Added fuzzer

[AdamKorcz]

This PR adds a fuzzer in an added /fuzzing directory. The fuzzer targets the Open-function.

The fuzzer can be run locally, and I also managed to run it through oss-fuzz's infrastructure. I suggest integrating Go-MySQL-Driver into oss-fuzz. oss-fuzz will run the fuzzers continuously on their platform, and if a bug is encountered, a report will be sent to the maintainers on the contact list. It is a free service that is offered with an expectation that bugs are fixed, so that the fuzzers can keep running and check for other bugs.

The current fuzzer is a good starting point. I would like to write more fuzzers for Go-MySQL-Driver to progressively increase code coverage and optimize their effectiveness.

If there is interest in integrating with oss-fuzz, I will be happy to do that. All I need are the email addresses to add to the contact list. Please note that this list will be public and can be modified at any time.

[julienschmidt]

Looking at other projects, I believe this should be just a file with a build tag in the main package. See e.g. https://github.com/golang/go/blob/4ad13555184eb0697c2e92c64c1b0bdb287ccc10/src/html/fuzz.go
This PR would add a new exported sub-package, which is definitely a no-go.

I'm also not sure how much sense it makes to fuzz Open, as it does nothing more than string parsing. It never starts any network IO on its own.

[AdamKorcz]

This PR would add a new exported sub-package, which is definitely a no-go

Sure, this should not be a problem to amend.

I'm also not sure how much sense it makes to fuzz Open, as it does nothing more than string parsing. It never starts any network IO on its own.

Fair enough, although parsers do cause crashes. This writeup and this as well provide some examples of that.

Looking at other projects, I believe this should be just a file with a build tag in the main package

Yes, this can be added. I can confirm that the fuzzers are running fine on oss-fuzz's infrastructure without it.

[julienschmidt]

Ok sure, we have to start somewhere.

[julienschmidt]

• Move it to the main package (with build tag)
• Indicate who the copyright holder is or make an addition to the AUTHORS file

[julienschmidt]

LGTM. Thanks!

[AdamKorcz]

Shall I setup continuous fuzzing for mysql through oss-fuzz as well? I have the fuzzer running on their infrastructure, and I will be happy to set it up.

[julienschmidt]

We would definitely appreciate it 👍

I just noticed that you didn't indicate who the copyright holder is (simple comment is enough) or made an addition to the AUTHORS file. Could you please also do that?

[AdamKorcz]

Sure, I will get it added.

Could you provide me with an email address for potential bug reports?

[AdamKorcz]

@julienschmidt On the question of the copyright holder, will the existing header not suffice?

mysql/fuzz.go

Lines 1 to 9 in 128a673

	// Go MySQL Driver - A MySQL-Driver for Go's database/sql package.
	//
	// Copyright 2020 The Go-MySQL-Driver Authors. All rights reserved.
	//
	// This Source Code Form is subject to the terms of the Mozilla Public
	// License, v. 2.0. If a copy of the MPL was not distributed with this file,
	// You can obtain one at http://mozilla.org/MPL/2.0/.
	// +build gofuzz

[AdamKorcz]

@julienschmidt Kind ping regarding the email addresses for bug reports

[arnehormann]

@AdamKorcz there is no common address, afaik. Can you create issues instead? Fuzzing results should (famous last words) not be security critical, the driver is as memory safe as Go is. Reports can be public ... unless a more active maintainer disagrees.

[AdamKorcz]

@arnehormann We can add any number of maintainers' email addresses to the list of bug reports - it doesn't have to be a single email address.
Creating issues, I am afraid, would not be a viable solution. For the notifications to be effective and to avoid delay, the maintainers interested in fixing potential bugs should receive the emails directly.