Merge pull request #49 from OWASP/may

Fixes for hashed files.
OWASP · May 19, 2023 · 485e58f · 485e58f
2 parents 6b828ef + 5039b77
commit 485e58f
Show file tree

Hide file tree

Showing 9 changed files with 36 additions and 30 deletions.
diff --git a/.clusterfuzzlite/Dockerfile b/.clusterfuzzlite/Dockerfile
@@ -0,0 +1,5 @@
+FROM gcr.io/oss-fuzz-base/base-builder-python:v1@sha256:c52f920f4c057e04114972891af85c3cb8c9806e4bf7fd8fea6d4f42514573ca
+RUN apt-get update && apt-get install -y make autoconf automake libtool
+COPY . $SRC/cornucopia
+WORKDIR cornucopia
+COPY .clusterfuzzlite/build.sh $SRC/
diff --git a/.clusterfuzzlite/build.sh b/.clusterfuzzlite/build.sh
@@ -0,0 +1,13 @@
+#!/bin/bash -eu
+
+# build project
+# e.g.
+# ./autogen.sh
+# ./configure
+# make -j$(nproc) all
+
+# build fuzzers
+# e.g.
+# $CXX $CXXFLAGS -std=c++11 -Iinclude \
+#     /path/to/name_of_fuzzer.cc -o $OUT/name_of_fuzzer \
+#     $LIB_FUZZING_ENGINE /path/to/library.a
diff --git a/.clusterfuzzlite/project.yaml b/.clusterfuzzlite/project.yaml
@@ -0,0 +1 @@
+language: python
diff --git a/.github/workflows/cflite_pr.yml b/.github/workflows/cflite_pr.yml
@@ -15,23 +15,15 @@ jobs:
       matrix:
         sanitizer:
         - address
-        # Override this with the sanitizers you want.
-        # - undefined
-        # - memory
+        - undefined
     steps:
     - name: Build Fuzzers (${{ matrix.sanitizer }})
       id: build
       uses: google/clusterfuzzlite/actions/build_fuzzers@v1
       with:
-        language: python # Change this to the language you are fuzzing.
+        language: python
         github-token: ${{ secrets.GITHUB_TOKEN }}
         sanitizer: ${{ matrix.sanitizer }}
-        # Optional but recommended: used to only run fuzzers that are affected
-        # by the PR.
-        # See later section on "Git repo for storage".
-        # storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/OWNER/STORAGE-REPO-NAME.git
-        # storage-repo-branch: main   # Optional. Defaults to "main"
-        # storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".
     - name: Run Fuzzers (${{ matrix.sanitizer }})
       id: run
       uses: google/clusterfuzzlite/actions/run_fuzzers@v1
@@ -40,9 +32,3 @@ jobs:
         fuzz-seconds: 600
         mode: 'code-change'
         sanitizer: ${{ matrix.sanitizer }}
-        # Optional but recommended: used to download the corpus produced by
-        # batch fuzzing.
-        # See later section on "Git repo for storage".
-        # storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/OWNER/STORAGE-REPO-NAME.git
-        # storage-repo-branch: main   # Optional. Defaults to "main"
-        # storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".
diff --git a/.python-version b/.python-version
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,4 @@
-ARG PYTHON_VERSION
-
-FROM python:${PYTHON_VERSION}-alpine AS linter-base
+FROM python:3.10-alpine@sha256:def82962a6ee048e54b5bec2fcdfd4aada4a907277ba6b0300f18c836d27f095 AS pipenv
 RUN apk add --no-cache shadow
 # UID of current user who runs the build
 ARG user_id
@@ -17,19 +15,17 @@ RUN groupmod -g 64 dialout \
     && groupmod -g 2999 ping \
     && mkdir -p "${home}" \
     && adduser -S -u "${user_id}" -h "${home}" -s "/bin/bash" -G union builder
-
-
-FROM linter-base AS pipenv
+# Add pip and build requirements
 RUN apk add --no-cache \
     bash \
     curl \
     docker \
     gcc \
     git \
     libc-dev \
-    make \
-    && pip install --upgrade pip
-RUN pip install --upgrade pipenv
+    make
+COPY --chown=builder:union requirements.txt ./
+RUN pip install -r requirements.txt --require-hashes
 USER builder
 # Install Python dependencies so they are cached
 ARG workdir
@@ -38,5 +34,5 @@ COPY --chown=builder:union Pipfile Pipfile.lock ./
 RUN pipenv install --ignore-pipfile --dev
 ENTRYPOINT [ "/usr/local/bin/pipenv" ]
 
-FROM mvdan/shfmt AS shfmt
+FROM mvdan/shfmt@sha256:b4b3f2598e3d04bbf2e54ea9c80c19d4f807f8911b27f043f7e4c82a9ee06910 AS shfmt
 ENTRYPOINT [ "/bin/shfmt" ]
diff --git a/Makefile b/Makefile
@@ -17,13 +17,11 @@ RETRY_DELAY = 0.01
 
 PYTHON_TEST_PATTERN ?= "*_?test.py" # Default to all types of tests
 PYTHON_COVERAGE_MIN = 85 # %
-PYTHON_VERSION = $(shell head -1 .python-version)
 
 .PHONY: shfmt shellcheck pipenv
 shfmt shellcheck pipenv:
 	@docker build \
 		--tag $@ \
-		--build-arg PYTHON_VERSION=$(PYTHON_VERSION) \
 		--build-arg "user_id=$(shell id -u)" \
 		--build-arg "group_id=$(shell id -g)" \
 		--build-arg "home=${HOME}" \

diff --git a/requirements.txt b/requirements.txt
@@ -0,0 +1,8 @@
+pipenv == 2023.4.29 --hash=sha256:ee86355e1965bbcabf6702a01622a5bbb7f086c45e93ed4a1ccc106bab54021e
+virtualenv == 20.23.0 --hash=sha256:6abec7670e5802a528357fdc75b26b9f57d5d92f29c5462ba0fbe45feacc685e
+virtualenv-clone == 0.5.7 --hash=sha256:44d5263bceed0bac3e1424d64f798095233b64def1c5689afa43dc3223caf5b0
+certifi == 2023.5.7 --hash=sha256:c6c2e98f5c7869efca1f8916fed228dd91539f9f1b444c314c06eef02980c716
+setuptools == 67.7.2 --hash=sha256:23aaf86b85ca52ceb801d32703f12d77517b2556af839621c641fca11287952b
+platformdirs == 3.5.1 --hash=sha256:e2378146f1964972c03c085bb5662ae80b2b8c06226c54b2ff4aa9483e8a13a5
+filelock == 3.12.0 --hash=sha256:ad98852315c2ab702aeb628412cbf7e95b7ce8c3bf9565670b4eaecf1db370a9
+distlib == 0.3.6 --hash=sha256:f35c4b692542ca110de7ef0bea44d73981caeb34ca0b9b6b2e6d7790dda8f80e
diff --git a/scripts/convert.py b/scripts/convert.py
@@ -476,7 +476,7 @@ def get_replacement_mapping_value(k: str, v: str, el_text: str) -> str:
 
 
 def get_replacement_value_from_dict(el_text: str, replacement_values: List[Tuple[str, str]]) -> str:
-    for (k, v) in replacement_values:
+    for k, v in replacement_values:
         k2: str = k.replace("'", "’").strip()
         v2: str = v.strip()
         if el_text == k: