Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OSS-Fuzz Integration #1195

Open
ennamarie19 opened this issue Jun 5, 2024 · 10 comments
Open

OSS-Fuzz Integration #1195

ennamarie19 opened this issue Jun 5, 2024 · 10 comments
Labels
code-quality question testing

Comments

@ennamarie19
Copy link

My name is McKenna Dallmeyer and I would like to submit fpdf2 to OSS-Fuzz.

If you are not familiar with the project, OSS-Fuzz is Google's platform for continuous fuzzing of Open Source Software.

In order to get the most out of this program, it would be greatly beneficial to be able to merge-in my fuzz harness and build scripts into the upstream repository and contribute bug fixes if they come up. Is this something that you would support me putting the effort into?

Thank you!
@andersonhc
Copy link
Collaborator

It seems very interesting. You can submit your PR and we'll go from there.

@ennamarie19
Copy link
Author

ennamarie19 commented Jun 6, 2024
edited
Loading

Wonderful! Thank you! Could you share an email address with me that I can include in my submission to OSS-Fuzz so that you are notified should any vulnerabilities be uncovered? I have to submit a project's maintainer's email with my project.yaml submission to OSS-Fuzz.
@andersonhc

@andersonhc
Copy link
Collaborator

Wonderful! Thank you! Could you share an email address with me that I can include in my submission to OSS-Fuzz so that you are notified should any vulnerabilities be uncovered? I have to submit a project's maintainer's email with my project.yaml submission to OSS-Fuzz. @andersonhc

you can start with [email protected]

@ennamarie19 ennamarie19 mentioned this issue Jun 10, 2024
Open
@Lucas-C
Copy link
Member

Lucas-C commented Jun 13, 2024
edited
Loading

Hi.

My name is McKenna Dallmeyer and I would like to submit fpdf2 to OSS-Fuzz.

Welcome and good idea!
I tried to add CPython to OSS-Fuzz a few years ago (google/oss-fuzz#731 (comment)), but that attempt did not succeed at the time... 😅

In order to get the most out of this program, it would be greatly beneficial to be able to merge-in my fuzz harness

What exactly is your "fuzz harness"?

Another naive question: should we provide fuzz targets?

Thank you for this intent to contribute to fpdf2 @ennamarie19 🙂 👍

@ennamarie19
Copy link
Author

ennamarie19 commented Jun 13, 2024
edited
Loading

Hi @Lucas-C !
Thanks for the response!
By fuzz harness, I mean I will need to host python scripts in this repository that fuzz various entry points into fpdf2.

While it is not required, it would be helpful if you could provide potential entry points that you think would benefit the most from fuzz testing.

Thank you for your help!

@Lucas-C
Copy link
Member

Lucas-C commented Jun 13, 2024
edited
Loading

By fuzz harness, I mean I will need to host python scripts in this repository that fuzz various entry points into fpdf2.

👍

While it is not required, it would be helpful if you could provide potential entry points that you think would benefit the most from fuzz testing.

fpdf2 is a PDF producer, so bascially input is code, and output is a PDF document.

We have various PDF-checkers in our CI pipeline that ensure that PDFs produced in our test suite are valid:
https://github.com/py-pdf/fpdf2/blob/master/.github/workflows/continuous-integration-workflow.yml#L45
Maybe they could be useful when fuzzing, to check that the output is valid, or not (meaning a probable bug)?

Regarding the input, I don't really know how what the best entry point / fuzzing target would be...
Should it be a single program?
Maybe one of our tutorial scripts, or one of our unit tests?

Do you have guidelines or documentation to help setting up Python fuzzing targets?

@gmischler
Copy link
Collaborator

Regarding the input, I don't really know how what the best entry point / fuzzing target would be...
Should it be a single program?
Maybe one of our tutorial scripts, or one of our unit tests?

The complete test suite?
If it's worth testing, it's worth fuzzing. 🤡

@ennamarie19
Copy link
Author

ennamarie19 commented Jun 18, 2024 via email
edited by Lucas-C
Loading

@Lucas-C
Copy link
Member

Lucas-C commented Aug 27, 2024

Juste in order to clarify the status of this issue: is anyone working or planning to work on integrating fpdf2 with OSS-Fuzz? 🙂

@ennamarie19
Copy link
Author

ennamarie19 commented Aug 27, 2024 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
code-quality question testing
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Lucas-C @andersonhc @gmischler @ennamarie19