Closed Bug 1496427 Opened 7 years ago Closed 5 years ago

[meta] Implement fuzztest for feature policy parser

Categories

(Core :: DOM: Security, enhancement, P3)

enhancement

Tracking


RESOLVED FIXED
mozilla79
Tracking Status
firefox79 --- fixed

People

(Reporter: freddy, Assigned: freddy)

References

Details

(Keywords: meta, sec-other, Whiteboard: [domsecurity-active][post-critsmash-triage][adv-main79-])

Attachments

(1 file)

Looking at <https://searchfox.org/mozilla-central/source/dom/security/featurepolicy/test/gtest/TestFeaturePolicyParser.cpp>, it seems useful and relatively easy to incorporate the parser in our fuzzing attempts. Decoder tells me this is something he could do and asked me to make this bug private. (DOM specific / webapp security problems will occur in bug 1495619.)
Priority: -- → P3
Whiteboard: [domsecurity-active]
Keywords: meta, sec-other

The meta keyword is there, the bug doesn't depend on other bugs and there is no activity for 12 months.
:decoder, maybe it's time to close this bug?

Flags: needinfo?(choller)
Summary: Implement fuzztest for feature policy parser → [meta] Implement fuzztest for feature policy parser

I think this would be a good first fuzzing bug for someone who wants to implement a libFuzzer target. The targeted parser code is not very complicated, so I don't expect a lot of bugs to fall out of this, but since it is low effort, it might still be worth trying. I think we should leave this open and find someone who wants to try this.

Flags: needinfo?(choller)
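For readers picking this up as a first fuzzing bug, here is the shape of a libFuzzer target for a directive-list parser. This is an added example, not the patch from this bug and not mozilla-central code: the `ParseFeaturePolicy`/`PolicyDirective` toy parser below is a hypothetical stand-in for the real feature policy parser (in the tree you would call the real parser and register the target through the `FuzzingInterface.h` macros instead of a bare `LLVMFuzzerTestOneInput`). The point it demonstrates is the harness contract: the fuzzer hands over a byte buffer that is not NUL-terminated and may contain any bytes, so the target must bound the input explicitly, must never crash on malformed directives by design (a crash is the signal for a real bug), and must return 0.

```cpp
// Added example: libFuzzer target for a toy feature-policy directive parser.
// The parser is a hypothetical stand-in, not Mozilla's; only the harness shape
// is the point. Build stand-alone with:
//   clang++ -std=c++17 -g -fsanitize=fuzzer,address target.cpp -o target
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <string_view>
#include <vector>

struct PolicyDirective {
  bool allowAll = false;   // "*"
  bool allowSelf = false;  // "'self'"
  bool denyAll = false;    // "'none'"
  std::vector<std::string> origins;  // explicit http(s) origins
};

using FeaturePolicy = std::map<std::string, PolicyDirective>;

static bool IsSpace(char c) { return c == ' ' || c == '\t'; }

static std::string_view Trim(std::string_view s) {
  while (!s.empty() && IsSpace(s.front())) s.remove_prefix(1);
  while (!s.empty() && IsSpace(s.back())) s.remove_suffix(1);
  return s;
}

// Parses "feature item item; feature item ..." into a map. Malformed or
// unknown items are skipped rather than rejected: a lenient parser, like the
// real one, has to accept arbitrary bytes without crashing.
FeaturePolicy ParseFeaturePolicy(std::string_view input) {
  FeaturePolicy policy;
  size_t pos = 0;
  while (pos <= input.size()) {
    size_t end = input.find(';', pos);
    if (end == std::string_view::npos) end = input.size();
    std::string_view directive = Trim(input.substr(pos, end - pos));
    pos = end + 1;
    if (directive.empty()) continue;

    // Split on whitespace; the first token is the feature name.
    std::vector<std::string_view> tokens;
    size_t i = 0;
    while (i < directive.size()) {
      while (i < directive.size() && IsSpace(directive[i])) ++i;
      size_t start = i;
      while (i < directive.size() && !IsSpace(directive[i])) ++i;
      if (i > start) tokens.push_back(directive.substr(start, i - start));
    }
    if (tokens.empty()) continue;

    PolicyDirective& d = policy[std::string(tokens[0])];
    for (size_t t = 1; t < tokens.size(); ++t) {
      std::string_view item = tokens[t];
      if (item == "*") {
        d.allowAll = true;
      } else if (item == "'self'") {
        d.allowSelf = true;
      } else if (item == "'none'") {
        d.denyAll = true;
      } else if (item.rfind("https://", 0) == 0 || item.rfind("http://", 0) == 0) {
        d.origins.emplace_back(item);
      }
      // Anything else is ignored on purpose.
    }
  }
  return policy;
}

// libFuzzer entry point. `data` is NOT NUL-terminated and `size` may be 0,
// so the input is wrapped in a bounded view instead of being treated as a
// C string. Any crash or sanitizer report inside ParseFeaturePolicy is a
// finding; the target itself must always return 0.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  std::string_view input(reinterpret_cast<const char*>(data), size);
  FeaturePolicy policy = ParseFeaturePolicy(input);
  volatile size_t sink = policy.size();  // keep the result observable
  (void)sink;
  return 0;
}
```

With `-fsanitize=fuzzer` the libFuzzer runtime supplies `main`, so running `./target corpus/` starts the loop; a seed corpus of a few valid policy strings (e.g. the cases from the existing gtest) gets coverage past the tokenizer much faster than starting from empty input.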

this is still work-in-progress, but I figured I might give it a shot while I'm waiting on this other thing..

Assignee: choller → fbraun

decoder is there anything else needed for fuzzing bugs in particular or can this be checked into central?

Flags: needinfo?(choller)

There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:freddy, could you have a look please?
For more information, please visit auto_nag documentation.

Flags: needinfo?(fbraun)

Waiting for decoder's reply in comment 5
I've run it locally and didn't find anything. What are the best next steps?
Run longer? Improve fuzzing? WONTFIX?

Flags: needinfo?(fbraun)

I think we can just go ahead and land this and we might be able to scale it in oss-fuzz.

@freddy, if you want to try, you can add it to https://github.com/google/oss-fuzz/tree/master/projects/firefox and send them a PR.

Flags: needinfo?(choller)

I'll have a couple of follow-up questions regarding the oss-fuzz work.
Who's maintaining the docker image https://github.com/google/oss-fuzz/blob/master/projects/firefox/Dockerfile#L18, specifically who is <pdknsk@gmail.com>? Do you have a link to a patch or even a doc on how to add new targets here?

Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla79

(In reply to Frederik Braun [:freddy] from comment #9)

> I'll have a couple of follow-up questions regarding the oss-fuzz work.
> Who's maintaining the docker image https://github.com/google/oss-fuzz/blob/master/projects/firefox/Dockerfile#L18, specifically who is <pdknsk@gmail.com>? Do you have a link to a patch or even a doc on how to add new targets here?

First question is obviously out of curiosity. Second is more important going forward.

Flags: needinfo?(choller)

(In reply to Frederik Braun [:freddy] from comment #12)

> (In reply to Frederik Braun [:freddy] from comment #9)
>
> > I'll have a couple of follow-up questions regarding the oss-fuzz work.
> > Who's maintaining the docker image https://github.com/google/oss-fuzz/blob/master/projects/firefox/Dockerfile#L18, specifically who is <pdknsk@gmail.com>? Do you have a link to a patch or even a doc on how to add new targets here?
>
> First question is obviously out of curiosity. Second is more important going forward.

The usual process is to send a PR to the oss-fuzz repository, previous patches doing so are in the Github history. Adding the target to build.sh should be sufficient at first glance.

The oss-fuzz documentation is here: https://google.github.io/oss-fuzz/

And in particular this part is relevant to check locally that the build process works: https://google.github.io/oss-fuzz/advanced-topics/reproducing/#building-using-docker

Let me know if you hit any problems :)

Flags: needinfo?(choller)

This landed and is now enabled in oss-fuzz. I suppose we can lift security flags from this bug quite soon?

Flags: qe-verify-
Whiteboard: [domsecurity-active] → [domsecurity-active][post-critsmash-triage]
Whiteboard: [domsecurity-active][post-critsmash-triage] → [domsecurity-active][post-critsmash-triage][adv-main79-]
Group: core-security-release
