googleprojectzero / domato

DOM fuzzer
https://googleprojectzero.blogspot.ch/2017/09/the-great-dom-fuzz-off-of-2017.html
Apache License 2.0

about GetVariable and SetVariable #14

Closed tinysec closed 6 years ago

tinysec commented 6 years ago

Hi, first of all, it's a great project! I am a bit confused by GetVariable and SetVariable.

In the template and the output file, the GetVariable/SetVariable calls mismatch the declaration:

```javascript
function SetVariable(fuzzervars, var_name, var_type) { fuzzervars[var_type] = var_name; }
// ...
try { /* newvar{var00005:HTMLTemplateElement} */ var var00005 = document.createElement("template"); } catch(e) { }
try { if (!var00005) { var00005 = GetVariable(fuzzervars, 'HTMLTemplateElement'); } else { SetVariable(var00005, 'HTMLTemplateElement'); SetVariable(var00005, 'Element'); SetVariable(var00005, 'GlobalEventHandlers'); SetVariable(var00005, 'EventTarget');  } } catch(e) { }
```

I wonder what the real goal of this generated code is.

In grammar.py (lines 528 ~ 532) you just generate the var with 2 params:

```python
for v in new_vars:
    if v['type'] not in _NONINTERESTING_TYPES:
        self._add_variable(v['name'], v['type'], context)
        additional_lines.append("if (!" + v['name'] + ") { " + v['name'] + " = GetVariable(fuzzervars, '" + v['type'] + "'); } else { " + self._get_variable_setters(v['name'], v['type']) + " }")
```

thank you!

ifratric commented 6 years ago

The general issue GetVariable/SetVariable are trying to solve is:

In DOM fuzzing, method calls will often throw an exception or return null. However, at code generation time, Domato doesn't know when it is going to happen. And if it does happen, without GetVariable/SetVariable, Domato is going to use the return value (null) as an argument to future calls, essentially rendering them useless and leading to even more null variables down the line.

So, if the return value from a DOM call is not null, Domato is going to store it for later (that's what SetVariable does). And if the return value is null, then Domato is going to tell JavaScript: "give me a variable of this type I was trying to generate that was generated successfully in some previous call" (that's what GetVariable does).

You should also note that, due to inheritance, a single variable can be interpreted as multiple types (e.g. HTMLTemplateElement is also an Element), which is why you see a mismatch between GetVariable and SetVariable calls.
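The registry behaviour described above, as an added illustration that is not domato's own template.html: a typed variable store where a successful DOM call registers its result under its own type and every base type, and a failed call is recovered by reusing an earlier variable of the requested type. The DERIVED_FROM table, the registerOrRecover helper and the object stand-ins for DOM nodes are assumptions made so it runs in Node without a DOM.

```javascript
// Store a successfully produced value under var_type. A per-type list is kept
// so several good variables of one type accumulate instead of overwriting.
function SetVariable(fuzzervars, var_name, var_type) {
  if (!fuzzervars[var_type]) fuzzervars[var_type] = [];
  fuzzervars[var_type].push(var_name);
}

// Hand back one previously stored variable of var_type (deterministically the
// most recent one here; a fuzzer would pick at random). Returns undefined when
// nothing of that type was ever produced successfully.
function GetVariable(fuzzervars, var_type) {
  const list = fuzzervars[var_type];
  return list && list.length ? list[list.length - 1] : undefined;
}

// Hypothetical inheritance table (assumption, not domato's grammar): a value of
// a derived type is also registered under each base type, which is why one
// successful variable yields several SetVariable calls in the generated code.
const DERIVED_FROM = {
  HTMLTemplateElement: ['Element', 'GlobalEventHandlers', 'EventTarget'],
};

// Mirror of the generated "if (!var) { GetVariable } else { SetVariable... }"
// pattern: `value` is what the DOM call returned (null/undefined on failure).
function registerOrRecover(fuzzervars, value, var_type) {
  if (!value) return GetVariable(fuzzervars, var_type);
  SetVariable(fuzzervars, value, var_type);
  for (const base of DERIVED_FROM[var_type] || []) SetVariable(fuzzervars, value, base);
  return value;
}

function demo() {
  const vars = {};
  // Constructed stand-ins for DOM nodes: one call succeeds, the next one fails.
  const var00005 = registerOrRecover(vars, { tag: 'template' }, 'HTMLTemplateElement');
  const var00006 = registerOrRecover(vars, null, 'HTMLTemplateElement');
  // A failed call for a base type is served by the derived variable as well.
  const var00007 = registerOrRecover(vars, null, 'EventTarget');
  return { var00005, var00006, var00007, vars };
}
```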

tinysec commented 6 years ago

thank you!