Open Bug 336383 Opened 15 years ago Updated 3 years ago

DOM Range and Editor (designMode/execCommand/contentEditable) fuzzer

Categories

(Core :: Fuzzing, defect)

defect
Not set
normal


People

(Reporter: jruderman, Assigned: jruderman)

References

(Depends on 34 open bugs)

Details

(Keywords: meta, sec-other, Whiteboard: [sg:nse meta])

Attachments

(4 obsolete files)

This fuzzer creates random DOM Range objects, selects them, and calls random execCommand functions.  It also tests most DOM Range functions.
Attached file messy WIP (obsolete)
Whiteboard: [sg:nse meta]
Depends on: 336715
* Converted it to use fuzz.js (see bug 339948).
* Now works as a bookmarklet, by stuffing the page into an iframe.
Attachment #220613 - Attachment is obsolete: true
Joe, it would be great if you or someone else working on Editor could fix the crash bugs found with this fuzzer, bug 335995 and bug 336081, as well as a bug that seems to stop the fuzzer (or even the user) from making further changes to the document, bug 336091.  Once those three bugs are fixed, another round or two of fuzzing should tell us whether there are any easy-to-find security holes involving the execCommand API.
Attached file DOM Range and designMode fuzzer 2.0 (obsolete)
Attachment #224054 - Attachment is obsolete: true
Depends on: 345837
Attached file DOM Range and designMode fuzzer 3.0 (obsolete)
Attachment #226750 - Attachment is obsolete: true
Assignee: chofmann → jruderman
Comment on attachment 242972 [details]
DOM Range and designMode fuzzer 3.0

New version in bug 339948.
Attachment #242972 - Attachment is obsolete: true
Depends on: 372094
Depends on: 372284
Depends on: 382210
Depends on: 382046, 382057
Depends on: 382527
Depends on: 382778
Depends on: 383208
Depends on: 407053
Depends on: 407062
Depends on: 407072
Depends on: 407074
Depends on: 407079
Depends on: 407256
Depends on: 407259
Depends on: 407277
Depends on: 407818
Depends on: 409990
Depends on: 410230
Depends on: 413712
Depends on: 414178
Depends on: 414689
Depends on: 415394
Depends on: 416264
Depends on: 417384
Depends on: 418923
Depends on: 418928
Depends on: 419563
Depends on: 420439
Depends on: 420620
Depends on: 423514
Depends on: 424027
Depends on: 424276
Depends on: 424289
Depends on: 424300
Depends on: 427322
Depends on: 428275
Depends on: 429960
Depends on: 430124
Depends on: 430628
Depends on: 431086
Depends on: 437170
Depends on: 439258
Depends on: 444036
Depends on: 448161
Depends on: 448993
Depends on: 449006
Depends on: 453406
Depends on: 454746
Depends on: 460876
Depends on: 461049
Depends on: 462897
Depends on: 463356
Depends on: 467686
Depends on: 468202
Depends on: 469014
Depends on: 471246
Depends on: 475132
Depends on: 476087
Depends on: 477333
Depends on: 477740
Depends on: 479360
Depends on: 481097
Depends on: 481139
Depends on: 481557
Depends on: 483346
Depends on: 489270
Depends on: 489477
Depends on: 490768
Depends on: 493641
Depends on: 495170
Depends on: 496011
Depends on: 499844
Depends on: 503709
Depends on: 503936
Depends on: 507566
Depends on: 513375
Depends on: 514098
Depends on: 514779
Depends on: 518739
Depends on: 524252
Depends on: 532808
Summary: DOM Range and designMode execCommand fuzzer → DOM Range and Editor (designMode/execCommand/contentEditable) fuzzer
Depends on: 535041
Depends on: 535632
Depends on: 537041
Depends on: 538466
Depends on: 541013
Depends on: 542136
Depends on: 543645
Depends on: 543651
Depends on: 546530
Depends on: 547367
Depends on: 551635
Depends on: 554230
Depends on: 561940
Depends on: 564652
Depends on: 565125
Depends on: 566216
Depends on: 572598
Depends on: 572617
Depends on: 572822
Depends on: 574238
Depends on: 574244
Depends on: 574558
Depends on: 576719
Depends on: 580504
Depends on: 582138
Depends on: 588278
Depends on: 596870
Depends on: 603490
Depends on: 606432
Depends on: 607001
Depends on: 609821
Depends on: 612018
Depends on: 612994
Depends on: 613816
Depends on: 615015
Depends on: 615033
Depends on: 615450
Depends on: 633709
Depends on: 636074
Depends on: 643786
Depends on: 647471
Depends on: 650572
Depends on: 673849
Depends on: 678820
Depends on: 679459
Depends on: 682463
Depends on: 682650
Depends on: 688945
Depends on: 688996
Depends on: 699353
Depends on: 700090
Depends on: 701724
Depends on: 709429
Depends on: 716456
Depends on: 718282
Depends on: 726364
Depends on: 745494
Depends on: 760879
Depends on: 761861
Depends on: 762183
Depends on: 762764
Depends on: 765109
Depends on: 766025
Depends on: 766305
Depends on: 766360
Depends on: 766387
Depends on: 766413
Depends on: 766416
Depends on: 766426
Depends on: 766471
Depends on: 766795
Depends on: 766845
Depends on: 767169
Depends on: 767561
Depends on: 768748
Depends on: 768756
Depends on: 768765
Depends on: 769008
Depends on: 769967
Depends on: 770710
Depends on: 771639
Depends on: 771749
Depends on: 772282
Depends on: 772668
Depends on: 776323
Depends on: 780725
Depends on: 784905
Depends on: 785211
Depends on: 788929
Depends on: 788936
Depends on: 793866
Depends on: 797054
Depends on: 798963
Depends on: 803924
Depends on: 804099
Depends on: 804784
Depends on: 804835
Depends on: 805668
Depends on: 806755
Depends on: 812929
Depends on: 813919
Depends on: 822734
Depends on: 842132
Depends on: 847136
Depends on: 862309
Depends on: 869038
Depends on: 871849
Depends on: 873681
Depends on: 876826
Depends on: 887631
Depends on: 890760
Depends on: 893333
Depends on: 893515
Depends on: 893823
Depends on: 895264
Depends on: 914346
Depends on: 927558
Depends on: 951860
Depends on: 987023
Depends on: 989711
Depends on: 1072106
Depends on: 1072112
Depends on: 1072137
Depends on: 1134545
Depends on: 1140198
Depends on: 1140251
No longer blocks: fuzz
I ended up splitting this into two DOMFuzz modules, but I'll keep tracking both their bugs here.

https://github.com/MozillaSecurity/funfuzz/blob/master/dom/fuzzer/modules/editor.js

https://github.com/MozillaSecurity/funfuzz/blob/master/dom/fuzzer/modules/range-and-selection.js
Group: core-security
Depends on: 1221332
Depends on: 1223673
Depends on: 1244894
Depends on: 1267099
Component: Tracking → Platform Fuzzing Team
Depends on: 1283497