From 19e1b7b4320dd9da47705d3cbcdbb571c4339d30 Mon Sep 17 00:00:00 2001
From: Nathaniel Brough
Date: Sat, 23 Dec 2023 17:27:40 -0800
Subject: [PATCH 1/2] Fuzz more of gix_url::Url
---
 gix-url/fuzz/Cargo.toml | 1 +
 gix-url/fuzz/fuzz_targets/parse.rs | 21 ++++++++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/gix-url/fuzz/Cargo.toml b/gix-url/fuzz/Cargo.toml
index 8c28d8fdd6d..5a6a5e0a886 100644
--- a/gix-url/fuzz/Cargo.toml
+++ b/gix-url/fuzz/Cargo.toml
@@ -9,6 +9,7 @@ edition = "2021"
 cargo-fuzz = true
 [dependencies]
+anyhow = "1.0.76"
 libfuzzer-sys = "0.4"
 [dependencies.gix-url]
diff --git a/gix-url/fuzz/fuzz_targets/parse.rs b/gix-url/fuzz/fuzz_targets/parse.rs
index c9d8073d795..de564d124fb 100644
--- a/gix-url/fuzz/fuzz_targets/parse.rs
+++ b/gix-url/fuzz/fuzz_targets/parse.rs
@@ -1,6 +1,25 @@
 #![no_main]
+use anyhow::Result;
 use libfuzzer_sys::fuzz_target;
+use std::hint::black_box;
+use std::path::Path;
+
+fn fuzz(data: &[u8]) -> Result<()> {
+ let url = gix_url::parse(data.into())?;
+ _ = black_box(url.user());
+ _ = black_box(url.password());
+ _ = black_box(url.password());
+ _ = black_box(url.host_argument_safe());
+ _ = black_box(url.path_argument_safe());
+ _ = black_box(url.path_is_root());
+ _ = black_box(url.port_or_default());
+ _ = black_box(url.canonicalized(Path::new("/cwd")));
+ _ = black_box(url.to_bstring());
+
+ _ = black_box(gix_url::expand_path::parse(data.into()));
+ Ok(())
+}
 fuzz_target!(|data: &[u8]| {
- let _a = gix_url::parse(data.into());
+ _ = black_box(fuzz(data));
 });
From 8d4f9d7359344f95d6631f7ac53fe54a40beb5f1 Mon Sep 17 00:00:00 2001
From: Nathaniel Brough
Date: Sat, 23 Dec 2023 17:34:25 -0800
Subject: [PATCH 2/2] Add fuzzing assert to fuzz against CVE-2017-1000117
---
 gix-url/fuzz/fuzz_targets/parse.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/gix-url/fuzz/fuzz_targets/parse.rs b/gix-url/fuzz/fuzz_targets/parse.rs
index de564d124fb..6a483b7c59f 100644
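Review bot: The new `fuzz` body only checks that the accessors do not panic; once a `Url` has been parsed, the invariant worth asserting is that serialising it re-parses to the same value, so the bare `to_bstring()` call would be stronger as `let again = gix_url::parse(url.to_bstring().as_ref())?; assert_eq!(again, url);` (assuming `Url: PartialEq`; if some inputs are known to normalise on the first parse, compare a second round-trip instead). The `url.password()` line is duplicated while `url.host()` is never touched, so the second call is presumably a copy-paste slip. Also, if `canonicalized(Path::new("/cwd"))` resolves file-scheme paths against the real filesystem, as its name suggests, every input then performs filesystem I/O on attacker-shaped paths inside the fuzz loop, which costs throughput and makes crashes harder to reproduce; consider limiting it to non-file schemes or adding a comment stating that the I/O is intended.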
--- a/gix-url/fuzz/fuzz_targets/parse.rs
+++ b/gix-url/fuzz/fuzz_targets/parse.rs
@@ -9,7 +9,11 @@ fn fuzz(data: &[u8]) -> Result<()> {
 _ = black_box(url.user());
 _ = black_box(url.password());
 _ = black_box(url.password());
- _ = black_box(url.host_argument_safe());
+ if let Some(safe_host) = black_box(url.host_argument_safe()) {
+ // Ensure malicious host paths can't be returned see;
+ // https://secure.phabricator.com/T12961
+ assert!(!safe_host.starts_with("ssh://-"));
+ }
 _ = black_box(url.path_argument_safe());
 _ = black_box(url.path_is_root());
 _ = black_box(url.port_or_default());
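Review bot: The added assertion checks the wrong string: `host_argument_safe()` yields the host component, not the full URL, so a value beginning with `ssh://-` can essentially never be produced and the CVE-2017-1000117 shape — a host such as `-oProxyCommand=...` that ssh reads as an option — is not what gets pinned. If `host_argument_safe()` is meant to refuse hosts that would be parsed as an argument, the property to assert is `assert!(!safe_host.starts_with('-'));`, and the same check belongs on `path_argument_safe()` on the following line, since the path is likewise placed on a command line. The comment `// Ensure malicious host paths can't be returned see;` reads better as `// A host starting with '-' would be read by ssh as an option (CVE-2017-1000117, https://secure.phabricator.com/T12961).`. The enclosing `fuzz` body continues outside the hunk.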