/src/CMake/Tests/Fuzzing/cmArchiveExtractFuzzer.cxx

Source
/* Distributed under the OSI-approved BSD 3-Clause License.  See accompanying
   file LICENSE.rst or https://cmake.org/licensing for details.  */

/*
 * Fuzzer for CMake's archive extraction (tar/zip)
 *
 * CMake extracts archives via cmSystemTools::ExtractTar. This is a critical
 * attack surface as malicious archives could contain path traversal sequences
 * (Zip Slip) or other exploits.
 *
 * Coverage targets:
 * - Archive format detection (tar, gzip, bzip2, xz, zip)
 * - Path handling during extraction
 * - Symlink handling
 * - Large file handling
 * - Malformed archive recovery
 *
 * Security focus:
 * - Path traversal (../) detection
 * - Absolute path handling
 * - Symlink escape attempts
 */

#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

#include "cmSystemTools.h"

// Archives can be large but limit for fuzzing
static constexpr size_t kMinInputSize = 4;          // Minimum magic bytes
static constexpr size_t kMaxInputSize = 256 * 1024; // 256KB

// Sandbox directory for extraction
static std::string g_extractDir;

extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv)
{
  (void)argc;
  (void)argv;

  // Create a unique extraction directory in /tmp
  char tmpl[] = "/tmp/cmake_fuzz_extract_XXXXXX";
  char* dir = mkdtemp(tmpl);
  if (dir) {
    g_extractDir = dir;
  } else {
    g_extractDir = "/tmp/cmake_fuzz_extract";
    cmSystemTools::MakeDirectory(g_extractDir);
  }

  return 0;
}

extern "C" int LLVMFuzzerTestOneInput(uint8_t const* data, size_t size)
{
  if (size < kMinInputSize || size > kMaxInputSize) {
    return 0;
  }

  // Write archive to temp file
  std::string archiveFile = g_extractDir + "/test_archive";
  {
    FILE* fp = fopen(archiveFile.c_str(), "wb");
    if (!fp) {
      return 0;
    }
    fwrite(data, 1, size, fp);
    fclose(fp);
  }

  // Create a fresh extraction subdirectory each time
  std::string extractSubDir = g_extractDir + "/out";
  cmSystemTools::RemoveADirectory(extractSubDir);
  cmSystemTools::MakeDirectory(extractSubDir);

  // Save current directory
  std::string cwd = cmSystemTools::GetCurrentWorkingDirectory();

  // Change to extraction directory (cmSystemTools extracts to cwd)
  if (cmSystemTools::ChangeDirectory(extractSubDir)) {
    // Try extraction with different options
    std::vector<std::string> files;

    // Extract without verbose, with timestamps
    bool result1 = cmSystemTools::ExtractTar(
      archiveFile, files, cmSystemTools::cmTarExtractTimestamps::Yes, "UTF-8",
      false);
    (void)result1;

    // Restore directory BEFORE removing (can't remove cwd)
    cmSystemTools::ChangeDirectory(cwd);

    // Clean up extracted files
    cmSystemTools::RemoveADirectory(extractSubDir);
    cmSystemTools::MakeDirectory(extractSubDir);

    // Change back for second extraction
    if (cmSystemTools::ChangeDirectory(extractSubDir)) {
      // Extract with verbose, without timestamps
      files.clear();
      bool result2 = cmSystemTools::ExtractTar(
        archiveFile, files, cmSystemTools::cmTarExtractTimestamps::No, "UTF-8",
        true);
      (void)result2;

      // Restore directory
      cmSystemTools::ChangeDirectory(cwd);
    }
  }

  // Note: A more thorough security check would verify nothing escaped the
  // sandbox, but for fuzzing we rely on sanitizers to catch path traversal

  // Cleanup
  cmSystemTools::RemoveADirectory(extractSubDir);
  cmSystemTools::RemoveFile(archiveFile);

