Here's an idea, but you'll have to ask around if it's eligible for a
patch reward.
Some time ago I wrote fuzzers for Django, which have been running 24/7
on OSS-Fuzz since.
Thanks to this fuzzer, a few DoS bugs were found [2] and it would
likely have caught some historic DoS bugs.
The current fuzzer tests a host of utility functions [3]. If a
time-out, out-of-memory or uncaught exception occurs, the security
team will receive a notification from OSS-Fuzz containing instructions
on how to reproduce the bug, and the bug can be fixed.
Writing additional fuzzers consists of:
- Implement a function 'FuzzerRunOne(FuzzerInput)'
- Do something with FuzzerInput, which is a bytes() object and
consists of pseudo-random data generated by the fuzzing engine
- Raise an (uncaught) exception if something is amiss, e.g. an HTML
escape function that returns valid HTML tags (try parsing the output
with BeautifulSoup, for example) from a crafted input
Some basic constraints: the fuzzer must:
1. Not be very slow
2. Be deterministic
3. Preferably not use file/network I/O or fork other processes (this
could affect 1 and 2)
If you are keen, I can help you get things set up (and to be clear, I
don't need a cut of the reward for that. Just happy to see my fuzzers
put to good use). You won't need to touch C/C++ or other code;
implementing dynamic tests in Python is sufficient.
[1] https://github.com/google/oss-fuzz
[2] https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
[3] https://github.com/guidovranken/django-fuzzers/blob/master/utils.py
> To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/CAHRQ%3D87016c3XEJSje1i%2BHZBfag%2BiyGVQXr5OX7xKr3QH2i_nA%40mail.gmail.com.
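As an added example, not part of the post above and not code from the django-fuzzers repository, here is a fuzz target in the 'FuzzerRunOne(FuzzerInput)' shape the post describes, applied to the HTML-escape case it mentions. It assumes the standard library's html.escape as a stand-in for django.utils.html.escape and uses the standard library's HTMLParser instead of BeautifulSoup so that it runs offline with nothing installed; the seed corpus and the deliberately sloppy attr_only_escape are constructed for illustration.

```python
# Added example (not from the original post or the django-fuzzers repo).
# Fuzz target in the FuzzerRunOne(FuzzerInput) shape described in the post.
# Assumptions: stdlib html.escape stands in for django.utils.html.escape, and
# stdlib HTMLParser stands in for BeautifulSoup, so this runs offline.
import html
from html.parser import HTMLParser


class _TagDetector(HTMLParser):
    """Records every tag the parser recognises in the escaped output."""

    def __init__(self):
        # convert_charrefs=False keeps &lt; as an entity reference rather than
        # turning it back into '<' before we inspect the markup.
        super().__init__(convert_charrefs=False)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.tags.append(tag)

    def handle_endtag(self, tag):
        self.tags.append(tag)


def find_tags(markup: str) -> list:
    """Return the tag names an HTML parser sees in `markup` (empty if none)."""
    parser = _TagDetector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def escape_under_test(text: str) -> str:
    # Stand-in for the real target (assumption, see lead-in).
    return html.escape(text)


def attr_only_escape(text: str) -> str:
    # Constructed, deliberately sloppy escaper: handles '&' and '"' but
    # forgets '<' and '>'. Exists only to show the harness catching a bug.
    return text.replace("&", "&amp;").replace('"', "&quot;")


def check_escape(escape_fn, FuzzerInput: bytes) -> bool:
    """One fuzz iteration against escape_fn.

    Returns True if the input exercised the target, False if it was discarded
    as undecodable. Raises on a violated property, which is what the fuzzing
    engine records as a finding.
    """
    # Invalid UTF-8 is an expected, uninteresting input: discard it the same
    # way every time (constraint 2, determinism) instead of raising.
    try:
        text = FuzzerInput.decode("utf-8")
    except UnicodeDecodeError:
        return False
    # Any uncaught exception raised by the target itself is a finding too.
    escaped = escape_fn(text)
    # Property 1: the escaped output must not contain anything an HTML
    # parser treats as a tag.
    tags = find_tags(escaped)
    if tags:
        raise AssertionError("escape output parses as markup %r: %r -> %r"
                             % (tags, text, escaped))
    # Property 2: unescaping must round-trip to the original input, i.e. the
    # escaper did not drop or mangle characters.
    if html.unescape(escaped) != text:
        raise AssertionError("escape/unescape round-trip failed for %r" % text)
    return True


def FuzzerRunOne(FuzzerInput: bytes) -> None:
    """Entry point in the shape the fuzzing engine calls."""
    check_escape(escape_under_test, FuzzerInput)


def yields_finding(escape_fn, FuzzerInput: bytes) -> bool:
    """Local helper: True if the harness would report this input as a bug."""
    try:
        check_escape(escape_fn, FuzzerInput)
    except AssertionError:
        return True
    return False


# Constructed seed corpus for a local, deterministic smoke run. On OSS-Fuzz
# the engine supplies and mutates the inputs; this is only for running the
# harness by hand.
SEED_CORPUS = [
    b"<script>alert(1)</script>",
    b"&amp;&lt;&gt;&quot;&#x27;",        # already-escaped input must not be unescaped
    b'"onmouseover="alert(1)',           # attribute break-out attempt
    b"plain text",
    b"\xff\xfe",                         # invalid UTF-8: discarded, not a finding
]


def run_seeds(escape_fn, seeds) -> int:
    """Run the harness over `seeds`; return how many inputs reached the target."""
    return sum(1 for s in seeds if check_escape(escape_fn, s))


if __name__ == "__main__":
    print("inputs exercised:", run_seeds(escape_under_test, SEED_CORPUS))
    print("sloppy escaper caught:",
          yields_finding(attr_only_escape, SEED_CORPUS[0]))
```

The two property checks are the part worth copying: a crash-only harness finds exceptions and hangs, but a target that silently returns unsafe output only shows up if the harness parses the result and raises on its own. Keeping the decode failure as a silent return rather than an exception is what keeps the target deterministic and free of noise findings.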