googleprojectzero / domato
DOM fuzzer
Home Page: https://googleprojectzero.blogspot.ch/2017/09/the-great-dom-fuzz-off-of-2017.html
License: Apache License 2.0
I'm trying to make a grammar that embeds XML and XSL into CSS used in a private document editor, but I do not understand why I cannot use:
htmlgrammar.generate_symbol('style_value')
I created another section:
<cssurl> = url(<xmlelement_xml>)
Error:
...
...
File "/Users/agarcia/domato/grammar.py", line 347, in _select_creator
raise GrammarError('No creators for type ' + symbol)
grammar.GrammarError: No creators for type xmlelement_xml
Result should be:
cssurl = URL(data:mimetype;<xml.....>)
In grammar.py, line 524:
for v in new_vars:
    if v['type'] not in _NONINTERESTING_TYPES:
        self._add_variable(v['name'], v['type'], context)
        additional_lines.append("if (!" + v['name'] + ") { " + v['name'] + " = GetVariable(fuzzervars, '" + v['type'] + "'); } else { " + self._get_variable_setters(v['name'], v['type']) + " }")
After running generate.py, this code will generate something like:
try { if (!fuzzvar00001) { fuzzvar00001 = GetVariable(fuzzervars, 'element'); } else { SetVariable(fuzzvar00001, 'element'); } } catch(e) {}
=>
fuzzervars = {}
function GetVariable(fuzzervars, var_type) { if(fuzzervars[var_type]) { return fuzzervars[var_type]; } else { return null; }}
function SetVariable(fuzzervars, var_name, var_type) { fuzzervars[var_type] = var_name; }
I guess something is wrong in SetVariable, and it should be:
SetVariable(fuzzervars, fuzzvar00001, 'element')
Please check it, thanks.
Basic support was added in 127b7f2
Igalia sent the intent-to-ship for MathML Core in Chromium last week and we were asked about support for MathML in fuzzers. Specifically, @dbratell asked "Do the fuzzing tools have support for mathml elements? If not, you should probably add a to-do item to teach them.".
So just opening this as a TODO.
I noticed that the CVEs referred to are a bit old, despite the fact that I was able to discover the recent CVE-2022-3040 with Domato.
I didn't know that this Domato finding was CVE-2022-3040, but when I tried to submit the bug I found a similar crash reported and submitted for the same code a few months ago, which was then labeled as CVE-2022-3040 (I wish I had been a bit faster :) ).
I think we can add this new CVE ref in the README?
I can share the Domato output that triggered the crash identified in CVE-2022-3040; this was generated using the default template!
Hi,
The "=" symbol is different in basic syntax and lines syntax.
In basic syntax, the left symbol will be expanded by the right symbol.
But in lines syntax, it's just an equals sign instead of expanding the left symbol.
Is there some way that we can define symbols that can be expanded in lines instead of ending up in the output?
For example, I have a recursive expression in lines, which creates new variables; the number of variables depends on the recursion depth. I need the basic syntax's "=" to define the recursive expression, but I also need the "new" features of the lines syntax. So I may need some way for domato to define a symbol that can be expanded in lines instead of outputting it.
Or can this problem be solved in other ways?
Hi, first of all, it's a great project!
I am a bit confused about GetVariable and SetVariable.
In the template and output file, the calls to GetVariable/SetVariable don't match the declaration:
function SetVariable(fuzzervars, var_name, var_type) { fuzzervars[var_type] = var_name; }
....
try { /* newvar{var00005:HTMLTemplateElement} */ var var00005 = document.createElement("template"); } catch(e) { }
try { if (!var00005) { var00005 = GetVariable(fuzzervars, 'HTMLTemplateElement'); } else { SetVariable(var00005, 'HTMLTemplateElement'); SetVariable(var00005, 'Element'); SetVariable(var00005, 'GlobalEventHandlers'); SetVariable(var00005, 'EventTarget'); } } catch(e) { }
I wonder what your real goal with this generated code is.
In grammar.py (528 ~ 532) you just generate the var with 2 params:
for v in new_vars:
    if v['type'] not in _NONINTERESTING_TYPES:
        self._add_variable(v['name'], v['type'], context)
        additional_lines.append("if (!" + v['name'] + ") { " + v['name'] + " = GetVariable(fuzzervars, '" + v['type'] + "'); } else { " + self._get_variable_setters(v['name'], v['type']) + " }")
Thank you!
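The two reports above (the `SetVariable` one further up and this one) point at the same thing: the generated file declares `SetVariable(fuzzervars, var_name, var_type)` with three parameters, but the emitted lines call it as `SetVariable(var00005, 'HTMLTemplateElement')` with two. The following is an added example, not code from the domato repository: a reduced model of that variable registry that runs under node without a DOM. `GetVariable` and `SetVariable` are copied as declared in the generated file; `makeElement` is a constructed stand-in for `document.createElement`, and `registerAsEmitted`, `registerWithRegistry`, `lookup` and `strayKeys` are illustrative names introduced here. It shows what the two-argument call actually does under JavaScript's argument binding (the element becomes the "registry", a property literally named `"undefined"` is written on it, and the shared `fuzzervars` map never learns about the new variable), beside the three-argument form the reports propose.

```javascript
// Added example, not domato's own code: a reduced model of the variable
// registry in domato's generated JavaScript, runnable under node without a
// DOM. GetVariable/SetVariable are copied as declared in the generated file;
// makeElement() is a constructed stand-in for document.createElement().

function GetVariable(fuzzervars, var_type) {
  if (fuzzervars[var_type]) { return fuzzervars[var_type]; } else { return null; }
}
function SetVariable(fuzzervars, var_name, var_type) { fuzzervars[var_type] = var_name; }

// Stand-in for a DOM element (constructed; no browser needed).
function makeElement(tag) {
  return { tagName: tag.toUpperCase() };
}

// The shape the generator emits today: SetVariable(var, 'Type'), i.e. two
// arguments passed to a three-parameter function. `created` is whatever the
// preceding createElement() line produced (undefined if it threw).
function registerAsEmitted(registry, created) {
  var var00005 = created;
  try {
    if (!var00005) {
      var00005 = GetVariable(registry, 'HTMLTemplateElement');
    } else {
      // Binds fuzzervars=var00005, var_name='HTMLTemplateElement',
      // var_type=undefined, so this writes var00005["undefined"] and
      // leaves `registry` untouched.
      SetVariable(var00005, 'HTMLTemplateElement');
      SetVariable(var00005, 'Element');
    }
  } catch (e) {}
  return var00005;
}

// The shape the issue proposes: SetVariable(fuzzervars, var, 'Type'), so the
// element is stored in the shared registry under each of its types.
function registerWithRegistry(registry, created) {
  var var00005 = created;
  try {
    if (!var00005) {
      var00005 = GetVariable(registry, 'HTMLTemplateElement');
    } else {
      SetVariable(registry, var00005, 'HTMLTemplateElement');
      SetVariable(registry, var00005, 'Element');
    }
  } catch (e) {}
  return var00005;
}

// What a later generated line sees when it asks the registry for a type.
function lookup(registry, var_type) {
  return GetVariable(registry, var_type);
}

// Property names an element picked up that are not part of the stand-in model.
function strayKeys(el) {
  return Object.keys(el).filter(function (k) { return k !== 'tagName'; });
}

// Walk-through when run directly under node.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  var r1 = {}, e1 = registerAsEmitted(r1, makeElement('template'));
  console.log('emitted form: registry =', r1, 'stray keys on element =', strayKeys(e1));
  var r2 = {}, e2 = registerWithRegistry(r2, makeElement('template'));
  console.log('proposed form: registry types =', Object.keys(r2));
}
```

Note that even with the three-argument form, `SetVariable` keeps one variable per type (the last one stored wins), which is how `GetVariable(fuzzervars, 'Element')` in a later line resolves to the most recently created element of that type.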