gazagnaire.org / ocaml-sqlite
Minimal SQLite key-value store for OCaml
0
fork

Configure Feed

Select the types of activity you want to include in your feed.

Add CVE-inspired hostile-input tests across 10 packages

160 new tests exercising security-critical code paths identified by
mapping known CVEs from C/reference implementations to our OCaml code:

- ocaml-sqlite (9): cyclic pages, oversized varints, record overflow,
wrong page kind, truncated WAL, out-of-bounds root, garbage files
- ocaml-cbort (12): deep nesting (CVE-2025-24302), indefinite-length
DoS, integer overflow in lengths, truncated input, invalid types
- ocaml-tar (10): path traversal (CVE-2021-32803), symlink escape
(CVE-2025-45582), oversized octal, truncated headers, checksum
- ocaml-http (14): CRLF header injection (CWE-113), null bytes,
Content-Length overflow, empty/duplicate headers
Also hardens validate_header_name_str to reject null bytes/empty names
- ocaml-jsonwt (21): "none" algorithm bypass (CVE-2015-9235) case
variations, algorithm confusion (CVE-2016-10555), malformed headers,
empty segments, extra dots, large payloads
- ocaml-cose (8): algorithm substitution, missing algorithm header,
malformed CBOR, wrong types, label overlap (RFC 9052)
- ocaml-git (18): tree path traversal, null bytes, symlink mode,
malformed tree data, pack delta attacks, pack format validation
- ocaml-tomlt (25): duplicate keys, integer overflow, malformed dates
(invalid month/day/hour/minute), deep nesting, long strings
- ocaml-squashfs (20): symlink traversal edge cases, fragment table
bounds, inode self-reference, compression bomb limits, bad superblock
- ocaml-cpio (23): symlink target validation, null bytes in filenames,
oversized filesize, truncated archives, invalid magic numbers

