Add cpp-httplib to oss-fuzz

[omjego]

Hey @yhirose !

Fuzz testing is a well-known technique for uncovering programming errors. Many of these detectable errors, like buffer overflow, parsing errors, etc can have serious security implications.

Few of the bugs that we recently fixed e.g. PR-I and PR-II were in-fact found during the fuzz testing of the library.
It would be great if we can add cpp_httplib to oss-fuzz for capturing security vulnerabilities and stability bugs.

More info here

Would love to get your thoughts on this 😄

[yhirose]

@omjego, it sounds good. Is it easily possible to add the process to the existing test/Makefile, so that we can do the fuzz testing simply with make fuzz?

[omjego]

@yhirose
Have a look at this guideline on setting up a new project.
oss-fuzz uses the build.sh created inside of oss-fuzz/projects/cpp-httplib (with env variables like $SRC, $OUT, $LIB_FUZZING_ENGINE ) to create fuzz targets and copy them to $OUT along with fuzz inputs and also copy src files in $SRC. Which it will use afterwards to do fuzz testing on its own infrastructure. (Have skipped Dockerfile stuff for simplicity).

Although testing it on local environment is bit involved. Refer this

Adding the step of building fuzz targets to Makefile (something like make fuzz-target) will save us from duplicating the compiler options in build.sh file, but I'm not sure if it will help us run fuzz tests on local machine.

[yhirose]

@omjego, thanks for the detail! I'll take a look the documentation to get familiar to oss-fuzz when I have time.

[omjego]

Hey @yhirose I'm trying to run test binary in docker container. What's the appropriate way to run tests by linking all the dependent libraries statically on local machine? What changes do I have to make in the Makefile ? I was trying to do it but ran into some weird linking issues.

[yhirose]

@omjego, I probably don't fully understand what you are asking... Anyway, httplib.h depends on openssl, zlib, brotli libraries. (You can see more information in .github/workflows/test.yaml).

I'll check your pull request #684 soon. Right now, I see some conflicts on the branch, and unit tests are failing. Could you fix those first? Then, I'll check the pull request. (Hopefully, I'll probably take your PR as it is unless it breaks existing unit tests.)
Thanks!

[omjego]

@yhirose Hey sorry I should've added some context.
So, currently all the dependencies for the test binary generated using make test are linked dynamically. So while running the binary, openssl, brotli and zlib should present on your machine.
I wanted to use existing Makefile to generate fuzz target binary as well.
Oss-fuzz does following:

1. Build fuzz target binary: Create a docker image from this Dockerfile, which will have all the dependencies (openssl, brotli, zlib) installed in it and it will run build.sh to generate the fuzz target binary. For this binary, oss-fuzz asks you to link all of its dependencies(openssl, brotli, zlib) statically. So that it can just pick the binary and run it within a container directly without worrying about its dependencies.

2. Run fuzz binary: Take binary generated in the previous step and run it within a isolated docker container with different fuzzing engines.

So I was able to statically link openssl, but faced issues while linking brotli. (zlib was already present within the container(from step 2) within which fuzz binaries are run so it got linked dynamically) So wanted to know is there any clean way to link brotli statically?

[sum01]

In reference to #684 (comment) I'm not too sure how helpful I can really be. I didn't bother to implement test support for the Cmake file, so you'll have to build them with the makefile or manually.

You should be able to link against libbrotlidec-static.a though, as I think it comes with the base distribution of Brotli.