(op.parts.count == instr.numInputs + 1)
+                var parts = [op.parts[0]]
+                for i in 1..<op.parts.count {
+                    parts.append("${\(input(i - 1))}\(op.parts[i])")
+                }
+                output = Literal.new("`" + parts.joined() + "`")
+
             case let op as LoadBuiltin:
                 output = Identifier.new(op.builtinName)
 
diff --git a/Sources/Fuzzilli/Protobuf/operations.pb.swift b/Sources/Fuzzilli/Protobuf/operations.pb.swift
@@ -366,6 +366,18 @@ public struct Fuzzilli_Protobuf_CreateArray {
   public init() {}
 }
 
+public struct Fuzzilli_Protobuf_CreateTemplateString {
+  // SwiftProtobuf.Message conformance is added in an extension below. See the
+  // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
+  // methods supported on all messages.
+
+  public var parts: [String] = []
+
+  public var unknownFields = SwiftProtobuf.UnknownStorage()
+
+  public init() {}
+}
+
 public struct Fuzzilli_Protobuf_CreateObjectWithSpread {
   // SwiftProtobuf.Message conformance is added in an extension below. See the
   // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
@@ -1693,6 +1705,38 @@ extension Fuzzilli_Protobuf_CreateArray: SwiftProtobuf.Message, SwiftProtobuf._M
   }
 }
 
+extension Fuzzilli_Protobuf_CreateTemplateString: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
+  public static let protoMessageName: String = _protobuf_package + ".CreateTemplateString"
+  public static let _protobuf_nameMap: SwiftProtobuf._NameMap = [
+    1: .same(proto: "parts"),
+  ]
+
+  public mutating func decodeMessage<D: SwiftProtobuf.Decoder>(decoder: inout D) throws {
+    while let fieldNumber = try decoder.nextFieldNumber() {
+      // The use of inline closures is to circumvent an issue where the compiler
+      // allocates stack space for every case branch when no optimizations are
+      // enabled. https://github.com/apple/swift-protobuf/issues/1034
+      switch fieldNumber {
+      case 1: try { try decoder.decodeRepeatedStringField(value: &self.parts) }()
+      default: break
+      }
+    }
+  }
+
+  public func traverse<V: SwiftProtobuf.Visitor>(visitor: inout V) throws {
+    if !self.parts.isEmpty {
+      try visitor.visitRepeatedStringField(value: self.parts, fieldNumber: 1)
+    }
+    try unknownFields.traverse(visitor: &visitor)
+  }
+
+  public static func ==(lhs: Fuzzilli_Protobuf_CreateTemplateString, rhs: Fuzzilli_Protobuf_CreateTemplateString) -> Bool {
+    if lhs.parts != rhs.parts {return false}
+    if lhs.unknownFields != rhs.unknownFields {return false}
+    return true
+  }
+}
+
 extension Fuzzilli_Protobuf_CreateObjectWithSpread: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
   public static let protoMessageName: String = _protobuf_package + ".CreateObjectWithSpread"
   public static let _protobuf_nameMap: SwiftProtobuf._NameMap = [
diff --git a/Sources/Fuzzilli/Protobuf/operations.proto b/Sources/Fuzzilli/Protobuf/operations.proto
@@ -55,6 +55,10 @@ message CreateObject {
 message CreateArray {
 }
 
+message CreateTemplateString {
+    repeated string parts = 1;
+}
+
 message CreateObjectWithSpread {
     repeated string propertyNames = 1;
 }
diff --git a/Sources/Fuzzilli/Protobuf/program.pb.swift b/Sources/Fuzzilli/Protobuf/program.pb.swift
@@ -225,6 +225,14 @@ public struct Fuzzilli_Protobuf_Instruction {
     set {operation = .createArray(newValue)}
   }
 
