Handle invalid property names gracefully in ProbingMutator

Instead of just assert()ing that the name is valid, explicitly check for that and log an error if an invalid property name is observed. Drive-by: exclude Protobuf/gen_programproto.py in Package.swift to fix compiler warnings.
googleprojectzero · Aug 15, 2023 · 49449fb · 49449fb
1 parent 2e95ff9
commit 49449fb
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 5 deletions.
diff --git a/Package.swift b/Package.swift
@@ -46,9 +46,10 @@ let package = Package(
                     "libreprl",
                     "libcoverage"],
                 exclude: [
-                    "Protobuf/sync.proto",
+                    "Protobuf/gen_programproto.py",
                     "Protobuf/operations.proto",
                     "Protobuf/program.proto",
+                    "Protobuf/sync.proto",
                     "Protobuf/README.md"],
                 resources: [
                     // The ast.proto file is required by the node.js parser

diff --git a/Sources/Fuzzilli/Mutators/ProbingMutator.swift b/Sources/Fuzzilli/Mutators/ProbingMutator.swift
@@ -186,7 +186,7 @@ public class ProbingMutator: RuntimeAssistedMutator {
         let propertyIsStored = result.stores.keys.contains(propertyName)
 
         // Install the property, either as regular property or as a property accessor.
-        let property = parsePropertyName(propertyName)
+        guard let property = parsePropertyName(propertyName) else { return }
         if probability(0.8) {
             installRegularProperty(property, on: obj, using: b)
         } else {
@@ -208,7 +208,7 @@ public class ProbingMutator: RuntimeAssistedMutator {
 
         switch property {
         case .regular(let name):
-            assert(name.rangeOfCharacter(from: .whitespacesAndNewlines) == nil)
+            assert(isValidPropertyName(name))
             b.setProperty(name, of: obj, to: value)
         case .element(let index):
             b.setElement(index, of: obj, to: value)
@@ -253,7 +253,7 @@ public class ProbingMutator: RuntimeAssistedMutator {
 
         switch property {
         case .regular(let name):
-            assert(name.rangeOfCharacter(from: .whitespacesAndNewlines) == nil)
+            assert(isValidPropertyName(name))
             b.configureProperty(name, of: obj, usingFlags: PropertyFlags.random(), as: config)
         case .element(let index):
             b.configureElement(index, of: obj, usingFlags: PropertyFlags.random(), as: config)
@@ -308,7 +308,12 @@ public class ProbingMutator: RuntimeAssistedMutator {
         }
     }
 
-    private func parsePropertyName(_ propertyName: String) -> Property {
+    private func isValidPropertyName(_ name: String) -> Bool {
+        // Currently only property names containing whitespaces or newlines are invalid.
+        return name.rangeOfCharacter(from: .whitespacesAndNewlines) == nil
+    }
+
+    private func parsePropertyName(_ propertyName: String) -> Property? {
         // Anything that parses as an Int64 is an element index.
         if let index = Int64(propertyName) {
             return .element(index)
@@ -323,6 +328,11 @@ public class ProbingMutator: RuntimeAssistedMutator {
         }
 
         // Everything else is a regular property name.
+        guard isValidPropertyName(propertyName) else {
+            // Invalid property names should have been filtered out on the JavaScript side, so receiving them here is an error.
+            logger.error("Received invalid property name: \(propertyName)")
+            return nil
+        }
         return .regular(propertyName)
     }