  return 0;
}

Line	Count	Source
1		/* Distributed under the OSI-approved BSD 3-Clause License. See accompanying
2		file LICENSE.rst or https://cmake.org/licensing for details. */
3
4		/*
5		* Fuzzer for CMake's archive extraction (tar/zip)
6		*
7		* CMake extracts archives via cmSystemTools::ExtractTar. This is a critical
8		* attack surface as malicious archives could contain path traversal sequences
9		* (Zip Slip) or other exploits.
10		*
11		* Coverage targets:
12		* - Archive format detection (tar, gzip, bzip2, xz, zip)
13		* - Path handling during extraction
14		* - Symlink handling
15		* - Large file handling
16		* - Malformed archive recovery
17		*
18		* Security focus:
19		* - Path traversal (../) detection
20		* - Absolute path handling
21		* - Symlink escape attempts
22		*/
23
24		#include <cstddef>
25		#include <cstdint>
26		#include <cstdio>
27		#include <cstdlib>
28		#include <string>
29		#include <vector>
30
31		#include "cmSystemTools.h"
32
33		// Archives can be large but limit for fuzzing
34		static constexpr size_t kMinInputSize = 4; // Minimum magic bytes
35		static constexpr size_t kMaxInputSize = 256 * 1024; // 256KB
36
37		// Sandbox directory for extraction
38		static std::string g_extractDir;
39
40		extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv)
41	6	{
42	6	(void)argc;
43	6	(void)argv;
44
45		// Create a unique extraction directory in /tmp
46	6	char tmpl[] = "/tmp/cmake_fuzz_extract_XXXXXX";
47	6	char* dir = mkdtemp(tmpl);
48	6	if (dir) {
49	6	g_extractDir = dir;
50	6	} else {
51	0	g_extractDir = "/tmp/cmake_fuzz_extract";
52	0	cmSystemTools::MakeDirectory(g_extractDir);
53	0	}
54
55	6	return 0;
56	6	}
57
58		extern "C" int LLVMFuzzerTestOneInput(uint8_t const* data, size_t size)
59	16.1k	{
60	16.1k	if (size < kMinInputSize \|\| size > kMaxInputSize) {
61	2	return 0;
62	2	}
63
64		// Write archive to temp file
65	16.1k	std::string archiveFile = g_extractDir + "/test_archive";
66	16.1k	{
67	16.1k	FILE* fp = fopen(archiveFile.c_str(), "wb");
68	16.1k	if (!fp) {
69	0	return 0;
70	0	}
71	16.1k	fwrite(data, 1, size, fp);
72	16.1k	fclose(fp);
73	16.1k	}
74
75		// Create a fresh extraction subdirectory each time
76	0	std::string extractSubDir = g_extractDir + "/out";
77	16.1k	cmSystemTools::RemoveADirectory(extractSubDir);
78	16.1k	cmSystemTools::MakeDirectory(extractSubDir);
79
80		// Save current directory
81	16.1k	std::string cwd = cmSystemTools::GetCurrentWorkingDirectory();
82
83		// Change to extraction directory (cmSystemTools extracts to cwd)
84	16.1k	if (cmSystemTools::ChangeDirectory(extractSubDir)) {
85		// Try extraction with different options
86	16.1k	std::vector<std::string> files;
87
88		// Extract without verbose, with timestamps
89	16.1k	bool result1 = cmSystemTools::ExtractTar(
90	16.1k	archiveFile, files, cmSystemTools::cmTarExtractTimestamps::Yes, "UTF-8",
91	16.1k	false);
92	16.1k	(void)result1;
93
94		// Restore directory BEFORE removing (can't remove cwd)
95	16.1k	cmSystemTools::ChangeDirectory(cwd);
96
97		// Clean up extracted files
98	16.1k	cmSystemTools::RemoveADirectory(extractSubDir);
99	16.1k	cmSystemTools::MakeDirectory(extractSubDir);
100
101		// Change back for second extraction
102	16.1k	if (cmSystemTools::ChangeDirectory(extractSubDir)) {
103		// Extract with verbose, without timestamps
104	16.1k	files.clear();
105	16.1k	bool result2 = cmSystemTools::ExtractTar(
106	16.1k	archiveFile, files, cmSystemTools::cmTarExtractTimestamps::No, "UTF-8",
107	16.1k	true);
108	16.1k	(void)result2;
109
110		// Restore directory
111	16.1k	cmSystemTools::ChangeDirectory(cwd);
112	16.1k	}
113	16.1k	}
114
115		// Note: A more thorough security check would verify nothing escaped the
116		// sandbox, but for fuzzing we rely on sanitizers to catch path traversal
117
118		// Cleanup
119	16.1k	cmSystemTools::RemoveADirectory(extractSubDir);
120	16.1k	cmSystemTools::RemoveFile(archiveFile);
121
122	16.1k	return 0;
123	16.1k	}

Coverage Report

Created: 2026-04-29 07:01