+  public var createTemplateString: Fuzzilli_Protobuf_CreateTemplateString {
+    get {
+      if case .createTemplateString(let v)? = operation {return v}
+      return Fuzzilli_Protobuf_CreateTemplateString()
+    }
+    set {operation = .createTemplateString(newValue)}
+  }
+
   public var createObjectWithSpread: Fuzzilli_Protobuf_CreateObjectWithSpread {
     get {
       if case .createObjectWithSpread(let v)? = operation {return v}
@@ -920,6 +928,7 @@ public struct Fuzzilli_Protobuf_Instruction {
     case loadRegExp(Fuzzilli_Protobuf_LoadRegExp)
     case createObject(Fuzzilli_Protobuf_CreateObject)
     case createArray(Fuzzilli_Protobuf_CreateArray)
+    case createTemplateString(Fuzzilli_Protobuf_CreateTemplateString)
     case createObjectWithSpread(Fuzzilli_Protobuf_CreateObjectWithSpread)
     case createArrayWithSpread(Fuzzilli_Protobuf_CreateArrayWithSpread)
     case loadBuiltin(Fuzzilli_Protobuf_LoadBuiltin)
@@ -1056,6 +1065,10 @@ public struct Fuzzilli_Protobuf_Instruction {
         guard case .createArray(let l) = lhs, case .createArray(let r) = rhs else { preconditionFailure() }
         return l == r
       }()
+      case (.createTemplateString, .createTemplateString): return {
+        guard case .createTemplateString(let l) = lhs, case .createTemplateString(let r) = rhs else { preconditionFailure() }
+        return l == r
+      }()
       case (.createObjectWithSpread, .createObjectWithSpread): return {
         guard case .createObjectWithSpread(let l) = lhs, case .createObjectWithSpread(let r) = rhs else { preconditionFailure() }
         return l == r
@@ -1521,6 +1534,7 @@ extension Fuzzilli_Protobuf_Instruction: SwiftProtobuf.Message, SwiftProtobuf._M
     77: .same(proto: "loadRegExp"),
     11: .same(proto: "createObject"),
     12: .same(proto: "createArray"),
+    102: .same(proto: "createTemplateString"),
     13: .same(proto: "createObjectWithSpread"),
     14: .same(proto: "createArrayWithSpread"),
     15: .same(proto: "loadBuiltin"),
@@ -2476,6 +2490,15 @@ extension Fuzzilli_Protobuf_Instruction: SwiftProtobuf.Message, SwiftProtobuf._M
         try decoder.decodeSingularMessageField(value: &v)
         if let v = v {self.operation = .endSwitch(v)}
       }()
+      case 102: try {
+        var v: Fuzzilli_Protobuf_CreateTemplateString?
+        if let current = self.operation {
+          try decoder.handleConflictingOneOf()
+          if case .createTemplateString(let m) = current {v = m}
+        }
+        try decoder.decodeSingularMessageField(value: &v)
+        if let v = v {self.operation = .createTemplateString(v)}
+      }()
       default: break
       }
     }
@@ -2873,6 +2896,10 @@ extension Fuzzilli_Protobuf_Instruction: SwiftProtobuf.Message, SwiftProtobuf._M
       guard case .endSwitch(let v)? = self.operation else { preconditionFailure() }
       try visitor.visitSingularMessageField(value: v, fieldNumber: 101)
     }()
+    case .createTemplateString?: try {
+      guard case .createTemplateString(let v)? = self.operation else { preconditionFailure() }
+      try visitor.visitSingularMessageField(value: v, fieldNumber: 102)
+    }()
     case nil: break
     }
     try unknownFields.traverse(visitor: &visitor)
diff --git a/Sources/Fuzzilli/Protobuf/program.proto b/Sources/Fuzzilli/Protobuf/program.proto
@@ -36,6 +36,7 @@ message Instruction {
         LoadRegExp loadRegExp = 77;
         CreateObject createObject = 11;
         CreateArray createArray = 12;
+        CreateTemplateString createTemplateString = 102;
         CreateObjectWithSpread createObjectWithSpread = 13;
         CreateArrayWithSpread createArrayWithSpread = 14;
         LoadBuiltin loadBuiltin = 15;
diff --git a/Sources/FuzzilliCli/CodeGeneratorWeights.swift b/Sources/FuzzilliCli/CodeGeneratorWeights.swift
@@ -30,6 +30,7 @@ let codeGeneratorWeights = [
     "ArrayGenerator":                       10,
     "ObjectWithSpreadGenerator":            5,
     "ArrayWithSpreadGenerator":             5,
+    "TemplateStringGenerator":              1,
     "PlainFunctionGenerator":               15,
     "StrictFunctionGenerator":              1,
     "ArrowFunctionGenerator":               3,
diff --git a/Tests/FuzzilliTests/LifterTest.swift b/Tests/FuzzilliTests/LifterTest.swift
@@ -669,6 +669,33 @@ class LifterTests: XCTestCase {
         let v4 = ++v3;
         const v5 = v4++;
 
+        """
+        
+        XCTAssertEqual(lifted_program,expected_program)
+    }
+
+    func testCreateTemplateLifting(){
+        let fuzzer = makeMockFuzzer()
+        let b = fuzzer.makeBuilder()
+
+        let v0 = b.loadInt(1337)
+        let _ = b.createTemplateString(from: [""], interpolating: [])
+        let v2 = b.createTemplateString(from: ["Hello", "World"], interpolating: [v0])
+        let v3 = b.createObject(with: ["foo": v0])
+        let v4 = b.loadProperty("foo", of: v3)
+        let _ = b.createTemplateString(from: ["bar", "baz"], interpolating: [v4])
+        let _ = b.createTemplateString(from: ["test", "inserted", "template"], interpolating: [v4, v2] )
+
+        let program = b.finalize()
+
+        let lifted_program = fuzzer.lifter.lift(program)
+        let expected_program = """
+        const v1 = ``;
+        const v3 = {foo:1337};
+        const v4 = v3.foo;
+        const v5 = `bar${v4}baz`;
+        const v6 = `test${v4}inserted${`Hello${1337}World`}template`;
+
         """
 
         XCTAssertEqual(lifted_program,expected_program)
@@ -695,6 +722,7 @@ extension LifterTests {
             ("testBinaryOperationReassignLifting", testBinaryOperationReassignLifting),
             ("testVariableAnalyzer", testVariableAnalyzer),
             ("testSwitchStatementLifting", testSwitchStatementLifting),
+            ("testCreateTemplateLifting", testCreateTemplateLifting),
         ]
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -55,6 +55,10 @@ message CreateObject {`
`55`	`55`	`message CreateArray {`
`56`	`56`	`}`
`57`	`57`
	`58`	`+message CreateTemplateString {`
	`59`	`+ repeated string parts = 1;`
	`60`	`+}`
	`61`	`+`
`58`	`62`	`message CreateObjectWithSpread {`
`59`	`63`	`repeated string propertyNames = 1;`
`60`	`64`	`}`