// Copyright (c) 2011, Mike Samuel
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions
// are met:
//
// Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// Redistributions in binary form must reproduce the above copyright
// notice, this list of conditions and the following disclaimer in the
// documentation and/or other materials provided with the distribution.
// Neither the name of the OWASP nor the names of its contributors may
// be used to endorse or promote products derived from this software
// without specific prior written permission.
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
// INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
// BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
// LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
// LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
// ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.

package org.owasp.html;

import java.util.List;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;

import com.google.common.base.Charsets;
import com.google.common.base.Throwables;
import com.google.common.io.Resources;

/**
 * Throws malformed inputs at the HTML sanitizer to try and crash it.
 * This test is stochastic -- not guaranteed to pass or fail consistently.
 * If you see a failure, please report it along with the seed from the output.
 * If you want to repeat a failure, set the system property "junit.seed".
 *
 * @author Mike Samuel <mikesamuel@gmail.com>
 */
public class HtmlSanitizerFuzzerTest extends FuzzyTestCase {

  private static final HtmlSanitizer.Policy DO_NOTHING_POLICY
      = new HtmlSanitizer.Policy() {
        public void openDocument() { /* do nothing */ }
        public void closeDocument() { /* do nothing */ }
        public void openTag(String elementName, List<String> attrs) {
          /* do nothing */
        }
        public void closeTag(String elementName) { /* do nothing */ }
        public void text(String textChunk) { /* do nothing */ }
      };

  public final void testFuzzHtmlParser() throws Exception {
    String html = Resources.toString(
        Resources.getResource("Yahoo!.html"), Charsets.UTF_8);
    int length = html.length();

    char[] fuzzyHtml0 = new char[length];
    char[] fuzzyHtml1 = new char[length];

    final LinkedBlockingQueue<Throwable> failures
        = new LinkedBlockingQueue<Throwable>();

    final int runCount = 1000;
    // Use an executor so that any infinite loops do not cause the test runner
    // to fail.
    ThreadPoolExecutor executor = new ThreadPoolExecutor(
        10, 10, 10, TimeUnit.SECONDS, new LinkedBlockingQueue<Runnable>());

    for (int run = runCount; --run >= 0;) {
      for (int i = length; --i >= 0;) { fuzzyHtml0[i] = html.charAt(i); }
      for (int fuzz = 1 + rnd.nextInt(25); --fuzz >= 0;) {
        if (rnd.nextBoolean()) {
          fuzzyHtml0[rnd.nextInt(length)] = (char) rnd.nextInt(0x10000);
          continue;
        }
        int s0 = rnd.nextInt(length - 1);
        double d = Math.abs(rnd.nextGaussian()) / 3.0d;
        int e0 = s0 + (int) (rnd.nextInt(length - s0) * d);
        if (e0 >= length) { e0 = s0 + 1; }

        int s1 = rnd.nextInt(length - 1);
        d = Math.abs(rnd.nextGaussian()) / 3.0d;
        int e1 = s1 + (int) (rnd.nextInt(length - s1) * d);
        if (e1 >= length) { e1 = s1 + 1; }

        if (s0 > s1) {
          int st = s0, et = e0;
          s0 = s1;
          e0 = e1;
          s1 = st;
          e1 = et;
        }

        if (e0 > s1) { e0 = s1; }

        // Swap the ranges [s0, e0) and [s1, e1) into fuzzyHtml1.
        int i0, i1 = 0;
        for (i0 = 0; i0 < s0; ++i0, ++i1) {
          fuzzyHtml1[i1] = fuzzyHtml0[i0];
        }
        for (i0 = s1; i0 < e1; ++i0, ++i1) {
          fuzzyHtml1[i1] = fuzzyHtml0[i0];
        }
        for (i0 = e0; i0 < s1; ++i0, ++i1) {
          fuzzyHtml1[i1] = fuzzyHtml0[i0];
        }
        for (i0 = s0; i0 < e0; ++i0, ++i1) {
          fuzzyHtml1[i1] = fuzzyHtml0[i0];
        }
        for (i0 = e1; i0 < length; ++i0, ++i1) {
          fuzzyHtml1[i1] = fuzzyHtml0[i0];
        }
        // Swap the two buffers.
        char[] swap = fuzzyHtml0;
        fuzzyHtml0 = fuzzyHtml1;
        fuzzyHtml1 = swap;
      }
      final String fuzzyHtml = new String(fuzzyHtml0);
      executor.execute(new Runnable() {
        public void run() {
          try {
            HtmlSanitizer.sanitize(fuzzyHtml, DO_NOTHING_POLICY);
          } catch (Exception ex) {
            System.err.println(
                "Using seed " + seed + "L\n"
                + "Failed on <<<" + fuzzyHtml + ">>>");
            failures.add(ex);
          }
        }
      });
    }
    executor.shutdown();
    executor.awaitTermination(runCount * 4, TimeUnit.SECONDS);
    assertTrue("seed=" + seed, executor.isTerminated());
    Throwable failure = failures.poll();
    if (failure != null) {
      Throwables.propagate(failure);
    }
  }

}