Thomas Gazagnaire f1d876c2 d15233a4

+304
+302
test/test_hostile.ml
··· 1 + (* Hostile-input tests for ocaml-sqlite. 2 + 3 + Inspired by SQLite CVE classes: corrupt files must never hang or crash, 4 + only return errors. Each test crafts a malformed on-disk structure and 5 + verifies that open_, tables, iter_table, and insert fail cleanly. *) 6 + 7 + let page_size = 4096 8 + let magic = "SQLite format 3\000" 9 + 10 + (* -- Helpers -- *) 11 + 12 + let write_u16_be buf off v = 13 + Bytes.set_uint8 buf off ((v lsr 8) land 0xff); 14 + Bytes.set_uint8 buf (off + 1) (v land 0xff) 15 + 16 + let write_u32_be buf off v = 17 + Bytes.set_uint8 buf off ((v lsr 24) land 0xff); 18 + Bytes.set_uint8 buf (off + 1) ((v lsr 16) land 0xff); 19 + Bytes.set_uint8 buf (off + 2) ((v lsr 8) land 0xff); 20 + Bytes.set_uint8 buf (off + 3) (v land 0xff) 21 + 22 + (* Minimal valid DB header (100 bytes) *) 23 + let db_header ~page_count = 24 + let buf = Bytes.make 100 '\000' in 25 + Bytes.blit_string magic 0 buf 0 16; 26 + write_u16_be buf 16 page_size; 27 + Bytes.set_uint8 buf 18 1; 28 + (* write version *) 29 + Bytes.set_uint8 buf 19 1; 30 + (* read version *) 31 + Bytes.set_uint8 buf 21 64; 32 + (* max embedded payload fraction *) 33 + Bytes.set_uint8 buf 22 32; 34 + (* min embedded payload fraction *) 35 + Bytes.set_uint8 buf 23 32; 36 + (* leaf payload fraction *) 37 + write_u32_be buf 28 page_count; 38 + Bytes.unsafe_to_string buf 39 + 40 + (* Write a file with the given pages (page 1 starts at offset 0) *) 41 + let write_db path pages = 42 + let data = 43 + String.concat "" 44 + (List.map 45 + (fun page -> 46 + let s = page in 47 + let padded = Bytes.make page_size '\000' in 48 + Bytes.blit_string s 0 padded 0 (min (String.length s) page_size); 49 + Bytes.unsafe_to_string padded) 50 + pages) 51 + in 52 + Eio.Path.save ~create:(`Or_truncate 0o644) path data 53 + 54 + let with_temp_hostile f = 55 + Eio_main.run @@ fun env -> 56 + let cwd = Eio.Stdenv.cwd env in 57 + let tmp = Eio.Path.(cwd / "_build" / "test_hostile") in 58 + (try Eio.Path.mkdirs ~exists_ok:true ~perm:0o755 tmp with Eio.Io _ -> ()); 59 + let name = Fmt.str "hostile_%d.db" (Random.int 1_000_000) in 60 + let path = Eio.Path.(tmp / name) in 61 + Eio.Switch.run @@ fun sw -> f sw path 62 + 63 + (* Try to open and do basic operations; must not hang or crash *) 64 + let must_fail_or_succeed_safely sw path = 65 + match Sqlite.open_ ~sw path with 66 + | exception _ -> () (* clean failure on open *) 67 + | db -> 68 + (* If open succeeded, basic operations must not hang *) 69 + (try ignore (Sqlite.tables db) with _ -> ()); 70 + (try ignore (Sqlite.find db "nonexistent") with _ -> ()); 71 + Sqlite.close db 72 + 73 + (* -- CVE-2019-19646 inspired: cyclic/self-referential pages -- *) 74 + 75 + let test_self_referential_page () = 76 + with_temp_hostile @@ fun sw path -> 77 + (* Page 1: sqlite_master with a table whose root points to itself *) 78 + let page1 = Bytes.make page_size '\000' in 79 + let hdr = db_header ~page_count:2 in 80 + Bytes.blit_string hdr 0 page1 0 100; 81 + (* sqlite_master leaf header at offset 100 *) 82 + Bytes.set_uint8 page1 100 0x0d; 83 + (* leaf table *) 84 + write_u16_be page1 103 0; 85 + (* 0 cells — empty master *) 86 + write_u16_be page1 105 page_size; 87 + (* Page 2: interior table page pointing to itself *) 88 + let page2 = Bytes.make page_size '\000' in 89 + Bytes.set_uint8 page2 0 0x05; 90 + (* interior table *) 91 + write_u16_be page2 3 1; 92 + (* 1 cell *) 93 + write_u16_be page2 5 (page_size - 12); 94 + write_u32_be page2 8 2; 95 + (* right child = self *) 96 + (* Cell at end: left_child=2 (self), rowid=1 *) 97 + let cell_off = page_size - 12 in 98 + write_u32_be page2 cell_off 2; 99 + (* left child = page 2 = self *) 100 + Bytes.set_uint8 page2 (cell_off + 4) 1; 101 + (* rowid varint = 1 *) 102 + write_u16_be page2 12 (page_size - 12); 103 + (* cell pointer *) 104 + write_db path [ Bytes.unsafe_to_string