Continuous fuzzing of python-email-validator by way of OSS-Fuzz #84

Closed
manunio opened this issue Aug 1, 2022 · 8 comments

manunio commented Aug 1, 2022

Given the popularity of python-email-validator, I was thinking that it would be nice to set up continuous fuzzing of python-email-validator, by way of OSS-Fuzz. In this PR: google/oss-fuzz#8107 I have done exactly that, namely created the necessary logic from an OSS-Fuzz perspective to integrate python-email-validator. This includes developing initial fuzzers as well as integrating into OSS-Fuzz.

Essentially, OSS-Fuzz is a free service run by Google that performs continuous fuzzing of important open source projects. The only expectation of integrating into OSS-Fuzz is that bugs will be fixed. This is not a "hard" requirement in that no one enforces this and the main point is if bugs are not fixed then it is a waste of resources to run the fuzzers, which we would like to avoid.

If you would like to integrate, could I please have an email(s)? It must be associated with a Google account like Gmail (why?). By doing that, the provided email(s) will get access to the data produced by OSS-Fuzz, such as bug reports, coverage reports and more stats. Notice the emails affiliated with the project will be public in the OSS-Fuzz repo, as they will be part of a configuration file.

manunio (Author) commented Aug 3, 2022

@JoshData friendly ping :)

JoshData (Owner) commented Aug 3, 2022

Hi. Since this is a pure python library, I don't really understand what sorts of bugs in this repository (i.e. not a dependency) this might reveal. And if the fuzzer is run once now, does it report any issues?

manunio (Author) commented Aug 3, 2022

> Hi. Since this is a pure python library, I don't really understand what sorts of bugs in this repository (i.e. not a dependency) this might reveal. And if the fuzzer is run once now, does it report any issues?

Hi @JoshData, in my initial assessment, running the fuzzer locally for a few minutes, I did find an issue, but I'm not sure what the root cause is. Maybe it's because of my local DNS or something else, but a few inputs to `validate_email()` were taking 10s to 30s before raising an `EmailUndeliverableError` exception. If you want, I can share those fuzzer inputs for a test :)

JoshData (Owner) commented Aug 3, 2022

What I'm trying to figure out here is if this is going to end up opening a lot of misdirected or spurious issues --- i.e. is this going to create new busywork for me. Before adding this project to OSS-Fuzz, I would ask you to try to sort through any issues that are going to arise immediately. If you think there might be a bug with the fuzzed inputs you generate, feel free to list them here and we can work through it.

manunio (Author) commented Aug 4, 2022

> What I'm trying to figure out here is if this is going to end up opening a lot of misdirected or spurious issues --- i.e. is this going to create new busywork for me.

Hi Josh, thanks for raising valid points. As a new contributor to OSS-Fuzz I was not sure how to address this and asked the OSS-Fuzz team for their thoughts, but based on past projects integrated into OSS-Fuzz here is what I think:

Yes, there is a chance of it raising such issues, but it's less likely, as all this fuzzer is doing right now is testing email-validator against random inputs, which we can fine-tune to reduce noise and see that it only raises valid reports. In the end, if you are still not convinced that this integration is helping you, we can disable the project at OSS-Fuzz.

> Before adding this project to OSS-Fuzz, I would ask you to try to sort through any issues that are going to arise immediately. If you think there might be a bug with the fuzzed inputs you generate, feel free to list them here and we can work through it.

For this I'll have to run it locally or via another medium. It will be hard for me to run it locally, as inputs are random, hence the chances of the initial assessment issues occurring again are random too, and running a fuzzer for a long time is resource intensive, so I believe the best place for that is OSS-Fuzz with their continuous fuzzing.

If you are still interested, please let me know :)
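An added example, not part of this thread and not the harness from google/oss-fuzz#8107: a replay triage that reports a saved fuzzer input only when it raises something other than the documented rejection or exceeds a time budget, which is the noise filtering discussed above. `sample_target`, `SAMPLE_INPUTS` and the budget values are constructed for illustration; `email_validator_target` shows the assumed wiring to the real library with deliverability checks turned off.

```python
import time

def email_validator_target():
    """Real wiring (needs the email_validator package; imported lazily).
    check_deliverability=False keeps DNS lookups out of the timing."""
    from email_validator import validate_email, EmailNotValidError
    return (lambda s: validate_email(s, check_deliverability=False),
            (EmailNotValidError,))

def sample_target(addr):
    """Constructed stand-in so the block runs offline; NOT the library's logic."""
    local, sep, domain = addr.partition("@")
    if not sep or not local:
        raise ValueError("not an address")      # the documented rejection
    if domain.startswith("slow."):
        time.sleep(0.3)                         # simulates a stalled lookup
    return domain[0].lower() + domain[1:]       # seeded bug: IndexError on ""

# Constructed replay corpus (hypothetical saved fuzzer inputs).
SAMPLE_INPUTS = [b"user@example.com", b"no-at-sign", b"user@",
                 b"user@slow.example", b"\xff@example.com"]

def triage(target, expected, inputs, budget_s=1.0):
    """Replay inputs; return (input, verdict, seconds) only for reportable ones."""
    findings = []
    for data in inputs:
        text = data.decode("utf-8", errors="replace")
        verdict = None
        start = time.perf_counter()
        try:
            target(text)
        except expected:
            pass                                # documented failure, not a bug
        except Exception as exc:                # anything else is a finding
            verdict = "crash:" + type(exc).__name__
        elapsed = time.perf_counter() - start
        if elapsed > budget_s:
            verdict = (verdict + "+slow") if verdict else "slow"
        if verdict:
            findings.append((data, verdict, round(elapsed, 3)))
    return findings

if __name__ == "__main__":
    for row in triage(sample_target, (ValueError,), SAMPLE_INPUTS, budget_s=0.1):
        print(row)
```

To replay against the library itself, call `triage(*email_validator_target(), inputs)` with the saved inputs.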

manunio (Author) commented Aug 19, 2022

Hi @JoshData, will it be okay for me to add my mail ID for this integration, as I did for some other project integrations? I'll keep an eye out for exceptions or other crashes and will raise them here if it feels like a genuine issue.

If you don't want to go ahead with the integration, please let me know here :)

JoshData (Owner) commented

That sounds like a great solution. Yes, please go ahead. :)

manunio (Author) commented Aug 19, 2022

Closing this now. Later, if you wish to add your mail, please create a new issue at OSS-Fuzz or you can let me know :)

manunio closed this as completed Aug 19, 2022