Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add some security/fuzz testing #441

Closed
twsouthwick opened this issue Mar 13, 2018 · 3 comments
Closed

Add some security/fuzz testing #441

twsouthwick opened this issue Mar 13, 2018 · 3 comments

Comments

@twsouthwick
Copy link
Collaborator

@twsouthwick twsouthwick commented Mar 13, 2018

We should add some sort of fuzz testing to test for potential security/reliability issues:

  • Zip bombs
  • Malicious XML
  • Recursive content

These are the items at the top of my head.... there are probably others

@Metalnem
Copy link

@Metalnem Metalnem commented Dec 27, 2018

Hi Taylor!

I'm the author of SharpFuzz, which is a tool that enables fuzzing of .NET programs using afl-fuzz. I did a small experiment on SpreadsheetDocument.Open method, which discovered that it can throw many unexpected exceptions (documentation states that this method should throw only OpenXmlPackageException). These are:

  • ArgumentException
  • FileFormatException
  • InvalidDataException
  • InvalidOperationException
  • XmlException

I didn't have the time to do a longer fuzzing run, and I think that this only scratches the surface of all the possible problems that could be discovered. If you are interested in exploring this area, here is my fuzzing playground for Open XML SDK.

If you have any questions, I'll be glad to assist you!

All the best,
Nemanja

@twsouthwick
Copy link
Collaborator Author

@twsouthwick twsouthwick commented Jan 4, 2019

This is awesome! I had gone through and tried to update some of the exceptions (I had noticed more were thrown than was documented).

@github-actions
Copy link

@github-actions github-actions bot commented May 15, 2020

Stale issue message

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants