feat: fuzz testing infrastructure + Timespan::parse fix#70
Merged
Conversation
7 fuzz targets covering parser (YAML, conditions, field modifiers), eval (JSON event matching, regex compilation, pipeline YAML), and runtime (syslog/CEF/logfmt/auto input formats). Includes seed corpora, weekly CI workflow, and per-target max_len configuration. Roadmap item 8b.
Two issues found by fuzz_field_modifiers: 1. `split_at(s.len() - 1)` panics on multibyte UTF-8 because byte length != char count. Fixed by splitting at the last char boundary via `char_indices().next_back()`. 2. `count * multiplier` overflows for large numeric values, panicking in debug builds and silently wrapping in release. Fixed with `checked_mul` that returns InvalidTimespan on overflow.
Move hand-crafted seeds to fuzz/seeds/ (tracked) and gitignore fuzz/corpus/ (generated at runtime, cached in CI). This keeps the repo clean while preserving meaningful starting inputs.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
These build artifacts were accidentally committed; already covered by fuzz/.gitignore.
- Move matrix.target, matrix.max_len, and github.event.inputs.duration to step-level env vars to avoid template injection in run blocks. - Add concurrency group to prevent duplicate scheduled runs.
Resolves the last zizmor superfluous-actions finding; the runner already ships rustup so we use it directly.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Timespan::parsediscovered by the fuzzer: string slicing on non-char boundary with multibyte UTF-8, and integer overflow in duration calculation.Test plan
cargo test --workspacepasses (11 value tests including 2 new regression tests)cargo clippy --workspace --all-targets --all-features -- -D warningsclean