Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gix-url fix #1402

Merged
merged 2 commits into from
Jun 19, 2024
Merged

gix-url fix #1402

merged 2 commits into from
Jun 19, 2024

Conversation

Byron
Copy link
Member

@Byron Byron commented Jun 16, 2024
edited
Loading

Reproduce a URL parsing overflow when using the latest version of the url crate.

This one probably needs to be fixed in idna.

Ideally, this would be solved by adding clusterfuzz support to the idna crate, for which gitoxide is acting like a proxy now.

Tasks

  • wait for the upstream PR to be merged
  • wait for new release.
  • rerun CI with updated version of idna crate.

@Byron
reproduce url parsing issue discovered by cluserfuzz.
594b488 
It's notable that this happens with `url` 2.5.1 which comes with
`idna` 1.0. It contains many fixes, for instance it seems to not
be vulnerable anymore to long input, but it fails with a seemingly
simple URL.
@Byron Byron mentioned this pull request Jun 16, 2024
Merged
@Byron
Copy link
Member Author

Byron commented Jun 16, 2024

@DaveLak This is a wonderful example of gitoxide being a proxy-fuzz-target for the upstream url crate. Maybe this crate would be a great place to start fuzzing an incredibly high-value Rust crate - nearly 200m downloads and something that naturally has to deal with untrusted input all the time.

That would also help gitoxide as it might not be a proxy anymore, and if clusterfuzz would start fuzzing the url crate (and related crates), those would get much more fuzzing time to increase the chances of finding issues in the parser.

@Byron Byron linked an issue Jun 16, 2024 that may be closed by this pull request
OSS-Fuzz issue 69636 #1401
Closed
@Byron Byron added the blocked Issue can't progress due to external dependencies label Jun 16, 2024
@Byron Byron merged commit 34eb0c9 into main Jun 19, 2024
19 checks passed
@Byron Byron deleted the fix-url-parse branch June 19, 2024 12:56
@DaveLak
Copy link

DaveLak commented Jul 27, 2024

@Byron , thanks for the ping and the insight! This is very interesting to me!

I'm planning on taking my first shot at fuzzing contributions on this repo in the second half of August, so I may very well start here!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
blocked Issue can't progress due to external dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

OSS-Fuzz issue 69636
2 participants
@Byron @DaveLak