
poco: Net library fuzzing #12506

Status: Merged (1 commit, Sep 25, 2024)

Conversation

tyler92 (Contributor) commented Sep 16, 2024

Two new fuzzing targets:

  • HTTP messages (request/response/authorization) parsing
  • Mail message parsing


tyler92 has previously contributed to projects/poco. The previous PR was #12432
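To make the shape of the two new targets concrete, here is an added example of a libFuzzer harness for a stream-based message parser. It is not code from this PR or from the Poco project: the `readRequest` function is a deliberately small, hypothetical stand-in for a library parser such as Poco's HTTP request reader, and it throws `std::runtime_error` where a Poco parser would throw a `Poco::Exception`. The point it shows is the harness contract: feed the raw fuzzer bytes through a stream, swallow the exceptions the parser is documented to throw on malformed input, and let only crashes and sanitizer reports surface as findings.

```cpp
#include <cstddef>
#include <cstdint>
#include <sstream>
#include <stdexcept>
#include <string>

// Hypothetical minimal parser standing in for a library call such as
// Poco::Net::HTTPRequest::read(std::istream&). It reads one request line
// "METHOD SP URI SP HTTP/x.y CRLF" and throws on anything malformed.
struct Request {
    std::string method;
    std::string uri;
    std::string version;
};

Request readRequest(std::istream& in) {
    std::string line;
    if (!std::getline(in, line)) throw std::runtime_error("empty request");
    if (!line.empty() && line.back() == '\r') line.pop_back();   // strip CR of CRLF

    const std::size_t sp1 = line.find(' ');
    if (sp1 == std::string::npos || sp1 == 0) throw std::runtime_error("missing method");
    const std::size_t sp2 = line.find(' ', sp1 + 1);
    if (sp2 == std::string::npos || sp2 == sp1 + 1) throw std::runtime_error("missing URI");

    Request r;
    r.method  = line.substr(0, sp1);
    r.uri     = line.substr(sp1 + 1, sp2 - sp1 - 1);
    r.version = line.substr(sp2 + 1);

    // Token methods are upper-case letters only; version must look like HTTP/d.d.
    for (char c : r.method) {
        if (c < 'A' || c > 'Z') throw std::runtime_error("bad method token");
    }
    if (r.version.size() != 8 || r.version.compare(0, 5, "HTTP/") != 0)
        throw std::runtime_error("bad version");
    return r;
}

// libFuzzer entry point. The fuzzer hands us arbitrary bytes; we wrap them in a
// stream because that is the interface such parsers consume. Expected parse
// failures are caught so they do not count as crashes; real bugs (out-of-bounds
// reads, UB, hangs) are still reported by the sanitizers the harness is built with.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, std::size_t size) {
    std::istringstream in(std::string(reinterpret_cast<const char*>(data), size));
    try {
        Request r = readRequest(in);
        (void)r.uri;   // touch the result so the parse is not optimised away
    } catch (const std::exception&) {
        // Malformed input is the normal case under fuzzing, not a finding.
    }
    return 0;
}

// Helpers for exercising the harness on constructed inputs outside libFuzzer.
// harnessAccepts() is true when no exception escapes the entry point, which is
// the invariant a harness must hold for every input.
bool harnessAccepts(const std::string& input) {
    try {
        LLVMFuzzerTestOneInput(reinterpret_cast<const uint8_t*>(input.data()), input.size());
        return true;
    } catch (...) {
        return false;
    }
}

// methodOf() returns the parsed method, or "" when the stand-in parser rejects the input.
std::string methodOf(const std::string& input) {
    std::istringstream in(input);
    try {
        return readRequest(in).method;
    } catch (const std::exception&) {
        return "";
    }
}
```

Built with `clang++ -fsanitize=fuzzer,address`, the same entry point runs under libFuzzer; a mail-message target follows the identical pattern with the parser call swapped. The seed corpus for a target like this is a handful of well-formed messages, which is why the discussion below about who owns the targets and the corpus matters: both evolve with the parser.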

jonathanmetzman (Contributor)

@DavidKorczynski WDYT of this?

tyler92 (Contributor, Author) commented Sep 18, 2024

If it helps: two issues were found by these fuzzers:

pocoproject/poco#4687
pocoproject/poco#4690

DavidKorczynski (Collaborator) left a comment

Ditto: #12526 (comment)

@tyler92 please coordinate with maintainers of poco.

tyler92 (Contributor, Author) commented Sep 25, 2024

@obiltschnig @aleks-f Hi.

Could you please help with the review here? I believe these fuzzers, and the fuzzers I added previously, are useful. They found several issues that can potentially be considered vulnerabilities. If you want, we can consider moving them upstream later.

obiltschnig

Looks good to me, and these tests are certainly very helpful. Looking forward to getting more of these in the future.
Is there any advantage of moving the tests into the poco repository?

tyler92 (Contributor, Author) commented Sep 25, 2024

As far as I understand, the main advantage is gaining ownership of the fuzz targets (and seed corpus). This means that changes to existing fuzz targets, or even the addition of new ones, can be made directly in the upstream repository without involving the maintainers of google/oss-fuzz. Given that the repository contains hundreds of different projects, this would significantly reduce the effort required from the maintainers.

Perhaps @DavidKorczynski can add more insights.

DavidKorczynski (Collaborator)

> As far as I understand, the main advantage is gaining ownership of the fuzz targets (and seed corpus). This means that changes to existing fuzz targets, or even the addition of new ones, can be made directly in the upstream repository without involving the maintainers of google/oss-fuzz. Given that the repository contains hundreds of different projects, this would significantly reduce the effort required from the maintainers.
>
> Perhaps @DavidKorczynski can add more insights.

Yes, it would be great if we could get them upstream from our perspective.

DavidKorczynski merged commit b351668 into google:master Sep 25, 2024
16 checks passed