[Security] Implement fuzzing for tar parsing and patching

## Issue
OpenSSF Scorecard identified that the project does not implement fuzzing, scoring 0/10.

## Risk Level
**Medium** - Fuzzing helps discover edge cases, crashes, and potential security vulnerabilities in parsing logic before they reach production.

## Current State
- No fuzzing tests implemented
- Tar parsing and patching logic not fuzz-tested
- Missing automated vulnerability discovery for malformed inputs

## Recommendation
Implement fuzzing for critical attack surfaces:

### Priority Areas for Fuzzing:
1. **Tar file parsing** - Test with malformed/malicious tar archives
2. **Diff generation** - Fuzz tar-diff logic with edge cases
3. **Patch application** - Test tar-patch with corrupted tardiff files
4. **Multi-file scenarios** - Fuzz overlapping/conflicting tar entries

### Implementation Options:

**Option 1: Go Native Fuzzing (Recommended)**
Go 1.18+ includes built-in fuzzing support:
```go
func FuzzTarParser(f *testing.F) {
    f.Fuzz(func(t *testing.T, data []byte) {
        // Test tar parsing with arbitrary input
        ParseTar(bytes.NewReader(data))
    })
}
```

**Option 2: OSS-Fuzz Integration**
- Submit project to [OSS-Fuzz](https://github.com/google/oss-fuzz)
- Provides continuous fuzzing infrastructure
- Automatic bug reporting and regression testing
- Free for open-source projects

### Benefits:
- Discover crashes and panics before users do
- Find edge cases that manual testing misses
- Improve robustness against malicious inputs
- Continuous security testing

## Steps to Implement
1. Add fuzz tests to `pkg/tar-diff` and `pkg/tar-patch`
2. Create corpus of valid tar files for seed inputs
3. Run fuzz tests locally: `go test -fuzz=. -fuzztime=10m`
4. (Optional) Apply to OSS-Fuzz for continuous fuzzing
5. Add fuzzing to CI pipeline

## Example Fuzz Targets
- `FuzzTarDiff` - Test diff generation with random tar inputs
- `FuzzTarPatch` - Test patch application with corrupted tardiff files
- `FuzzMultiLayerTar` - Test multi-file scenarios with overlapping entries

## References
- [OpenSSF Scorecard - Fuzzing](https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing)
- [Go Fuzzing Documentation](https://go.dev/doc/fuzz/)
- [OSS-Fuzz](https://google.github.io/oss-fuzz/)
- OpenSSF Scorecard Score: 0/10

## Related
Part of OpenSSF Scorecard evaluation THEEDGE-4717 (overall score: 6.8/10)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security] Implement fuzzing for tar parsing and patching #87

Issue

Risk Level

Current State

Recommendation

Priority Areas for Fuzzing:

Implementation Options:

Benefits:

Steps to Implement

Example Fuzz Targets

References

Related

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Security] Implement fuzzing for tar parsing and patching #87

Description

Issue

Risk Level

Current State

Recommendation

Priority Areas for Fuzzing:

Implementation Options:

Benefits:

Steps to Implement

Example Fuzz Targets

References

Related

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions