[ https://issues.apache.org/jira/browse/THRIFT-5855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17947701#comment-17947701 ]
Hasnain Lakhani commented on THRIFT-5855:
-----------------------------------------

hi [~jensg] – I'm almost complete with the initial work on this task (have code changes complete, but I need to clean up some documentation + split my large commit). Given the security-sensitive nature of this work, though, I have some questions that are best left for a private discussion. Do you know how I can reach the right folks? Without being too detailed, the questions break down into a few buckets:

* Code style/idiomatic-ness questions (this I'm happy to discuss in public on the PRs themselves)
* What the right time is to put up the fuzzers publicly (following up from prior email threads that spawned this task) - in particular I think there is potentially some value to fuzzing before the next releases are cut (even if I just run them locally). Your call, though.
* Specific questions about bugs that I hit when fuzzing that I don't think are quite security bugs (but they do block fuzzer progress). Just worried about getting it wrong and accidentally making a bug public.

Or if this ticket (or some other public channel) is an OK place to discuss it, happy to discuss here.

> Improve fuzzing support
> ------------------------
>
> Key: THRIFT-5855
> URL: https://issues.apache.org/jira/browse/THRIFT-5855
> Project: Thrift
> Issue Type: Epic
> Reporter: Hasnain Lakhani
> Assignee: Hasnain Lakhani
> Priority: Major
>
> Improve fuzzing support so we can make the generated code more robust. In particular, thrift is currently fuzzed on oss-fuzz, but:
> * the build is failing
> * it only supports go
> * and that fuzzer isn't optimal either
>
> This ticket will be considered complete when there are fuzzers for all the supported languages on oss-fuzz:
>
> * c
> * c++
> * Rust
> * Go
> * Swift
> * Python
> * Javascript
> * Java/JVM (and all of the supported thrift JVM languages here)
>
> Other languages are out of scope.
>
> For each language, we want at bare minimum:
> * a fuzzer that just deserializes a structure from fuzzer input
> * one that ensures things round trip properly
> ... for each of the supported protocols (e.g. binary/compact).
> For languages where this is easy, we should add structure-aware fuzzing support, and/or also test the networking code.
> Then, further improve the fuzzers by adding corpora, dictionaries, and doing fuzz introspector inspection.
>
> I'll update this ticket/file sub-tickets as the work progresses.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
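A minimal form of the two harnesses the ticket asks for (decode a struct from fuzzer bytes, then check it round-trips), as an added example that is not part of this Jira thread or of the Thrift project's code. The codec is a hand-written subset of the Thrift binary protocol (i16/i32/i64/string fields only), and `MAX_LEN` is an assumed limit, not a Thrift setting:

```python
import struct

# Thrift binary-protocol type codes (from the spec); this codec is a hand-written subset, not the Thrift library
T_STOP, T_I16, T_I32, T_I64, T_STRING = 0, 6, 8, 10, 11
INT_FMT = {T_I16: ">h", T_I32: ">i", T_I64: ">q"}
MAX_LEN = 1 << 20  # assumed cap: a hostile length prefix must not drive a huge allocation
class DecodeError(ValueError):
    """Malformed input: the fuzzer treats this as a clean rejection, not a finding."""
def _take(data, pos, size):
    # every read is bounds-checked; negative or oversized lengths are rejected, not trusted
    if size < 0 or size > MAX_LEN or pos + size > len(data):
        raise DecodeError("bad length %d at offset %d" % (size, pos))
    return data[pos:pos + size], pos + size

def read_struct(data: bytes):
    """Decode one flat struct; returns ({field_id: (type, value)}, bytes_consumed)."""
    fields, pos = {}, 0
    while True:
        hdr, pos = _take(data, pos, 1)
        if hdr[0] == T_STOP:
            return fields, pos
        raw, pos = _take(data, pos, 2)
        ftype, fid = hdr[0], struct.unpack(">h", raw)[0]
        if ftype in INT_FMT:
            raw, pos = _take(data, pos, struct.calcsize(INT_FMT[ftype]))
            val = struct.unpack(INT_FMT[ftype], raw)[0]
        elif ftype == T_STRING:
            raw, pos = _take(data, pos, 4)
            val, pos = _take(data, pos, struct.unpack(">i", raw)[0])
        else:
            raise DecodeError("unknown type %d" % ftype)
        fields[fid] = (ftype, val)  # a repeated id overwrites, as a last-wins decoder would

def write_struct(fields) -> bytes:
    out = bytearray()
    for fid, (ftype, val) in fields.items():
        out += struct.pack(">Bh", ftype, fid)
        out += struct.pack(INT_FMT[ftype], val) if ftype in INT_FMT else struct.pack(">i", len(val)) + val
    return bytes(out) + bytes([T_STOP])

def fuzz_round_trip(data: bytes) -> str:
    """One fuzz iteration: decode, re-encode, decode again; 'rejected' for bad input, else 'ok'."""
    try:
        fields, _ = read_struct(data)
    except DecodeError:
        return "rejected"
    encoded = write_struct(fields)
    again, used = read_struct(encoded)  # an exception or mismatch here is a real codec bug
    if again != fields or used != len(encoded):
        raise AssertionError("round trip mismatch")
    return "ok"
```

A coverage-guided driver such as Atheris would call `fuzz_round_trip` on every input; `DecodeError` is the expected path for malformed bytes, while any other exception is a crash worth triaging.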