Add vault fuzzers #458
Add vault fuzzers #458
Conversation
|
Hi @AdamKorcz, While it does seem reasonable to expand the fuzzing surface here, I don't think it's appropriate for HCL to be importing packages from the Vault module to do it. I see there was already some discussion in hashicorp/vault#10475 about the fact that HCL 2 already has fuzzer implementations (in With that said, I think it would be fine to add new fuzzer implementations to HCL 1 too, since there are applications like Vault still using it, but we'd need to rework it to talk directly to the HCL API rather than indirectly through the Vault API, because it's not the HCL codebase's responsibility to fuzz test code in the Vault repository. It seems like Vault is calling into The Vault team might still be interested in including what you originally contributed as an additional layer of fuzzing that covers the extra steps Vault takes after HCL parsing and decoding, but I'm not on the Vault team so I'll have to leave them to decide how to integrate that. |
|
|
This PR adds two fuzzers that were originally submitted directly to Vault: hashicorp/vault#10475. It was suggested on the PR to submit the fuzzers here.
As mentioned on the Vault PR, one of the fuzzers found a bug that was fixed here: #410. The bug was submitted privately.
I am therefore committing these two fuzzers with the suggestion of setting up continuous fuzzing for HCL through OSS-fuzz - This is something I will be happy to do. This will allow Google to run the fuzzers continuously and notify maintainers in case bugs are found. The service is offered free of charge to open source projects with the implied expectation that bugs are fixed so that the resources spent on running Vaults fuzzers are put to good use.
I have recently published an article about the importance of running fuzzers continuously.