Initial fuzzing set up #6832

Open
wants to merge 4 commits into
base: main

DavidKorczynski

@kapilt following our discussion I added a fuzzing set up. I also added a doc clarifying fuzzing of cloud-custodian and why there is not a ton to come for.

Please take a look. If you run the fuzzer you should be able to trigger an uncaught exception:

#1738   NEW    cov: 194 ft: 261 corp: 19/64b lim: 8 exec/s: 0 rss: 60Mb L: 6/6 MS: 2 CopyPart-ChangeByte-
#1869   REDUCE cov: 194 ft: 261 corp: 19/63b lim: 8 exec/s: 0 rss: 60Mb L: 5/6 MS: 1 EraseBytes-
                                      
 === Uncaught Python exception: ===                                  
ValueError: Invalid IPv6 URL                         
Traceback (most recent call last):       
  File "./tests/fuzzing/fuzz_general.py", line 22, in fuzz_general                                      
    utils.parse_url_config(schema_str)                                                                        
  File ".../cloud-custodian/venv/lib/python3.6/site-packages/c7n/utils.py", line 595, in parse_url_config
    parsed = urlparse.urlparse(url)            
  File "/usr/lib/python3.6/urllib/parse.py", line 368, in urlparse                           
    splitresult = urlsplit(url, scheme, allow_fragments)                   
  File "/usr/lib/python3.6/urllib/parse.py", line 460, in urlsplit         
    raise ValueError("Invalid IPv6 URL")

@linux-foundation-easycla

linux-foundation-easycla bot commented Aug 3, 2021

CLA Signed

The committers are authorized under a signed CLA.

  • ✅ DavidKorczynski (75407dd, 0e43433, 6fc2db1bb30b86ff0d4e1569186aad3b1e50604d)

@kapilt
Collaborator

kapilt commented Aug 3, 2021

@DavidKorczynski thanks, we use the cncf/lf cla for this project vs dco per the bot message. we'll also need to add in a dep dependency for atheris, i'm happy to do that once the cla is taken care of.

@DavidKorczynski
Author

Thanks Kapil, I actually thought I did this - but I had to register our organisation (Ada Logics) first. My thought was it would just take some time - will look into this a bit later!

@DavidKorczynski
Author

will the CLA update automatically after I have signed or do I need to do something to trigger it?

@kapilt
Collaborator

kapilt commented Aug 3, 2021

ugh.. it should auto update, but we've had at least one other person with issues in this, where i had to manually check the tool because it didn't auto update.

@DavidKorczynski
Author

Hmm - there might have been some oddities since I both had to create an organisation and then put myself on the approved list on the CLA. However, I am pretty sure I have done what could be done for the signing now. I have issued a ticket for the Linux Foundation support.

@DavidKorczynski
Author

@kapilt got the CLA done :)!

@kapilt
Collaborator

kapilt commented Aug 6, 2021

thanks reproduced on the fuzz result, i'm a little unclear the parse url config err as anything needing specific handling, the date parse is actually pretty useful to fuzz, in that it does get called with untrusted inputs, as we parse tag values from resources (aka potentially attacker controlled). added in to dev deps for wrt to packaging, currently doing a run to see total run time and if we can add as a github action.
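An added example, not code from this PR or from cloud-custodian: a harness wrapper that separates documented rejections (such as the `ValueError: Invalid IPv6 URL` in the traceback above) from unexpected exceptions, so the same input can be triaged either way. `parse_url_stub`, `run_one`, `triage` and the corpus are hypothetical names and constructed inputs; the stub only mirrors the `urlparse` call visible in the traceback.

```python
import urllib.parse

# Assumption: ValueError is an acceptable way for the target to reject
# malformed input, so it is not counted as a finding.
EXPECTED = (ValueError,)


def parse_url_stub(url):
    """Hypothetical stand-in for the parser in the traceback: it calls urlparse."""
    return urllib.parse.urlparse(url)


def run_one(target, data, expected=EXPECTED):
    """Feed one fuzz input to target and classify the outcome."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "rejected"  # harness-level rejection: input is not valid text
    try:
        target(text)
    except expected:
        return "rejected"  # documented failure mode, the fuzzer keeps going
    except Exception:
        return "finding"   # anything else deserves a look
    return "ok"


def triage(target, corpus, expected=EXPECTED):
    """Group a corpus by outcome so findings can be reviewed separately."""
    results = {"ok": [], "rejected": [], "finding": []}
    for data in corpus:
        results[run_one(target, data, expected)].append(data)
    return results


# Constructed sample inputs, not taken from the fuzzer's real corpus.
CORPUS = [b"http://example.com/?a=1", b"//[", b"\xff\xfe", b"sqs://[::1]/queue"]

if __name__ == "__main__":
    # Tolerant harness: the unbalanced bracket is a rejection.
    print(triage(parse_url_stub, CORPUS))
    # Strict harness (no expected exceptions): the same input is reported.
    print(triage(parse_url_stub, CORPUS, expected=()))
```

Under a coverage-guided fuzzer such as Atheris, the "finding" branch corresponds to letting the exception propagate out of the test function, which is what produces the uncaught-exception report shown in the first comment.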

@DavidKorczynski
Author

> thanks reproduced on the fuzz result, i'm a little unclear the parse url config err as anything needing specific handling, the date parse is actually pretty useful to fuzz, in that it does get called with untrusted inputs, as we parse tag values from resources (aka potentially attacker controlled).

Great (that the fuzzing was useful)!

> added in to dev deps for wrt to packaging, currently doing a run to see total run time and if we can add as a github action.

We can! There is "CIFuzz" which allows continuous integration of fuzzing: https://google.github.io/oss-fuzz/getting-started/continuous-integration/

@DavidKorczynski
Author

FYI, I integrated urllib3 into OSS-Fuzz earlier this year and it is being fuzzed: https://github.com/google/oss-fuzz/tree/master/projects/urllib3

@DavidKorczynski
Author

@kapilt how are we doing on this one? It would be great to get it merged in as I am looking to write some CNCF documentation referencing the fuzzing set up here
