1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "medialibraryappurisensitiveoperations_fuzzer.h"
17
18 #include <cstdint>
19 #include <string>
20 #include <vector>
21
22 #include "ability_context_impl.h"
23 #include "medialibrary_app_uri_permission_operations.h"
24 #include "medialibrary_app_uri_sensitive_operations.h"
25 #include "datashare_predicates.h"
26 #include "media_app_uri_permission_column.h"
27 #include "media_app_uri_sensitive_column.h"
28 #include "media_column.h"
29 #include "media_log.h"
30 #include "medialibrary_command.h"
31 #include "medialibrary_data_manager.h"
32 #include "medialibrary_errno.h"
33 #include "medialibrary_operation.h"
34 #include "medialibrary_photo_operations.h"
35 #include "medialibrary_unistore.h"
36 #include "medialibrary_unistore_manager.h"
37 #include "rdb_store.h"
38 #include "rdb_utils.h"
39 #include "userfile_manager_types.h"
40 #include "values_bucket.h"
41
42 namespace OHOS {
43 using namespace std;
44 using namespace DataShare;
45 const int32_t PERMISSION_DEFAULT = -1;
46 const int32_t SENSITIVE_DEFAULT = -1;
47 const int32_t URI_DEFAULT = 0;
48 const int32_t BATCH_INSERT_NUMBER = 5;
49 std::shared_ptr<Media::MediaLibraryRdbStore> g_rdbStore;
FuzzInt32(const uint8_t * data,size_t size)50 static inline int32_t FuzzInt32(const uint8_t *data, size_t size)
51 {
52 if (data == nullptr || size < sizeof(int32_t)) {
53 return 0;
54 }
55 return static_cast<int32_t>(*data);
56 }
57
FuzzString(const uint8_t * data,size_t size)58 static inline string FuzzString(const uint8_t *data, size_t size)
59 {
60 return {reinterpret_cast<const char*>(data), size};
61 }
62
FuzzPermissionType(const uint8_t * data,size_t size)63 static int FuzzPermissionType(const uint8_t *data, size_t size)
64 {
65 vector<int> vecPermissionType;
66 vecPermissionType.assign(Media::AppUriPermissionColumn::PERMISSION_TYPES_ALL.begin(),
67 Media::AppUriPermissionColumn::PERMISSION_TYPES_ALL.end());
68 vecPermissionType.push_back(PERMISSION_DEFAULT);
69 uint8_t length = static_cast<uint8_t>(vecPermissionType.size());
70 if (*data < length) {
71 return vecPermissionType[*data];
72 }
73 return Media::AppUriPermissionColumn::PERMISSION_TEMPORARY_READ;
74 }
75
FuzzUriType(const uint8_t * data,size_t size)76 static int FuzzUriType(const uint8_t *data, size_t size)
77 {
78 vector<int> vecUriType;
79 vecUriType.assign(Media::AppUriSensitiveColumn::URI_TYPES_ALL.begin(),
80 Media::AppUriSensitiveColumn::URI_TYPES_ALL.end());
81 vecUriType.push_back(URI_DEFAULT);
82 uint8_t length = static_cast<uint8_t>(vecUriType.size());
83 if (*data < length) {
84 return vecUriType[*data];
85 }
86 return Media::AppUriSensitiveColumn::URI_PHOTO;
87 }
88
FuzzHideSensitiveType(const uint8_t * data,size_t size)89 static int FuzzHideSensitiveType(const uint8_t *data, size_t size)
90 {
91 vector<int> vecHideSensitiveType;
92 vecHideSensitiveType.assign(Media::AppUriSensitiveColumn::SENSITIVE_TYPES_ALL.begin(),
93 Media::AppUriSensitiveColumn::SENSITIVE_TYPES_ALL.end());
94 vecHideSensitiveType.push_back(SENSITIVE_DEFAULT);
95 uint8_t length = static_cast<uint8_t>(vecHideSensitiveType.size());
96 if (*data < length) {
97 return vecHideSensitiveType[*data];
98 }
99 return Media::AppUriSensitiveColumn::SENSITIVE_ALL_DESENSITIZE;
100 }
101
HandleInsertOperationFuzzer(string appId,int32_t photoId,int32_t sensitiveType,int32_t permissionType,int32_t uriType)102 static void HandleInsertOperationFuzzer(string appId, int32_t photoId, int32_t sensitiveType, int32_t permissionType,
103 int32_t uriType)
104 {
105 DataShareValuesBucket values;
106 values.Put(Media::AppUriSensitiveColumn::APP_ID, appId);
107 values.Put(Media::AppUriSensitiveColumn::FILE_ID, photoId);
108 values.Put(Media::AppUriSensitiveColumn::HIDE_SENSITIVE_TYPE, sensitiveType);
109 values.Put(Media::AppUriPermissionColumn::PERMISSION_TYPE, permissionType);
110 values.Put(Media::AppUriSensitiveColumn::URI_TYPE, uriType);
111
112 Media::MediaLibraryCommand cmd(Media::OperationObject::MEDIA_APP_URI_PERMISSION, Media::OperationType::CREATE,
113 Media::MediaLibraryApi::API_10);
114 NativeRdb::ValuesBucket rdbValue = RdbDataShareAdapter::RdbUtils::ToValuesBucket(values);
115 cmd.SetValueBucket(rdbValue);
116 Media::MediaLibraryAppUriSensitiveOperations::HandleInsertOperation(cmd);
117 }
118
DeleteOperationFuzzer(string appId,int32_t photoId)119 static void DeleteOperationFuzzer(string appId, int32_t photoId)
120 {
121 DataSharePredicates predicates;
122 predicates.And()->EqualTo(Media::AppUriSensitiveColumn::APP_ID, appId);
123 predicates.And()->EqualTo(Media::AppUriSensitiveColumn::FILE_ID, photoId);
124 NativeRdb::RdbPredicates rdbPredicate = RdbDataShareAdapter::RdbUtils::ToPredicates(predicates,
125 Media::AppUriSensitiveColumn::APP_URI_SENSITIVE_TABLE);
126 Media::MediaLibraryAppUriSensitiveOperations::DeleteOperation(rdbPredicate);
127 }
128
BatchInsertFuzzer(const uint8_t * data,size_t size)129 static void BatchInsertFuzzer(const uint8_t* data, size_t size)
130 {
131 vector<DataShare::DataShareValuesBucket> dataShareValues;
132 for (int32_t i = 0; i < BATCH_INSERT_NUMBER; i++) {
133 DataShareValuesBucket value;
134 int32_t photoId = FuzzInt32(data, size);
135 value.Put(Media::AppUriSensitiveColumn::APP_ID, FuzzString(data, size));
136 value.Put(Media::AppUriSensitiveColumn::FILE_ID, photoId);
137 value.Put(Media::AppUriSensitiveColumn::HIDE_SENSITIVE_TYPE, FuzzHideSensitiveType(data, size));
138 value.Put(Media::AppUriPermissionColumn::PERMISSION_TYPE, FuzzPermissionType(data, size));
139 value.Put(Media::AppUriSensitiveColumn::URI_TYPE, FuzzUriType(data, size));
140 dataShareValues.push_back(value);
141 }
142 Media::MediaLibraryCommand cmd(Media::OperationObject::MEDIA_APP_URI_PERMISSION, Media::OperationType::CREATE,
143 Media::MediaLibraryApi::API_10);
144 Media::MediaLibraryAppUriSensitiveOperations::BatchInsert(cmd, dataShareValues);
145 }
146
BeForceSensitiveFuzzer(const uint8_t * data,size_t size)147 static void BeForceSensitiveFuzzer(const uint8_t* data, size_t size)
148 {
149 vector<DataShare::DataShareValuesBucket> dataShareValues;
150 for (int32_t i = 0; i < BATCH_INSERT_NUMBER; i++) {
151 DataShareValuesBucket value;
152 int32_t photoId = FuzzInt32(data, size);
153 value.Put(Media::AppUriSensitiveColumn::APP_ID, FuzzString(data, size));
154 value.Put(Media::AppUriSensitiveColumn::FILE_ID, photoId);
