From df7633aaa1dfb9fc1c028fedcdfa9df0a592042b Mon Sep 17 00:00:00 2001
From: Asra Ali
Date: Thu, 4 Mar 2021 14:13:14 -0500
Subject: [PATCH 1/4] fix h1 filepath issue
Signed-off-by: Asra Ali
---
 test/integration/h1_capture_direct_response_fuzz_test.cc | 5 +++--
 ...ase-h1_capture_direct_response_fuzz_test-5145199254831104 | 3 +++
 2 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 test/integration/h1_corpus/clusterfuzz-testcase-h1_capture_direct_response_fuzz_test-5145199254831104
diff --git a/test/integration/h1_capture_direct_response_fuzz_test.cc b/test/integration/h1_capture_direct_response_fuzz_test.cc
index 621179a183546..31f149de9435f 100644
--- a/test/integration/h1_capture_direct_response_fuzz_test.cc
+++ b/test/integration/h1_capture_direct_response_fuzz_test.cc
@@ -6,7 +6,6 @@ namespace Envoy {
 void H1FuzzIntegrationTest::initialize() {
 const std::string body = "Response body";
- const std::string file_path = TestEnvironment::writeStringToFileForTest("test_envoy", body);
 const std::string prefix("/");
 const Http::Code status(Http::Code::OK);
 config_helper_.addConfigModifier(
@@ -19,7 +18,9 @@ void H1FuzzIntegrationTest::initialize() {
 hcm.mutable_route_config()->mutable_virtual_hosts(0)->mutable_routes(0);
 default_route->mutable_match()->set_prefix(prefix);
 default_route->mutable_direct_response()->set_status(static_cast(status));
- default_route->mutable_direct_response()->mutable_body()->set_filename(file_path);
+ // Use inline bytes rather than a filename to avoid using a path that may look illegal to
+ // Envoy.
+ default_route->mutable_direct_response()->mutable_body()->set_inline_bytes(body);
 // adding headers to the default route
 auto* header_value_option = route_config->mutable_response_headers_to_add()->Add();
 header_value_option->mutable_header()->set_value("direct-response-enabled");
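Review bot: The comment added above `set_inline_bytes(body)` says the path "may look illegal to Envoy" but names neither the check nor the condition, so a later reader cannot tell when a file-backed body would be usable again. Going by PATCH 2/4 of this series, the check is presumably `InstanceImplPosix::illegalPath` and the trigger is where the fuzzing environment places temporary files; a comment such as `// Inline the body: the temp file from writeStringToFileForTest may resolve to a path that illegalPath() rejects under the fuzzer.` would record that. It is also worth stating in the commit message that these fuzzers no longer exercise the filename-backed direct-response body. The same comment is added to H2FuzzIntegrationTest::initialize() in PATCH 4/4, and the lambda it sits in starts and ends outside this hunk.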
diff --git a/test/integration/h1_corpus/clusterfuzz-testcase-h1_capture_direct_response_fuzz_test-5145199254831104 b/test/integration/h1_corpus/clusterfuzz-testcase-h1_capture_direct_response_fuzz_test-5145199254831104
new file mode 100644
index 0000000000000..ed8ac64aa376c
--- /dev/null
+++ b/test/integration/h1_corpus/clusterfuzz-testcase-h1_capture_direct_response_fuzz_test-5145199254831104
@@ -0,0 +1,3 @@
+events {
+ downstream_send_bytes: "POST /test/long/url HTTP/1.1\r\nhost: host\r\nx-lyft-user-id: 123\r\nx-fkrwarded-for: 10.0.0.1\r\ntransfer-encoding:event\r\nx-lyft-user-id: 123\r\nx-fkrwarded-for: 10.0.0.1\r\ntransfer-encoding:events er-id: 123\r\nx-fkrwarded-for: 10.0.0.1\r\ntransfer-encoding:events {\n downnstrc"
+}
\ No newline at end of file
From 139deb7bf8c849f01fdce8550ba14fe2a67905c9 Mon Sep 17 00:00:00 2001
From: Asra Ali
Date: Thu, 4 Mar 2021 14:46:46 -0500
Subject: [PATCH 2/4] fix bootrstrap path
Signed-off-by: Asra Ali
---
 .../filesystem/posix/filesystem_impl.cc | 8 ++++++
 ...case-h2_capture_fuzz_test-5096668204761088 | 28 +++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 test/integration/h2_corpus/clusterfuzz-testcase-h2_capture_fuzz_test-5096668204761088
diff --git a/source/common/filesystem/posix/filesystem_impl.cc b/source/common/filesystem/posix/filesystem_impl.cc
index 5f69e98e764bf..747b96687c889 100644
--- a/source/common/filesystem/posix/filesystem_impl.cc
+++ b/source/common/filesystem/posix/filesystem_impl.cc
@@ -160,6 +160,14 @@ bool InstanceImplPosix::illegalPath(const std::string& path) {
 absl::StartsWith(canonical_path.rc_, "/proc")) {
 return true;
 }
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+ // Allow temporary files in OSS-Fuzz to prevent failures running (h1/h2)_capture_fuzz_test.
+ // Ideally this would be TestEnvironment::temporaryPath() but this avoids depending on test
+ // libraries.
+ if (absl::StartsWith(canonical_path.rc_, "/mnt")) {
+ return true;
+ }
+#endif
 return false;
 }
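Review bot: The branch added under `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` returns `true` for canonical paths starting with "/mnt", and `true` is what the context lines just above return for the rejected "/proc" prefix, so as written it appears to block /mnt rather than allow it as its comment says. Because the function falls through to `return false;` right after, an allow-branch at this position could not change the result anyway; whatever rejects the OSS-Fuzz temporary path is presumably earlier in illegalPath, outside the hunk. `absl::StartsWith(canonical_path.rc_, "/mnt")` is also a bare string-prefix test, so it would match sibling names that merely begin with those characters. More generally, a fuzz-only branch inside a path-validation function makes the fuzzed binary disagree with production on a security check, which is better avoided by keeping the workaround in the test; PATCH 4/4 of this series removes the block.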
diff --git a/test/integration/h2_corpus/clusterfuzz-testcase-h2_capture_fuzz_test-5096668204761088 b/test/integration/h2_corpus/clusterfuzz-testcase-h2_capture_fuzz_test-5096668204761088
new file mode 100644
index 0000000000000..7ba9c97f1245e
--- /dev/null
+++ b/test/integration/h2_corpus/clusterfuzz-testcase-h2_capture_fuzz_test-5096668204761088
@@ -0,0 +1,28 @@
+events {
+ downstream_send_event {
+ h2_frames {
+ settings {
+ }
+ }
+ h2_frames {
+ }
+ h2_frames {
+ request {
+ stream_index: 1
+ host: "host"
+ path: "/path/to/long/url"
+ }
+ }
+ }
+}
+events {
+}
+events {
+ downstream_send_event {
+ h2_frames {
+ generic {
+ frame_bytes: "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
+ }
+ }
+ }
+}
\ No newline at end of file
From e0ce71294a9ee6716dc771e26726b413001cdc1a Mon Sep 17 00:00:00 2001
From: Asra Ali
Date: Thu, 4 Mar 2021 16:28:49 -0500
Subject: [PATCH 3/4] fix arm
Signed-off-by: Asra Ali
---
 test/integration/h1_capture_direct_response_fuzz_test.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/integration/h1_capture_direct_response_fuzz_test.cc b/test/integration/h1_capture_direct_response_fuzz_test.cc
index 31f149de9435f..af93de0b152cf 100644
--- a/test/integration/h1_capture_direct_response_fuzz_test.cc
+++ b/test/integration/h1_capture_direct_response_fuzz_test.cc
@@ -9,7 +9,7 @@ void H1FuzzIntegrationTest::initialize() {
 const std::string prefix("/");
 const Http::Code status(Http::Code::OK);
 config_helper_.addConfigModifier(
- [&file_path, &prefix](
+ [&body, &prefix](
 envoy::extensions::filters::network::http_connection_manager::v3::HttpConnectionManager& hcm) -> void {
 auto* route_config = hcm.mutable_route_config();
From 206442f43986187e689cff02b4c51bfd5355658c Mon Sep 17 00:00:00 2001
From: Asra Ali
Date: Fri, 5 Mar 2021 11:07:53 -0500
Subject: [PATCH 4/4] address comment
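Review bot: The lambda passed to `config_helper_.addConfigModifier` in the PATCH 3/4 hunk captures `body` and `prefix` by reference (`[&body, &prefix](`), and both are locals of initialize(). That is only safe if the modifier runs before initialize() returns, which cannot be confirmed from this hunk because the function continues outside it. Capturing by value, `[body, prefix](`, costs two short string copies in test code and removes the lifetime question. The same capture list appears in H2FuzzIntegrationTest::initialize() in PATCH 4/4.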
Signed-off-by: Asra Ali
---
 source/common/filesystem/posix/filesystem_impl.cc | 8 --------
 test/integration/h2_capture_direct_response_fuzz_test.cc | 7 ++++---
 2 files changed, 4 insertions(+), 11 deletions(-)
diff --git a/source/common/filesystem/posix/filesystem_impl.cc b/source/common/filesystem/posix/filesystem_impl.cc
index 747b96687c889..5f69e98e764bf 100644
--- a/source/common/filesystem/posix/filesystem_impl.cc
+++ b/source/common/filesystem/posix/filesystem_impl.cc
@@ -160,14 +160,6 @@ bool InstanceImplPosix::illegalPath(const std::string& path) {
 absl::StartsWith(canonical_path.rc_, "/proc")) {
 return true;
 }
-#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
- // Allow temporary files in OSS-Fuzz to prevent failures running (h1/h2)_capture_fuzz_test.
- // Ideally this would be TestEnvironment::temporaryPath() but this avoids depending on test
- // libraries.
- if (absl::StartsWith(canonical_path.rc_, "/mnt")) {
- return true;
- }
-#endif
 return false;
 }
diff --git a/test/integration/h2_capture_direct_response_fuzz_test.cc b/test/integration/h2_capture_direct_response_fuzz_test.cc
index 78bd2d3f6ef7c..fd7c2e9ef0cc0 100644
--- a/test/integration/h2_capture_direct_response_fuzz_test.cc
+++ b/test/integration/h2_capture_direct_response_fuzz_test.cc
@@ -6,7 +6,6 @@ namespace Envoy {
 void H2FuzzIntegrationTest::initialize() {
 const std::string body = "Response body";
- const std::string file_path = TestEnvironment::writeStringToFileForTest("test_envoy", body);
 const std::string prefix("/");
 const Http::Code status(Http::Code::OK);
@@ -14,7 +13,7 @@ void H2FuzzIntegrationTest::initialize() {
 setUpstreamProtocol(FakeHttpConnection::Type::HTTP2);
 config_helper_.addConfigModifier(
- [&file_path, &prefix](
+ [&body, &prefix](
 envoy::extensions::filters::network::http_connection_manager::v3::HttpConnectionManager& hcm) -> void {
 auto* route_config = hcm.mutable_route_config();
@@ -23,7 +22,9 @@ void H2FuzzIntegrationTest::initialize() {
 hcm.mutable_route_config()->mutable_virtual_hosts(0)->mutable_routes(0);
 default_route->mutable_match()->set_prefix(prefix);
 default_route->mutable_direct_response()->set_status(static_cast(status));
- default_route->mutable_direct_response()->mutable_body()->set_filename(file_path);
+ // Use inline bytes rather than a filename to avoid using a path that may look illegal to
+ // Envoy.
+ default_route->mutable_direct_response()->mutable_body()->set_inline_bytes(body);
 // adding headers to the default route
 auto* header_value_option = route_config->mutable_response_headers_to_add()->Add();
 header_value_option->mutable_header()->set_value("direct-response-enabled");