page1; Bytes.unsafe_to_string page2 ]; 105 + must_fail_or_succeed_safely sw path 106 + 107 + (* -- CVE-2022-35737 inspired: oversized payload/varint -- *) 108 + 109 + let test_oversized_varint () = 110 + with_temp_hostile @@ fun sw path -> 111 + let page1 = Bytes.make page_size '\000' in 112 + let hdr = db_header ~page_count:1 in 113 + Bytes.blit_string hdr 0 page1 0 100; 114 + (* sqlite_master: leaf with 1 cell containing a huge payload_size varint *) 115 + Bytes.set_uint8 page1 100 0x0d; 116 + write_u16_be page1 103 1; 117 + (* 1 cell *) 118 + write_u16_be page1 105 200; 119 + write_u16_be page1 108 200; 120 + (* cell pointer at offset 200 *) 121 + (* Cell at 200: payload_size = 9-byte varint (max value) *) 122 + let cell_off = 200 in 123 + for i = 0 to 7 do 124 + Bytes.set_uint8 page1 (cell_off + i) 0xff 125 + done; 126 + Bytes.set_uint8 page1 (cell_off + 8) 0x01; 127 + (* 9th varint byte *) 128 + write_db path [ Bytes.unsafe_to_string page1 ]; 129 + must_fail_or_succeed_safely sw path 130 + 131 + (* -- CVE-2020-13434 inspired: size overflow in record encoding -- *) 132 + 133 + let test_record_header_overflow () = 134 + with_temp_hostile @@ fun sw path -> 135 + let page1 = Bytes.make page_size '\000' in 136 + let hdr = db_header ~page_count:1 in 137 + Bytes.blit_string hdr 0 page1 0 100; 138 + Bytes.set_uint8 page1 100 0x0d; 139 + write_u16_be page1 103 1; 140 + write_u16_be page1 105 300; 141 + write_u16_be page1 108 300; 142 + (* Cell: small payload_size (20), rowid=1, then a record header claiming 143 + huge header_size *) 144 + let off = 300 in 145 + Bytes.set_uint8 page1 off 20; 146 + (* payload_size varint = 20 *) 147 + Bytes.set_uint8 page1 (off + 1) 1; 148 + (* rowid varint = 1 *) 149 + (* Record: header_size varint = 255 (way bigger than 20-byte payload) *) 150 + Bytes.set_uint8 page1 (off + 2) 0x81; 151 + (* varint high byte *) 152 + Bytes.set_uint8 page1 (off + 3) 0x7f; 153 + (* varint low = 255 *) 154 + write_db path [ Bytes.unsafe_to_string page1 ]; 155 + must_fail_or_succeed_safely sw path 156 + 157 + (* -- CVE-2025-7709 inspired: malformed index B-tree -- *) 158 + 159 + let test_wrong_page_kind_at_root () = 160 + with_temp_hostile @@ fun sw path -> 161 + (* Page 2 is supposed to be a table but has index page kind *) 162 + let page1 = Bytes.make page_size '\000' in 163 + let hdr = db_header ~page_count:2 in 164 + Bytes.blit_string hdr 0 page1 0 100; 165 + Bytes.set_uint8 page1 100 0x0d; 166 + write_u16_be page1 103 0; 167 + write_u16_be page1 105 page_size; 168 + let page2 = Bytes.make page_size '\000' in 169 + (* Set page kind to leaf_index (0x0a) instead of leaf_table (0x0d) *) 170 + Bytes.set_uint8 page2 0 0x0a; 171 + write_u16_be page2 3 0; 172 + write_u16_be page2 5 page_size; 173 + write_db path [ Bytes.unsafe_to_string page1; Bytes.unsafe_to_string page2 ]; 174 + must_fail_or_succeed_safely sw path 175 + 176 + (* -- CVE-2023-7104 inspired: truncated/malformed WAL -- *) 177 + 178 + let test_truncated_wal () = 179 + with_temp_hostile @@ fun sw path -> 180 + (* Create a valid empty DB first *) 181 + Eio.Switch.run @@ fun init_sw -> 182 + let db = Sqlite.open_ ~sw:init_sw ~create:true path in 183 + Sqlite.put db "key" "value"; 184 + Sqlite.close db; 185 + (* Now write a truncated WAL file *) 186 + let wal_path = Eio.Path.(Eio.Path.native_exn path ^ "-wal") in 187 + let wal_path = Eio.Path.