authorDavid Korczynski <david@adalogics.com>2022-11-30 06:47:10 -0800
committerNed Batchelder <ned@nedbatchelder.com>2023-01-26 21:07:20 -0500
commit17043980d75ce7e4c5807933759f5ca581386b16 (patch)
treeba35765e6c34546b4eeea05c7ee91f0540f45f5b
parent2d628d40d60f967f135a8c21a62a000716c45054 (diff)
test: add fuzzing set up
Signed-off-by: David Korczynski <david@adalogics.com>
-rw-r--r--requirements/dev.pip28
-rw-r--r--requirements/pytest.pip2
-rw-r--r--requirements/tox.pip12
-rw-r--r--tests/test_fuzz_parser.py65
4 files changed, 107 insertions, 0 deletions
diff --git a/requirements/dev.pip b/requirements/dev.pip
index c2f80a44..e1d735e5 100644
--- a/requirements/dev.pip
+++ b/requirements/dev.pip
@@ -630,4 +630,32 @@ zipp==3.11.0 \
# -r requirements/pip.pip
# -r requirements/pytest.pip
# importlib-metadata
+<<<<<<< HEAD
# importlib-resources
+||||||| parent of 3ef3fd0c (test: add fuzzing set up)
+ # pep517
+
+# The following packages are considered to be unsafe in a requirements file:
+pip==22.3.1 \
+ --hash=sha256:65fd48317359f3af8e593943e6ae1506b66325085ea64b706a998c6e83eeaf38 \
+ --hash=sha256:908c78e6bc29b676ede1c4d57981d490cb892eb45cd8c214ab6298125119e077
+ # via -r requirements/pip.pip
+setuptools==65.6.3 \
+ --hash=sha256:57f6f22bde4e042978bcd50176fdb381d7c21a9efa4041202288d3737a0c6a54 \
+ --hash=sha256:a7620757bf984b58deaf32fc8a4577a9bbc0850cf92c20e1ce41c38c19e5fb75
+ # via check-manifest
+=======
+ # pep517
+
+# The following packages are considered to be unsafe in a requirements file:
+pip==22.3.1 \
+ --hash=sha256:65fd48317359f3af8e593943e6ae1506b66325085ea64b706a998c6e83eeaf38 \
+ --hash=sha256:908c78e6bc29b676ede1c4d57981d490cb892eb45cd8c214ab6298125119e077
+ # via -r requirements/pip.pip
+setuptools==65.6.3 \
+ --hash=sha256:57f6f22bde4e042978bcd50176fdb381d7c21a9efa4041202288d3737a0c6a54 \
+ --hash=sha256:a7620757bf984b58deaf32fc8a4577a9bbc0850cf92c20e1ce41c38c19e5fb75
+ # via check-manifest
+atheris==2.1.1 \
+ --hash=sha256:97d5111b9de4d581b8a51cac3ebcacd81b2d2a69661f99b9316194ea6a01f6c7
+>>>>>>> 3ef3fd0c (test: add fuzzing set up)
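Review bot: The added lines include unresolved merge-conflict markers (`<<<<<<< HEAD`, `||||||| parent of 3ef3fd0c`, `=======`, `>>>>>>> 3ef3fd0c`), so this hash-pinned requirements file now carries both sides of the conflict, with `pip` and `setuptools` pinned twice; the requirements/tox.pip hunk adds the same markers. pip is unlikely to accept the marker lines as requirements, so an install from these files would probably fail, and a reader cannot tell which set of pins is intended. Resolve the conflict and regenerate the files from their input specifications instead of editing the compiled output by hand, so that the `atheris==2.1.1` pin also gets a `# via` annotation like the other entries.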
diff --git a/requirements/pytest.pip b/requirements/pytest.pip
index a57e8ae6..740b04cd 100644
--- a/requirements/pytest.pip
+++ b/requirements/pytest.pip
@@ -76,3 +76,5 @@ zipp==3.11.0 \
--hash=sha256:83a28fcb75844b5c0cdaf5aa4003c2d728c77e05f5aeabe8e95e56727005fbaa \
--hash=sha256:a7a22e05929290a67401440b39690ae6563279bced5f314609d9d03798f56766
# via importlib-metadata
+atheris==2.1.1 \
+ --hash=sha256:97d5111b9de4d581b8a51cac3ebcacd81b2d2a69661f99b9316194ea6a01f6c7
diff --git a/requirements/tox.pip b/requirements/tox.pip
index 202228c7..49b71931 100644
--- a/requirements/tox.pip
+++ b/requirements/tox.pip
@@ -85,4 +85,16 @@ virtualenv==20.17.1 \
zipp==3.11.0 \
--hash=sha256:83a28fcb75844b5c0cdaf5aa4003c2d728c77e05f5aeabe8e95e56727005fbaa \
--hash=sha256:a7a22e05929290a67401440b39690ae6563279bced5f314609d9d03798f56766
+<<<<<<< HEAD
# via importlib-metadata
+||||||| parent of 3ef3fd0c (test: add fuzzing set up)
+ # via
+ # importlib-metadata
+ # importlib-resources
+=======
+ # via
+ # importlib-metadata
+ # importlib-resources
+atheris==2.1.1 \
+ --hash=sha256:97d5111b9de4d581b8a51cac3ebcacd81b2d2a69661f99b9316194ea6a01f6c7
+>>>>>>> 3ef3fd0c (test: add fuzzing set up)
diff --git a/tests/test_fuzz_parser.py b/tests/test_fuzz_parser.py
new file mode 100644
index 00000000..db55d0d5
--- /dev/null
+++ b/tests/test_fuzz_parser.py
@@ -0,0 +1,65 @@
+# Licensed under the Apache License: http://www.apache.org/licenses/LICENSE-2.0
+
+"""Fuzz test PythonParser.parse_source
+
+This runs on OSS-Fuzz where coveragepy's set is located at:
+https://github.com/google/oss-fuzz/tree/master/projects/coveragepy
+
+It is configured to be a unit test as well, which makes it easier to test
+during development, e.g. to catch breaking changes.
+
+The goal of the fuzzing by way of OSS-Fuzz is to:
+- Find any uncaught illegitimate exceptions.
+- Find any security vulnerabilities as identified by pysecsan:
+ https://pypi.org/project/pysecsan/
+ Notice, pysecsan will be enabled by OSS-Fuzz and is not explicitly enabled
+ here.
+"""
+
+import sys
+import atheris
+import pytest
+
+from coverage.exceptions import NotPython
+from coverage.parser import PythonParser
+
+
+@pytest.mark.parametrize(
+ "data",
+ [
+ b"random_data",
+ b"more random data"
+ ]
+)
+def TestOneInput(data):
+ """Fuzzer for PythonParser."""
+ fdp = atheris.FuzzedDataProvider(data)
+
+ t = fdp.ConsumeUnicodeNoSurrogates(1024)
+ if not t:
+ return
+
+ try:
+ p = PythonParser(text = t)
+ p.parse_source()
+ except (NotPython, MemoryError) as e2:
+ # Catch Memory error to avoid reporting stack overflows.
+ # Catch NotPython issues as these do not signal a bug.
+ pass
+ except ValueError as e:
+ if "source code string cannot contain null bytes" in str(e):
+ # Not interesting
+ pass
+ else:
+ raise e
+
+
+def main():
+ """Launch fuzzing campaign."""
+ atheris.instrument_all()
+ atheris.Setup(sys.argv, TestOneInput, enable_python_coverage=True)
+ atheris.Fuzz()
+
+
+if __name__ == "__main__":
+ main()
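Review bot: The module-level `import atheris` makes collection of this file fail wherever the atheris package is not installed or cannot be built, which ties the ordinary test run to a fuzzing dependency; `atheris = pytest.importorskip("atheris")` would skip the file instead. The function name `TestOneInput` does not match pytest's default `test*` function prefix, so unless the project's pytest configuration widens `python_functions` the two parametrized seed inputs are never run; a thin wrapper such as `def test_seed_inputs(data): TestOneInput(data)` carrying the `parametrize` decorator would keep the Atheris entry point name and still exercise it. In the handler, `as e2` is unused and `raise e` can be a bare `raise`. Matching on the text "source code string cannot contain null bytes" depends on the interpreter's wording, so a comment naming the Python versions it was checked against would help.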