Fuzz Testing via OSS-Fuzz Proposal #385

Open
DaveLak opened this issue May 2, 2024 · 0 comments


DaveLak commented May 2, 2024

Fuzz Testing via OSS-Fuzz Proposal

Hi,

I was wondering if you would be interested in continuous fuzz testing for this project via an integration with OSS-Fuzz. I've been contributing to OSS-Fuzz integrated projects recently [1] as a means to learn more about fuzzing, and to give some meaningful value back to the open source community that's enabled me over the years, and I thought mistune could benefit from such an integration.

About OSS-Fuzz

OSS-Fuzz is a free service run by Google that performs continuous fuzzing of important open source projects to automate test-case generation and identify bugs that are difficult to find via traditional unit tests.

From the OSS-Fuzz project's README:

Fuzz testing is a well-known technique for uncovering programming errors in software. Many of these detectable errors, like buffer overflow, can have serious security implications. Google has found thousands of security vulnerabilities and stability bugs by deploying guided in-process fuzzing of Chrome components, and we now want to share that service with the open source community.

In cooperation with the Core Infrastructure Initiative and the OpenSSF, OSS-Fuzz aims to make common open source software more secure and stable by combining modern fuzzing techniques with scalable, distributed execution.

What Happens When OSS-Fuzz Finds a Bug

Because of the nature of OSS-Fuzz as a security tool, bugs identified by fuzzing are reported privately on an issue tracker that requires a Gmail account to access.

The issue tracker has a 90-day disclosure policy so project maintainers (or anyone else that maintainers wish to add to the access allow list) can evaluate the impact of the bug before it becomes public.

Next Steps if You Are Interested

I am happy to set up the integration and contribute as much or as little to its maintenance as you would find helpful.

An integration requires:

1. A PR on the OSS-Fuzz repo proposing the project with a comment from a maintainer approving it.

This would add some config files (see the GitPython files for reference) and request the OSS-Fuzz maintainers at Google to consider mistune for integration. Given this project is a parser with a large footprint in the Python community, I'd expect the approval to be smooth, but if you happen to know of some high profile or popular projects that depend on mistune, that would help inform their review.

2. A PR adding fuzz tests and some setup scripts used by OSS-Fuzz in this repo.

I have already experimented with the setup in a fork prior to opening this issue, so you can see the changes to this repo that I'd propose via PR here: master...DaveLak:mistune:oss-fuzz-initial-integration


Thanks for reading! Let me know if there is anything I can clarify!

Footnotes

[1] See the commit history of the files in GitPython's fuzzing/ directory for a detailed log: https://github.com/gitpython-developers/GitPython/tree/5f267792b7983bd85f4a4f6299b9d795516d0892/fuzzing
