Added 2 fuzzers #13818
Added 2 fuzzers #13818
Conversation
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: AdamKorcz <adam@adalogics.com>
|
OSS-fuzz integration set up here: google/oss-fuzz#4775 |
GiteaBot
added
the
lgtm/need 2
Codecov Report
@@ Coverage Diff @@
## master #13818 +/- ##
==========================================
+ Coverage 42.21% 42.23% +0.01%
==========================================
Files 710 710
Lines 77232 77232
==========================================
+ Hits 32607 32616 +9
+ Misses 39255 39252 -3
+ Partials 5370 5364 -6
Continue to review full report at Codecov.
|
|
Email for receiving reports could be |
|
Can we not introduce another top-level directory? I'd suggest making a |
|
@silverwind Not a problem from a fuzzing-perspective. Just let me know if that is what we go for. @lafriks Duly noted! |
|
I'd say start with |
|
@silverwind Done! |
|
Is it possible to make this runnable locally? e.g. through a |
Co-authored-by: 6543 <6543@obermui.de>
Sure is. This would install some dependencies locally. I would prefer to set this up in a separate PR as it can be a quick fix or a longer task depending on the existing build system which I have not perused yet. Let me know if you are fine with that or would prefer it in this PR. Either way I am happy to do it. |
6543
added
lgtm/need 1
GiteaBot
added
the
lgtm/need 2
|
Could this be a feature of Gitea to check repositories hosted on Gitea instance? |
|
@lunny I am afraid I don't understand what you mean by "check"? |
I guess it's fine to do separately if you promise to follow up on it 😉 |
6543
removed
the
lgtm/need 2
GiteaBot
added
the
lgtm/need 2
I will be happy to. I would like to see this integrated into the build system. |
GiteaBot
removed
the
lgtm/need 2
Co-authored-by: silverwind <me@silverwind.io>
GiteaBot
added
lgtm/done
|
Oh, I think we need to add |
diff --git a/Makefile b/Makefile
index 0e33047aa..e21cf20f8 100644
--- a/Makefile
+++ b/Makefile
@@ -110,7 +110,7 @@ TAGS ?=
TAGS_SPLIT := $(subst $(COMMA), ,$(TAGS))
TAGS_EVIDENCE := $(MAKE_EVIDENCE_DIR)/tags
-GO_DIRS := cmd integrations models modules routers build services vendor
+GO_DIRS := cmd integrations models modules routers build services vendor tools
GO_SOURCES := $(wildcard *.go)
|
|
@AdamKorcz ping ? |
|
Still here. I will have a look at the diff this evening |
|
@6543 Sorry for the delay. I ran the patch with |
AFAIU it just needs an extra empty newline |
Thanks for the suggestion. That just gave "... at line 13". Nonetheless, I have added tools to the Makefile manually. Let me now if any further changes are needed from my side. |
|
@AdamKorcz pleace follow up with a make target to fuzz localy :) |
This PR adds 2 fuzzers that target
markdown.RenderRawandmarkup.PostProcessrespectively. These fuzzers are implemented by way of the go-fuzz fuzzing engine.Fuzzing is a way of testing programs whereby pseudo-random data is passed to a target with the goal of finding bugs and vulnerabilities.
I have worked on setting continuous fuzzing up for these two fuzzers which will allow them to run for longer and find harder-to-find bugs as well. I have set up the integration files for gitea on OSS-fuzz (google/oss-fuzz#4775), and upon merging the 2 fuzzers here, they would be able to run continuously through OSS-fuzz. OSS-fuzz is a free service for open source projects, and if/when bugs are found, maintainers get notified with an email containing a link to a detailed bug report with stacktrace and reproducer test-case. While it is a free service it is offered with an implied expectation that bugs are fixed, so that the resources spent on fuzzing gitea go towards resolving bugs in the codebase.
All that is needed to setup continuous fuzzing would be at least one maintainer email address.
For some examples of previous bugs found from fuzzing Golang projects I recommend checking out the trophy list on the go-fuzz repository: https://github.com/dvyukov/go-fuzz#trophies
Signed-off-by: AdamKorcz adam@adalogics.com