oauth2client: initial integration (#8083)

* oauth2client: initial integration
Create fuzzers

* Update fuzz_basic.py

Co-authored-by: jonathanmetzman <[email protected]>

Author: arthurscchan

projects/oauth2/Dockerfile

@@ -0,0 +1,22 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder-python
+
+RUN git clone --depth=1 https://github.com/googleapis/oauth2client oauth2
+WORKDIR oauth2
+
+COPY build.sh fuzz_*.py $SRC/

projects/oauth2/build.sh

@@ -0,0 +1,24 @@
+#!/bin/bash -eu
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Build and install project (using current CFLAGS, CXXFLAGS).
+pip3 install --upgrade pip
+pip3 install .
+
+for fuzzer in $(find $SRC -name 'fuzz_*.py'); do
+  compile_python_fuzzer $fuzzer
+done

projects/oauth2/fuzz_basic.py

@@ -0,0 +1,45 @@
+#!/usr/bin/python3
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import atheris
+import sys
+
+with atheris.instrument_imports():
+    from oauth2client.client import OAuth2WebServerFlow
+    from oauth2client.client import OAuth2DeviceCodeError
+
+def TestInput(data):
+    fdp = atheris.FuzzedDataProvider(data)
+
+    CLIENT_ID = fdp.ConsumeString(100)
+    CLIENT_SECRET = fdp.ConsumeString(100)
+    SCOPES = ("https://localhost:%d/%s"%(
+         fdp.ConsumeIntInRange(1000,65535),
+         fdp.ConsumeString(50)
+    ))
+
+    try:
+         flow = OAuth2WebServerFlow(CLIENT_ID, CLIENT_SECRET, " ".join(SCOPES))
+         flow_info = flow.step1_get_device_and_user_codes()
+         credentials = flow.step2_exchange(device_flow_info=flow_info)
+    except OAuth2DeviceCodeError as e:
+        pass 
+
+def main():
+    atheris.Setup(sys.argv, TestInput, enable_python_coverage=True)
+    atheris.Fuzz()
+
+if __name__ == "__main__":
+    main()

projects/oauth2/fuzz_helpers.py

@@ -0,0 +1,62 @@
+#!/usr/bin/python3
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import atheris
+import sys
+with atheris.instrument_imports():
+    import oauth2client._helpers as helpers
+
+def TestInput(data):
+    fdp = atheris.FuzzedDataProvider(data)
+
+    helpers.scopes_to_string([
+        fdp.ConsumeString(20),
+        fdp.ConsumeString(20)
+    ])
+    helpers.scopes_to_string(fdp.ConsumeString(20))
+
+    helpers.string_to_scopes(fdp.ConsumeString(100))
+
+    helpers.parse_unique_urlencoded(fdp.ConsumeString(100))
+
+    helpers.update_query_params(
+        fdp.ConsumeString(100),{
+            fdp.ConsumeString(10):fdp.ConsumeString(20),
+            fdp.ConsumeString(10):fdp.ConsumeString(20),
+            fdp.ConsumeString(10):fdp.ConsumeString(20)
+    })
+
+    helpers._add_query_parameter(
+        fdp.ConsumeString(100),
+        fdp.ConsumeString(10),
+        fdp.ConsumeString(20)
+    )
+
+    helpers.validate_file(fdp.ConsumeString(100))
+
+    helpers._json_encode(fdp.ConsumeString(100))
+
+    helpers._to_bytes(fdp.ConsumeString(100))
+    helpers._from_bytes(fdp.ConsumeBytes(100))
+
+    helpers._urlsafe_b64encode(fdp.ConsumeString(100))
+    helpers._urlsafe_b64decode(fdp.ConsumeString(100))
+
+def main():
+    atheris.Setup(sys.argv, TestInput, enable_python_coverage=True)
+    atheris.Fuzz()
+
+if __name__ == "__main__":
+    main()

projects/oauth2/project.yaml

@@ -0,0 +1,12 @@
+fuzzing_engines:
+- libfuzzer
+homepage: https://github.com/googleapis/oauth2client
+language: python
+main_repo: https://github.com/googleapis/oauth2client
+sanitizers:
+- address
+- undefined
+vendor_ccs:
+- [email protected]
+- [email protected]
+- [email protected]