feat(fuzz): ClusterFuzzLite fuzzing of the trust-boundary parsers#58
Merged
Conversation
Continuous fuzzing (Jazzer.js via ClusterFuzzLite) of canon's three
hostile-input fail-safe contracts:
- canonicalJson / sha256: never throw on circular / BigInt / prototype-key
input; always return a string and a 64-hex digest
- gateTools: never throw on a hostile tool list (non-array, null/primitive
entries, prototype-named or duplicate twins); always a well-formed
{ report, allowed:Set } with only known statuses, and never allow a hash
it did not report
- scanSkill: never throw on a malformed skill; always a valid verdict whose
flagged/clean state agrees with its findings
Adds .clusterfuzzlite/ (OSS-Fuzz JS base builder + build.sh), the fuzz/
targets with a local `npm run fuzz` runner, and a weekly ClusterFuzzLite
workflow. @jazzer.js/core is a fuzz-only devDependency, so the package keeps
zero runtime deps.
Validated locally: ~215K executions across the three targets, no crashes
(the gate_tools run auto-derived the __proto__/prototype dictionary, so the
duplicate-twin defense was exercised directly). Also moves the OpenSSF
Scorecard Fuzzing check off 0, matching the sibling security repos.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds ClusterFuzzLite continuous fuzzing of canon's three trust-boundary parsers — the hostile-input fail-safe contracts prior audit PRs established (#40 lock/gate hardening, #41 cross-OS hash, the fail-safe pass) but that nothing exercised under a fuzzer:
canonicalJson/sha256(fuzz/canonical_json.fuzz.js) — never throw on circular refs,BigInt, prototype-named keys, or deeply nested junk; always return a string and a 64-hex digest.gateTools(fuzz/gate_tools.fuzz.js) — never throw on a hostile tool list (non-array, null/primitive entries,__proto__/toString-named tools, duplicate-name twins) or a hostile lock entry (parts:null); always a well-formed{ report, allowed:Set }with only known statuses, and never allow a content hash it did not report.scanSkill(fuzz/scan_skill.fuzz.js) — never throw on a malformed skill (null, primitive, non-arrayscanTargets, hostile launch command); always a valid verdict whose flagged/clean state agrees with its findings.How
.clusterfuzzlite/— OSS-Fuzz JavaScript base builder +build.sh(mirrors the sibling repos' setup).fuzz/targets + anpm run fuzzlocal runner (fuzz/run.mjs; isolatesCANON_HOMEand disables the keychain defensively)..github/workflows/cflite.yml— weekly (Mon 03:17 UTC) + on-demand, pinned action SHA, 300s batch,coveragesanitizer (JS has no native sanitizer).@jazzer.js/coreadded as a fuzz-onlydevDependency→ the package keeps zero runtime deps;filesstill ships onlysrc, so nothing new is published to npm.Validation
npm test: 143 tests green — thefuzz/*.fuzz.jsfiles are not discovered bynode --test.npm run fuzzlocally (Windows): ~215K executions across the three targets, no crashes. Thegate_toolsrun auto-derived the__proto__/prototypedictionary, so the prototype-name duplicate-twin defense was exercised directly.Why
Moves the OpenSSF Scorecard Fuzzing check off score 0 — one of the 6 open Scorecard advisories on the repo — matching the sibling security repos (strongroom/redstamp/fieldpass), and adds genuine hostile-input coverage of the trust boundary. No version bump.