    def render(self, path, values=None, status=200):
        """Render the Jinja template at `path` into an HTML response.

        Args:
          path: Template name handed to `_JINJA_ENVIRONMENT.get_template`.
          values: Optional template context. A fresh dict is used when None
            (so no shared default is mutated); a caller-supplied dict is
            extended in place with the common page keys below.
          status: HTTP status code set on the returned response.

        Returns:
          A `Response` carrying the security headers added by
          `_add_security_response_headers`, Content-Type `text/html`, the
          rendered template as its body and `status` as its status code.
        """
        context = {} if values is None else values

        # Keys every page template relies on.
        context['menu_items'] = _MENU_ITEMS
        context['is_oss_fuzz'] = utils.is_oss_fuzz()
        context['is_development'] = (
            environment.is_running_on_app_engine_development())
        context['is_logged_in'] = bool(helpers.get_user_email())

        # Admin sessions are deliberately kept out of analytics: the tracking
        # id is only looked up for non-admin users.
        ga_tracking_id = None
        if not auth.is_current_user_admin():
            ga_tracking_id = local_config.GAEConfig().get('ga_tracking_id')
        context['ga_tracking_id'] = ga_tracking_id

        # Account-switch / logout links bring the user back to the current URL.
        if context['is_logged_in']:
            context['switch_account_url'] = make_login_url(request.url)
            context['logout_url'] = make_logout_url(dest_url=request.url)

        body = _JINJA_ENVIRONMENT.get_template(path).render(context)

        # NOTE(review): the Content-Type carries no charset parameter; the
        # body encoding therefore relies on Response's default — confirm.
        response = self._add_security_response_headers(Response())
        response.headers['Content-Type'] = 'text/html'
        response.data = body
        response.status_code = status
        return response
    def check_public_testcase(self, blob_info, testcase):
        """Return True if `blob_info` is a reproducer that may be served publicly.

        All of the following must hold, otherwise False is returned: the blob
        is the testcase's minimized reproducer, the testcase is attached to a
        bug, that bug can be fetched from its issue tracker, the bug is not
        restricted to committers, and (on OSS-Fuzz) the disclosure delay after
        the bug was closed has already elapsed.
        """
        # Only the minimized reproducer is ever exposed.
        if blob_info.key() != testcase.minimized_keys:
            return False

        # Disclosure is tied to a filed bug; testcases without one stay private.
        if not testcase.bug_information:
            return False

        tracker = issue_tracker_utils.get_issue_tracker_for_testcase(testcase)
        issue = tracker.get_issue(testcase.bug_information)
        if not issue:
            return False

        # A bug explicitly restricted to committers (OSS-Fuzz label) is never
        # downloadable by the public.
        if 'restrict-view-commit' in issue.labels:
            return False

        # OSS-Fuzz holds the reproducer back for _OSS_FUZZ_REPRODUCER_DELAY days
        # after the bug was closed. A bug whose deadline already exceeded had its
        # reproducer made public before, so that case is not held back again.
        if utils.is_oss_fuzz() and 'deadline-exceeded' not in issue.labels:
            closed_time = issue.closed_time
            if closed_time and not dates.time_has_expired(
                    closed_time, days=_OSS_FUZZ_REPRODUCER_DELAY):
                return False

        return True
    def get(self, resource: str | None = None):
        """Handle a get request with resource.

        Serves a blob identified either by an explicit `resource` key or by a
        `testcase_id` query argument, which is resolved to the testcase's
        minimized reproducer when one exists (else its fuzzed one). The checks
        below are ordered: the blob must belong to the named testcase, then a
        publicly disclosed OSS-Fuzz reproducer is served without further
        checks, then general access, then per-testcase access.

        Raises:
          helpers.EarlyExitException: with status 400 when nothing was
            requested, the testcase is invalid or does not own the blob, or
            the blob does not exist.
          helpers.AccessDeniedException: when the caller has neither general
            access nor access to the owning testcase.
        """
        testcase = None
        testcase_id = request.args.get('testcase_id')
        # At least one of the two identifiers has to be present.
        if not testcase_id and not resource:
            raise helpers.EarlyExitException('No file requested.', 400)

        if testcase_id:
            try:
                testcase = data_handler.get_testcase_by_id(testcase_id)
            except errors.InvalidTestcaseError:
                raise helpers.EarlyExitException('Invalid testcase.', 400)

            # Prefer the minimized reproducer; 'NA' marks "no minimized blob".
            if not resource:
                if testcase.minimized_keys and testcase.minimized_keys != 'NA':
                    resource = testcase.minimized_keys
                else:
                    resource = testcase.fuzzed_keys

        # Forwarded to _send_blob; only known once a testcase was resolved.
        fuzzer_binary_name = None
        if testcase:
            fuzzer_binary_name = testcase.get_metadata('fuzzer_binary_name')

        # The key may arrive percent-encoded from the URL.
        resource = str(urllib.parse.unquote(resource))
        blob_info = blobs.get_blob_info(resource)
        if not blob_info:
            raise helpers.EarlyExitException('File does not exist.', 400)

        # A caller-supplied resource must be one of the named testcase's two
        # blobs; otherwise the per-testcase access decision below could be
        # applied to an unrelated blob.
        if (testcase and testcase.fuzzed_keys != blob_info.key()
                and testcase.minimized_keys != blob_info.key()):
            raise helpers.EarlyExitException('Invalid testcase.', 400)

        # Disclosed OSS-Fuzz reproducers are served before any access check;
        # check_public_testcase decides the disclosure conditions.
        if (utils.is_oss_fuzz() and testcase
                and self.check_public_testcase(blob_info, testcase)):
            # Public OSS-Fuzz testcase.
            return self._send_blob(blob_info,
                                   testcase.key.id(),
                                   is_minimized=True,
                                   fuzzer_binary_name=fuzzer_binary_name)

        # Note: this is None (not False) when no testcase was resolved.
        is_minimized = testcase and blob_info.key() == testcase.minimized_keys
        if access.has_access():
            # User has general access.
            return self._send_blob(blob_info, testcase_id, is_minimized,
                                   fuzzer_binary_name)

        # If this blobstore file is for a testcase, check if the user has access to
        # the testcase. Without a testcase there is nothing to scope a
        # per-testcase grant to, so a non-privileged caller is denied.
        if not testcase:
            raise helpers.AccessDeniedException()

        if access.can_user_access_testcase(testcase):
            return self._send_blob(blob_info, testcase_id, is_minimized,
                                   fuzzer_binary_name)

        raise helpers.AccessDeniedException()
  def get(self):
    """Update the clusters of every project returned by `_get_project_ids`.

    OSS-Fuzz deployments use `OssFuzzClustersManager`, all others use
    `ClustersManager`; one manager instance is created per project id.
    """
    manager_class = (
        OssFuzzClustersManager if utils.is_oss_fuzz() else ClustersManager)

    for project_id in _get_project_ids():
      manager_class(project_id).update_clusters()
def _allow_unprivileged_metadata(testcase_metadata):
    """Return whether an unprivileged user may set `testcase_metadata`.

    On OSS-Fuzz nothing is allowed. Elsewhere the metadata must consist of
    exactly one key, and that key must be 'issue_labels'.
    """
    # Labels in OSS-Fuzz are privileged and control things like disclosure
    # deadlines, so they must not be editable by unprivileged users.
    if utils.is_oss_fuzz():
        return False

    # Allow *only* issue labels to be set: a single key, and nothing else.
    if len(testcase_metadata) != 1:
        return False
    return 'issue_labels' in testcase_metadata
def run_server():
    """Start a HTTP server to respond to the health checker.

    The server listens on (RESPONDER_IP, RESPONDER_PORT) with RequestHandler
    and serves on a background thread so this call returns immediately. The
    server object is not returned, so the caller has no handle to shut it down.
    """
    # OSS-Fuzz's multiple instances per host model isn't supported yet.
    if utils.is_oss_fuzz():
        return

    responder = HTTPServer((RESPONDER_IP, RESPONDER_PORT), RequestHandler)
    # Not a daemon thread: it keeps the process alive while it is serving.
    threading.Thread(target=responder.serve_forever).start()

def register_routes(flask_app, routes):
    """Register every (route, handler) pair from `routes` on `flask_app`.

    Each handler is a view class; `handler.as_view(route)` builds the view
    function, with the route string itself used as the view's name.
    """
    for rule, view_class in routes:
        view = view_class.as_view(rule)
        flask_app.add_url_rule(rule, view_func=view)


# Add item to the navigation menu. Order is important: entries appear in the
# order they are registered, and the deployment-specific ones sit in the middle.
for _label, _path in (('Testcases', '/testcases'),
                      ('Fuzzer Statistics', '/fuzzer-stats'),
                      ('Crash Statistics', '/crash-stats'),
                      ('Upload Testcase', '/upload-testcase')):
    base_handler.add_menu(_label, _path)

_is_chromium = utils.is_chromium()
_is_oss_fuzz = utils.is_oss_fuzz()

# Commit-range lookup is only offered on Chromium deployments.
if _is_chromium:
    base_handler.add_menu('Crashes by range', '/commit-range')

# Fuzzer / corpus / bot management pages are not shown on OSS-Fuzz.
if not _is_oss_fuzz:
    for _label, _path in (('Fuzzers', '/fuzzers'),
                          ('Corpora', '/corpora'),
                          ('Bots', '/bots')):
        base_handler.add_menu(_label, _path)

for _label, _path in (('Jobs', '/jobs'),
                      ('Configuration', '/configuration'),
                      ('Report Bug', '/report-bug'),
                      ('Documentation', '/docs')):
    base_handler.add_menu(_label, _path)

# Keep the module namespace free of the loop variables.
del _label, _path

# We need to separate routes for cron to avoid redirection.
def is_admin_or_not_oss_fuzz():
    """Return True if the current user is an admin or if this is not OSS-Fuzz.

    Outside OSS-Fuzz the answer is True without consulting `auth`; on
    OSS-Fuzz the result is whatever `auth.is_current_user_admin()` returns.
    """
    if not utils.is_oss_fuzz():
        return True
    return auth.is_current_user_admin()
  def wrapper(self):
    """Invoke `func`, additionally requiring admin access on OSS-Fuzz.

    `func` and `check_admin_access` come from the enclosing decorator scope.
    Outside OSS-Fuzz the handler is called as-is.
    """
    if not utils.is_oss_fuzz():
      return func(self)

    return check_admin_access(func)(self)