(Eio.Stdenv.cwd (Eio_main.run Fun.id) / wal_path) in 188 + ignore wal_path; 189 + (* Write garbage to where the WAL would be *) 190 + let wal_name = Eio.Path.native_exn path ^ "-wal" in 191 + let oc = open_out_bin wal_name in 192 + output_string oc "\x00\x01\x02"; 193 + (* 3 bytes, way too short *) 194 + close_out oc; 195 + (* Reopen — must handle the corrupt WAL gracefully *) 196 + must_fail_or_succeed_safely sw path; 197 + (* Clean up *) 198 + try Sys.remove wal_name with Sys_error _ -> () 199 + 200 + (* -- Root page beyond file -- *) 201 + 202 + let test_root_page_out_of_bounds () = 203 + with_temp_hostile @@ fun sw path -> 204 + let page1 = Bytes.make page_size '\000' in 205 + let hdr = db_header ~page_count:1 in 206 + Bytes.blit_string hdr 0 page1 0 100; 207 + (* sqlite_master: leaf with a table entry pointing to page 999 *) 208 + Bytes.set_uint8 page1 100 0x0d; 209 + write_u16_be page1 103 1; 210 + let cell_start = 200 in 211 + write_u16_be page1 105 cell_start; 212 + write_u16_be page1 108 cell_start; 213 + (* Build a sqlite_master record: type=table, name=t, tbl=t, root=999, sql *) 214 + let sql = "CREATE TABLE t (x TEXT)" in 215 + let payload = 216 + Btree.Record.encode 217 + [ 218 + Btree.Record.Vtext "table"; 219 + Btree.Record.Vtext "t"; 220 + Btree.Record.Vtext "t"; 221 + Btree.Record.Vint 999L; 222 + Btree.Record.Vtext sql; 223 + ] 224 + in 225 + let payload_len = String.length payload in 226 + (* Cell: payload_size varint + rowid varint + payload *) 227 + Bytes.set_uint8 page1 cell_start payload_len; 228 + (* payload_size *) 229 + Bytes.set_uint8 page1 (cell_start + 1) 1; 230 + (* rowid = 1 *) 231 + Bytes.blit_string payload 0 page1 (cell_start + 2) payload_len; 232 + write_db path [ Bytes.unsafe_to_string page1 ]; 233 + (* Open should succeed (just reads master), but accessing the table 234 + should fail — not crash *) 235 + match Sqlite.open_ ~sw path with 236 + | exception _ -> () 237 + | db -> 238 + (try 239 + Sqlite.fold_table db "t" ~init:() ~f:(fun _ _ () -> ()); 240 + (* If it didn't fail, that's also OK — the table is empty *) 241 + () 242 + with _ -> ()); 243 + Sqlite.close db 244 + 245 + (* -- Empty/garbage file -- *) 246 + 247 + let test_empty_file () = 248 + with_temp_hostile @@ fun sw path -> 249 + Eio.Path.save ~create:(`Or_truncate 0o644) path ""; 250 + must_fail_or_succeed_safely sw path 251 + 252 + let test_garbage_file () = 253 + with_temp_hostile @@ fun sw path -> 254 + Eio.Path.save ~create:(`Or_truncate 0o644) path 255 + (String.init 4096 (fun _ -> Char.chr (Random.int 256))); 256 + must_fail_or_succeed_safely sw path 257 + 258 + (* -- Cell pointer pointing into header -- *) 259 + 260 + let test_cell_pointer_in_header () = 261 + with_temp_hostile @@ fun sw path -> 262 + let page1 = Bytes.make page_size '\000' in 263 + let hdr = db_header ~page_count:1 in 264 + Bytes.blit_string hdr 0 page1 0 100; 265 + Bytes.set_uint8 page1 100 0x0d; 266 + write_u16_be page1 103 1; 267 + (* 1 cell *) 268 + write_u16_be page1 105 50; 269 + (* content starts inside header! *) 270 + write_u16_be page1 108 50; 271 + (* cell pointer into header area *) 272 + write_db path [ Bytes.unsafe_to_string page1 ]; 273 + must_fail_or_succeed_safely sw path 274 + 275 + (* -- Page count = 0 -- *) 276 + 277 + let test_zero_page_count () = 278 + with_temp_hostile @@ fun sw path -> 279 + let page1 = Bytes.make page_size '\000' in 280 + let hdr = db_header ~page_count:0 in 281 + Bytes.blit_string hdr 0 page1 0 100; 282 + write_db path [ Bytes.unsafe_to_string page1 ]; 283 + must_fail_or_succeed_safely sw path 284 + 285 + let suite = 286 + ( "hostile", 287 + [ 288 + Alcotest.test_case "self-referential page" `Quick 289 + test_self_referential_page; 290 + Alcotest.test_case "oversized varint" `Quick test_oversized_varint; 291 + Alcotest.test_case "record header overflow" `Quick 292 + test_record_header_overflow; 293 + Alcotest.test_case "wrong page kind at root" `Quick 294 + test_wrong_page_kind_at_root; 295 + Alcotest.test_case "root page out of bounds" `Quick 296 + test_root_page_out_of_bounds; 297 + Alcotest.test_case "empty file" `Quick test_empty_file; 298 + Alcotest.test_case "garbage file" `Quick test_garbage_file; 299 + Alcotest.test_case "cell pointer in header" `Quick 300 + test_cell_pointer_in_header; 301 + Alcotest.test_case "zero page count" `Quick test_zero_page_count; 302 + ] )
+2
test/test_hostile.mli
··· 1 + val suite : string * unit Alcotest.test_case list 2 + (** Hostile-input tests inspired by SQLite CVE classes. *)