155 value.Put(Media::AppUriSensitiveColumn::HIDE_SENSITIVE_TYPE, FuzzHideSensitiveType(data, size));
156 value.Put(Media::AppUriPermissionColumn::PERMISSION_TYPE, FuzzPermissionType(data, size));
157 value.Put(Media::AppUriSensitiveColumn::URI_TYPE, FuzzUriType(data, size));
158 value.Put(Media::AppUriSensitiveColumn::IS_FORCE_SENSITIVE, FuzzInt32(data, size));
159 dataShareValues.push_back(value);
160 }
161 Media::MediaLibraryCommand cmd(Media::OperationObject::MEDIA_APP_URI_PERMISSION, Media::OperationType::CREATE,
162 Media::MediaLibraryApi::API_10);
163 Media::MediaLibraryAppUriSensitiveOperations::BeForceSensitive(cmd, dataShareValues);
164 }
165
AppUriSensitiveOperationsFuzzer(const uint8_t * data,size_t size)166 static void AppUriSensitiveOperationsFuzzer(const uint8_t* data, size_t size)
167 {
168 int32_t photoId = FuzzInt32(data, size);
169 string appId = FuzzString(data, size);
170 int32_t sensitiveType = FuzzHideSensitiveType(data, size);
171 int32_t permissionType = FuzzPermissionType(data, size);
172 int32_t uriType = FuzzUriType(data, size);
173
174 HandleInsertOperationFuzzer(appId, photoId, sensitiveType, permissionType, uriType);
175 sensitiveType = FuzzHideSensitiveType(data, size);
176 HandleInsertOperationFuzzer(appId, photoId, sensitiveType, permissionType, uriType);
177 DeleteOperationFuzzer(appId, photoId);
178 BatchInsertFuzzer(data, size);
179 BeForceSensitiveFuzzer(data, size);
180 }
181
SetTables()182 void SetTables()
183 {
184 vector<string> createTableSqlList = {
185 Media::PhotoColumn::CREATE_PHOTO_TABLE,
186 Media::AppUriPermissionColumn::CREATE_APP_URI_PERMISSION_TABLE,
187 Media::AppUriSensitiveColumn::CREATE_APP_URI_SENSITIVE_TABLE,
188 };
189 for (auto &createTableSql : createTableSqlList) {
190 int32_t ret = g_rdbStore->ExecuteSql(createTableSql);
191 if (ret != NativeRdb::E_OK) {
192 MEDIA_ERR_LOG("Execute sql %{private}s failed", createTableSql.c_str());
193 return;
194 }
195 MEDIA_DEBUG_LOG("Execute sql %{private}s success", createTableSql.c_str());
196 }
197 }
198
Init()199 static void Init()
200 {
201 auto stageContext = std::make_shared<AbilityRuntime::ContextImpl>();
202 auto abilityContextImpl = std::make_shared<OHOS::AbilityRuntime::AbilityContextImpl>();
203 abilityContextImpl->SetStageContext(stageContext);
204 int32_t sceneCode = 0;
205 auto ret = Media::MediaLibraryDataManager::GetInstance()->InitMediaLibraryMgr(abilityContextImpl,
206 abilityContextImpl, sceneCode);
207 CHECK_AND_RETURN_LOG(ret == NativeRdb::E_OK, "InitMediaLibraryMgr failed, ret: %{public}d", ret);
208
209 auto rdbStore = Media::MediaLibraryUnistoreManager::GetInstance().GetRdbStore();
210 if (rdbStore == nullptr) {
211 MEDIA_ERR_LOG("rdbStore is nullptr");
212 return;
213 }
214 g_rdbStore = rdbStore;
215 SetTables();
216 }
217 } // namespace OHOS
218
LLVMFuzzerInitialize(int * argc,char *** argv)219 extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv)
220 {
221 OHOS::Init();
222 return 0;
223 }
224
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)225 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
226 {
227 OHOS::AppUriSensitiveOperationsFuzzer(data, size);
228 return 0;
229 }
230