Closed Bug 1558638 Opened 6 years ago Closed 4 years ago

Fuzz the RemoteSettings client endpoint

Categories

(Core :: Fuzzing, defect, P1)


RESOLVED WONTFIX

People

(Reporter: mconley, Unassigned)

Details

The Remote Settings infrastructure is used to update things like the addons and graphics driver blocklists, the local Firefox Monitor stuff, and some other things as well.

Mathieu Leplatre suggested that we add the client portion of Remote Settings as a fuzzing surface, so that's what this bug tracks.

I've sent an email to fuzzing@mozilla.com as well.

The priority flag is not set for this bug.
:abillings, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(abillings)
Flags: needinfo?(abillings)
Priority: -- → P1

Freddy, we're shipping this in 71, so it'd help if we had (even more) confidence in the endpoints we were using. Who could help get this bug some traction?

Flags: needinfo?(fbraun)

Sylvestre is managing the fuzzing team. I'm confident he will get this triaged speedily :-)

Flags: needinfo?(fbraun) → needinfo?(sledru)

I spoke with Mathieu about this and since the entire API is written in JS, it doesn't appear to be something that would benefit from fuzzing. In fuzzing we're typically looking for crashes and fatal asserts that result from memory corruption issues and none of that would apply here. I would however suggest looking at having a pentest or code review done on the remote endpoint to ensure that it's properly validating its inputs.

Flags: needinfo?(sledru)

Closing per comment 4.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX