mozillasecurity / dharma
Generation-based, context-free grammar fuzzer. Refer to https://github.com/posidron/dharma for a maintained version.
License: Mozilla Public License 2.0
In the following code, as you can see, the variable typedArray1 is used before being declared. This is not the only time this happens.
try { var getRandomInt1= 213; } catch (e) { }
try { var blob1 = new Blob([typedArray1], {type: "application/json"}); } catch (e) { }
try { var fileParts1 = ['AAAAA%d"UdUzgNbbgwsJqtHhxJoENRVfstctp"'] } catch (e) { }
try { var typedArray1 = GetTheTypedArraySomehow(); } catch (e) { }
try { var slice1 = blob1.slice(getRandomInt1, 1! "application/xhtml+xml"); } catch (e) { }
try { for(var i=0; i < getRandomInt1; i++) { slice1.append(fileParts1[-57938]); } } catch (e) { }
and this is what part of my grammar looks like:
%%% ###########################################################################
%section% := variable
blob :=
	var @blob@ = new Blob([!typedArray!], {type: +common:app_mime_type+});
typedArray :=
	var @TypedArray@ = GetTheTypedArraySomehow();
Thanks
Hi,
I have recently installed dharma using pip, but while running the following command I am facing some issues:
$ dharma -grammars grammars/canvas2d.dg -server -template grammars/var/templates/html5/default.html
[Dharma] 2019-05-09 14:48:31,245 INFO: Machine random seed: 62779021592397288
[Dharma] 2019-05-09 14:48:31,246 DEBUG: Using configuration from: /home/hackintosh/.local/lib/python2.7/site-packages/dharma/settings.py
[Dharma] 2019-05-09 14:48:31,247 DEBUG: Processing grammar content of ../../../.local/lib/python2.7/site-packages/dharma/grammars/common.dg
[Dharma] 2019-05-09 14:48:31,250 DEBUG: Processing grammar content of grammars/canvas2d.dg
[Dharma] 2019-05-09 14:48:31,253 WARNING: Line 227 [canvas2d]: Unable to identify argument of uri() "fuzzdata/samples/jpg/"
[Dharma] 2019-05-09 14:48:31,254 INFO: Socket server is listening at 127.0.0.1:9090
----------------------------------------
Exception happened during processing of request from ('127.0.0.1', 48738)
Traceback (most recent call last):
  File "/usr/lib/python2.7/SocketServer.py", line 596, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__
    self.handle()
  File "/home/hackintosh/.local/lib/python2.7/site-packages/dharma/core/websocket.py", line 48, in handle
    hresponse = hashlib.sha1(headers['sec-websocket-key'].encode('ascii'))
AttributeError: 'NoneType' object has no attribute 'encode'
Can someone explain to me what is going wrong?
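The traceback above ends in dharma's handshake handler calling .encode() on headers['sec-websocket-key'] when that header is absent, which is what a connection from something other than a WebSocket client (a plain HTTP GET against 127.0.0.1:9090, for instance) produces. The following is an added example, not dharma's own websocket.py: a minimal RFC 6455 handshake validator that checks the Upgrade/Connection headers and the key's shape and answers 400 Bad Request instead of letting the handler thread die. The two request byte strings are constructed here; the key value is the example from RFC 6455.

```python
import base64
import binascii
import hashlib

# RFC 6455 section 4.2.2: fixed GUID appended to the client's key before hashing.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def parse_request_headers(raw: bytes) -> dict:
    """Parse an HTTP/1.1 request head into {lower-cased name: value}; the body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def websocket_accept(key: str) -> str:
    """Sec-WebSocket-Accept = base64(sha1(key + GUID))."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def handshake_response(raw_request: bytes) -> bytes:
    """101 Switching Protocols for a well-formed WebSocket upgrade, 400 for anything else
    (plain HTTP request, missing or malformed Sec-WebSocket-Key)."""
    headers = parse_request_headers(raw_request)
    key = headers.get("sec-websocket-key")
    is_upgrade = (headers.get("upgrade", "").lower() == "websocket"
                  and "upgrade" in headers.get("connection", "").lower())
    bad = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"
    if key is None or not is_upgrade:
        return bad
    try:
        # RFC 6455 section 4.2.1: the key is 16 random bytes, base64-encoded.
        if len(base64.b64decode(key, validate=True)) != 16:
            return bad
    except (binascii.Error, ValueError):
        return bad
    return ("HTTP/1.1 101 Switching Protocols\r\n"
            "Upgrade: websocket\r\n"
            "Connection: Upgrade\r\n"
            "Sec-WebSocket-Accept: " + websocket_accept(key) + "\r\n\r\n").encode("ascii")


# Constructed sample requests: a proper upgrade (key from RFC 6455) and a plain GET.
UPGRADE_REQUEST = (b"GET /chat HTTP/1.1\r\nHost: 127.0.0.1:9090\r\nUpgrade: websocket\r\n"
                   b"Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
                   b"Sec-WebSocket-Version: 13\r\n\r\n")
PLAIN_GET = b"GET / HTTP/1.1\r\nHost: 127.0.0.1:9090\r\nUser-Agent: curl\r\n\r\n"

if __name__ == "__main__":
    print(handshake_response(UPGRADE_REQUEST).decode())
    print(handshake_response(PLAIN_GET).decode())
```

The point of the shape check is that the handshake accepts attacker-controlled bytes before any protocol state exists, so the key should be validated, not just hashed.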
Hi,
First off, thank you for this awesome project.
I've recently updated to dharma 1.3.1 for my fuzzing projects and noticed that it couldn't generate correct code anymore. After investigation, it turned out that the recursive definition of a variable now produces incorrect output.
Here is a basic test case for reproduction:
dharma_regression.dg
%section% := value
UseOfVar :=
	print(!var!);
%section% := variable
var :=
	@var@ = new Foo();
	@var@ = new FooFromVar(!var!);
%section% := variance
main :=
	+UseOfVar+
On dharma 1.2, the !var! used in the second variable definition is correctly recursed over until no dependencies remain, which produces a "correct" output such as:
$ dharma -grammars dharma_regression.dg
var1 = new Foo();
var2 = new FooFromVar(var1);
var3 = new FooFromVar(var2);
var4 = new FooFromVar(var3);
print(var3);
print(var4);
print(var4);
print(var1);
print(var3);
print(var1);
However, after upgrading to dharma 1.3.1, the generated test cases look more like:
$ dharma -grammars dharma_regression.dg
var2 = new FooFromVar(var2);
var2 = new FooFromVar(var2);
var3 = new Foo();
print(var2);
print(var3);
which will produce "used before assigned" types of errors once executed. After a quick check, it seems that the regression was introduced by 834203f. With that commit reverted, the variable recursion operates as expected.
Can you confirm this behavior?
Thank you.
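Both the Blob report earlier on this page (typedArray1 referenced before its declaration) and this regression (var2 = new FooFromVar(var2) with no earlier var2) are instances of the same defect in generated output: a generated variable is used before any line assigns it. The following is an added example, not dharma's code: a small lint over generated test cases that tracks which generated names (a grammar prefix followed by digits) have been assigned so far and reports every earlier reference, treating the right-hand side of an assignment as evaluated before the assignment takes effect. The try/catch wrapper and the var keyword that dharma emits are tolerated by the declaration pattern. The sample outputs are the ones quoted in the two reports.

```python
import re
from typing import Iterable, List, Tuple

# A declaration line, optionally wrapped in dharma's "try { ... } catch (e) {}" and
# optionally prefixed with "var". Group 1 is the declared name, group 2 the right-hand side.
DECL_RE = re.compile(r"^\s*(?:try\s*\{\s*)?(?:var\s+)?([A-Za-z_]\w*)\s*=(?!=)\s*(.*)$")


def find_use_before_define(lines: Iterable[str], prefixes: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, name) for every generated variable (prefix + digits, e.g. var2 or
    typedArray1) that is referenced on a line before any line has assigned it. 1-based lines."""
    token_re = re.compile(r"\b(?:" + "|".join(re.escape(p) for p in prefixes) + r")\d+\b")
    defined: set = set()
    problems: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        m = DECL_RE.match(line)
        if m:
            name, rhs = m.group(1), m.group(2)
            # The right-hand side runs before the assignment, so a self-reference such as
            # "var2 = new FooFromVar(var2);" is a use-before-define of var2.
            for ref in token_re.findall(rhs):
                if ref not in defined:
                    problems.append((lineno, ref))
            defined.add(name)
        else:
            for ref in token_re.findall(line):
                if ref not in defined:
                    problems.append((lineno, ref))
    return problems


# Output quoted in the report above for dharma 1.3.1 (regressed) and for dharma 1.2 (good).
REGRESSED_OUTPUT = [
    "var2 = new FooFromVar(var2);",
    "var2 = new FooFromVar(var2);",
    "var3 = new Foo();",
    "print(var2);",
    "print(var3);",
]
GOOD_OUTPUT = [
    "var1 = new Foo();",
    "var2 = new FooFromVar(var1);",
    "var3 = new FooFromVar(var2);",
    "print(var3);",
    "print(var1);",
]
# The Blob test case from the first report on this page, as emitted by the fuzzer.
BLOB_OUTPUT = [
    'try { var getRandomInt1= 213; } catch (e) { }',
    'try { var blob1 = new Blob([typedArray1], {type: "application/json"}); } catch (e) { }',
    'try { var fileParts1 = [\'AAAAA%d"UdUzgNbbgwsJqtHhxJoENRVfstctp"\'] } catch (e) { }',
    'try { var typedArray1 = GetTheTypedArraySomehow(); } catch (e) { }',
    'try { var slice1 = blob1.slice(getRandomInt1, 1! "application/xhtml+xml"); } catch (e) { }',
    'try { for(var i=0; i < getRandomInt1; i++) { slice1.append(fileParts1[-57938]); } } catch (e) { }',
]
BLOB_PREFIXES = ["getRandomInt", "blob", "fileParts", "typedArray", "slice"]

if __name__ == "__main__":
    print(find_use_before_define(REGRESSED_OUTPUT, ["var"]))
    print(find_use_before_define(GOOD_OUTPUT, ["var"]))
    print(find_use_before_define(BLOB_OUTPUT, BLOB_PREFIXES))
```

Running this over a storage directory of generated cases before handing them to the target separates "the generator is broken" from "the target is broken", which matters once a crash is being triaged.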
Hi,
While trying dharma, I was wondering how I can declare variables with only one definition in the grammar. For instance, the following grammar:
%section% := value
test :=
	!test! = +dictObject+
dictObject :=
	{}
%section% := variable
test :=
	@test@ = new +dictObject+;
%section% := variance
main :=
	!test! !test!
Will produce this output:
test1 = new {};
test1 test1
How can we declare test2, test3, ... with just one definition of test in the grammar?
Looking at core/dharma.py, DharmaVariable seems to me not to work as expected:
def generate(self, state):
    """Return a random variable if any otherwise create a new default variable."""
    if self.count:
        return "%s%d" % (self.var, random.randint(1, self.count))
    self.count += 1
    var = random.choice(self)
    element_name = "%s%d" % (self.var, self.count)
    self.default = "%s%s%s" % (self.eval(var[0], state), element_name, self.eval(var[1], state))
    return element_name
self.count will never be greater than 1, so the random.randint call doesn't make sense.
Hi, there.
Thanks for your awesome tool! I am playing with dharma these days and I have a question about the "-recursion-limit" option.
In the --help output, "-recursion-limit" is described as the maximum Python recursion limit. I wonder whether this is also the grammar recursion limit?
For example,
%%% test.dg
%section% := value
statement :=
	+ifstatement+
ifstatement :=
	if (1) { +statement+ }
%section% := variable
%section% := variance
main :=
	+statement+
The grammar rule above is commonly used when defining a specific language, but dharma rejects it with "ERROR: No path to leaf in force-leaf mode in value test:statement".
Also, when I ran the example shipped with dharma:
$dharma -grammars dharma/grammars/canvas2d.dg -storage . -count 1 -recursion-limit 5
Traceback (most recent call last):
  File "/usr/local/bin/dharma", line 11, in <module>
  File "/usr/local/lib/python3.5/dist-packages/dharma-1.3.2-py3.5.egg/dharma/dharma.py", line 61, in main
  File "/usr/lib/python3.5/logging/__init__.py", line 1747, in basicConfig
RecursionError: maximum recursion depth exceeded while calling a Python object
Error in sys.excepthook:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/apport_python_hook.py", line 53, in apport_excepthook
  File "/usr/lib/python3/dist-packages/apport_python_hook.py", line 26, in enabled
RecursionError: maximum recursion depth exceeded while calling a Python object
Original exception was:
Traceback (most recent call last):
  File "/usr/local/bin/dharma", line 11, in <module>
  File "/usr/local/lib/python3.5/dist-packages/dharma-1.3.2-py3.5.egg/dharma/dharma.py", line 61, in main
  File "/usr/lib/python3.5/logging/__init__.py", line 1747, in basicConfig
RecursionError: maximum recursion depth exceeded while calling a Python object
So, my question is: can a recursive grammar like this be defined in a .dg file? And what is the difference between the grammar's maximum recursion depth and the "-recursion-limit" option?
Please understand if I state something wrong. Any suggestions are welcome. Thank you very much!
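The two things in this question are separate. The second traceback shows what happens when -recursion-limit 5 is fed to Python's own recursion limit (as the quoted --help text says it is): even logging.basicConfig overflows five frames, so the crash has nothing to do with the grammar. The "No path to leaf in force-leaf mode" error is about the grammar itself: every alternative of statement goes through ifstatement and every alternative of ifstatement goes back through statement, so no finite expansion exists and no recursion limit can fix that. The following is an added example, not dharma's implementation of the check: it parses the value section of a grammar in the .dg layout shown above and computes, as a least fixed point over +ref+ cross-references, which rules can never reach a leaf. It assumes that references to rules not defined in the parsed value section (for example common:intoverflow from the bundled common.dg) are productive. Adding a single terminal alternative to statement is enough to make both rules productive.

```python
import re
from typing import Dict, List

XREF_RE = re.compile(r"\+([A-Za-z0-9_:]+)\+")          # +name+ cross-reference
SECTION_RE = re.compile(r"^%section%\s*:=\s*(\w+)")     # %section% := value|variable|variance
RULE_RE = re.compile(r"^([A-Za-z0-9_]+)\s*:=\s*$")      # name :=


def parse_value_section(grammar: str) -> Dict[str, List[str]]:
    """Collect {rule: [alternatives]} from the 'value' section of a dharma-style grammar.
    Alternatives are the indented lines (tab or spaces) under a 'name :=' header."""
    rules: Dict[str, List[str]] = {}
    current = None
    in_value = False
    for raw in grammar.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("%%%"):
            continue  # blank line or comment
        sec = SECTION_RE.match(line)
        if sec:
            in_value = sec.group(1) == "value"
            current = None
            continue
        if not in_value:
            continue
        header = RULE_RE.match(line)
        if header:
            current = header.group(1)
            rules.setdefault(current, [])
        elif current is not None and line[0] in " \t":
            rules[current].append(line.strip())
    return rules


def rules_without_leaf_path(rules: Dict[str, List[str]]) -> List[str]:
    """A rule is productive if at least one alternative references only productive rules; an
    alternative with no +ref+ at all is a leaf. Iterate to a fixed point and return the rules
    that never become productive, i.e. the ones dharma rejects in force-leaf mode.
    Assumption: references to rules outside this section (e.g. common:...) are productive."""
    productive: set = set()
    changed = True
    while changed:
        changed = False
        for name, alts in rules.items():
            if name in productive:
                continue
            for alt in alts:
                refs = XREF_RE.findall(alt)
                if all(r in productive or r not in rules for r in refs):
                    productive.add(name)
                    changed = True
                    break
    return sorted(set(rules) - productive)


# The grammar from the question above (tabs restored), and a variant with one leaf added.
BROKEN = "\n".join([
    "%%% test.dg",
    "%section% := value",
    "statement :=",
    "\t+ifstatement+",
    "ifstatement :=",
    "\tif (1) { +statement+ }",
    "%section% := variable",
    "%section% := variance",
    "main :=",
    "\t+statement+",
])
FIXED = BROKEN.replace("\t+ifstatement+", "\t+ifstatement+\n\tx = 1;")

if __name__ == "__main__":
    print(rules_without_leaf_path(parse_value_section(BROKEN)))
    print(rules_without_leaf_path(parse_value_section(FIXED)))
```

Once a leaf exists, the depth of the if-nesting is bounded by the generator's random choice between the two alternatives, which is the recursion the grammar controls; Python's recursion limit only needs to be large enough for the generator to walk that depth.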
In the README.md, a webcrypto.dg is mentioned, but it doesn't seem to be in the git repo. (;
Hi, I just started using dharma and I ran into some problems:
When I run: dharma -grammars dharma/grammars/common.dg -storage common -count 5, I get this error:
[Dharma] 2019-11-28 21:40:30,732 INFO: Machine random seed: 5845788605360104063
[Dharma] 2019-11-28 21:40:30,732 DEBUG: Using configuration from: /export/nisl/.conda/envs/funfuzz/lib/python3.6/site-packages/dharma/settings.py
[Dharma] 2019-11-28 21:40:30,733 DEBUG: Processing grammar content of ../../.conda/envs/funfuzz/lib/python3.6/site-packages/dharma/grammars/common.dg
[Dharma] 2019-11-28 21:40:30,737 DEBUG: Processing grammar content of dharma/grammars/common.dg
[Dharma] 2019-11-28 21:40:30,737 ERROR: Line 8 [common](value): 'common:bool' gets redefined
And when I run: dharma -grammars dharma/grammars/svg.dg -storage svg -count 5, I get this error:
[Dharma] 2019-11-28 21:32:47,487 INFO: Machine random seed: 8969750037613965213
[Dharma] 2019-11-28 21:32:47,487 DEBUG: Using configuration from: /export/nisl/.conda/envs/funfuzz/lib/python3.6/site-packages/dharma/settings.py
[Dharma] 2019-11-28 21:32:47,488 DEBUG: Processing grammar content of ../../.conda/envs/funfuzz/lib/python3.6/site-packages/dharma/grammars/common.dg
[Dharma] 2019-11-28 21:32:47,492 DEBUG: Processing grammar content of dharma/grammars/svg.dg
Segmentation fault (core dumped)
Except for these two grammar files, the others work as expected, so I want to know what the reason is. If I typed the command incorrectly, please let me know!
Thanks, looking forward to your response.
Hi @MozillaSecurity and others,
I've successfully set up dharma + quokka + FuzzManager to fuzz Firefox nightly via websockets. However, when quokka detects a fault/crash, only stdout/stderr/ASAN traces are submitted to FuzzManager. I'd also like to (automatically) collect the crash samples generated by dharma that cause the crash itself (and only those samples that are interesting).
Is there a way to achieve just that using the dharma/quokka/FuzzManager setup?
It seems dharma needs a file called 'settings.py', but it's not included in the repo, nor are we told how to create it. Dharma doesn't work without it.
I encountered this error when running dharma on Windows:
Traceback (most recent call last):
  File "d:\softwares\python\python38\lib\runpy.py", line 194, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "d:\softwares\python\python38\lib\runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "D:\softwares\Python\Python38\Scripts\dharma.exe\__main__.py", line 9, in <module>
  File "d:\softwares\python\python38\lib\site-packages\dharma\dharma.py", line 71, in main
    dharma.process_grammars(args.grammars)
  File "d:\softwares\python\python38\lib\site-packages\dharma\core\dharma.py", line 520, in process_grammars
    grammars.insert(0, open(os.path.relpath(os.path.join(os.path.dirname(os.path.abspath(__file__)),
  File "d:\softwares\python\python38\lib\ntpath.py", line 703, in relpath
    raise ValueError("path is on mount %r, start on mount %r" % (
ValueError: path is on mount 'd:', start on mount 'E:'
Suggested fix:
remove os.path.relpath
in dharma.py:517
grammars.insert(0, open(os.path.join(os.path.dirname(os.path.abspath(__file__)), os.path.normcase(path))))
While writing a custom grammar, I got dharma to crash. Maybe a possible bug. I will attach a screenshot with the code and the crash point, and will also provide the source of the custom grammar.
//////////source code
%section% := value
definition :=
	"hello" +!array!
setProperty :=
	!new_array!
	!new_array!.prototype.slice.call( %range%(0-32767), +common:intoverflow+ );
	!array!.prototype.slice.call( %range%(0-32767), +common:intoverflow+ );
	!new_array!.prototype.slice.call( !new_array!.length, +common:intoverflow+ );
	!array!.prototype.slice.call( !array!.length, +common:intoverflow+ );
wrapper :=
	try { +setProperty+ } catch (e) {} \n
stuff :=
	world
	mom
	dad
number :=
	+common:intoverflow+
%section% := variable
array :=
	var @array@ = [];
dict :=
	try { var @dict@ = {}; } catch(e) {}
new_array :=
	var @new_array@ = new Array((Math.random() & @[email protected]) | 0)
property :=
	var @Property@ = "+common:character+"
%section% := variance
main :=
	Object.defineProperty(!dict!,!property!,{value: +number+});
	Object.defineProperty(!array!,!property!,{value: +number+});
	Object.defineProperty(!dict!,!property!,{value: +number+});
	Object.defineProperty(!array!,!property!,{value: +number+});
	+wrapper+
	+wrapper+
	+wrapper+
	+wrapper+
I have looked in each file (including the settings.py file) but I have yet to see a configuration file. I would like to set the path of Firefox, but I see nowhere that I can do that.
As of January 1 2019, Mozilla requires that all GitHub projects include this CODE_OF_CONDUCT.md file in the project root. The file has two parts:
If you have any questions about this file, or Code of Conduct policies and procedures, please see Mozilla-GitHub-Standards or email [email protected].
(Message COC001)
It took me a good few minutes of "Why isn't this working?" before I twigged that my vim is configured to replace tabs with spaces and dharma requires tabs...
Seems to be a simple change in core/dharma.py
diff --git a/dharma/core/dharma.py b/dharma/core/dharma.py
index e4885a4..0c3c8cf 100644
--- a/dharma/core/dharma.py
+++ b/dharma/core/dharma.py
@@ -213,7 +213,7 @@ class DharmaMachine(object):
%section%\s*:=\s*(?P<section>value|variable|variance)|
(?P<ident>[a-zA-Z0-9_]+)\s*:=\s*|
(?P<empty>\s*)|
- \t(?P<assign>.*)
+ (\t|[ ]+)(?P<assign>.*)
)$"""
self.xref_registry = r"""(
(?P<type>\+|!|@)(?P<xref>[a-zA-Z0-9:_]+)(?P=type)|
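Review bot: with `(\t|[ ]+)(?P<assign>.*)` any space-indented line now matches the assign alternative, including a mis-indented rule header such as `  foo :=`, which previously matched no alternative of the anchored `^(...)$` pattern and now silently becomes an alternative of the preceding rule; either allow optional leading whitespace on the `(?P<ident>...)` branch as well, or reject an indented line ending in `:=` before treating it as an assignment. Also make the new group non-capturing, `(?:\t|[ ]+)`, so it does not add an unnamed capture beside the named ones, and note in the README that spaces are accepted as indentation now that tabs are no longer the only form.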
Hi @posidron,
First of all thanks for dharma, awesome tool ;)
I just released a blog post where I'm using it for fuzzing V8 WebAssembly JS APIs.
https://webassembly-security.com/fuzzing-wasm-javascript-dharma-chrome-v8/
Hope you will like it ;)