[ https://issues.apache.org/jira/browse/THRIFT-5855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17948361#comment-17948361 ]
Hasnain Lakhani commented on THRIFT-5855:
-----------------------------------------

Hi [~jensg],

> Can we add c# as well or what is the rationale behind leaving it out? Or, to
> ask in another way, how hard will it be to add other language bindings later?

I initially focused on the list of languages supported by OSS-fuzz ([https://google.github.io/oss-fuzz/getting-started/new-project-guide/#language]) as those are languages I am comfortable with and know how to fuzz, and most importantly the project would get continuous fuzzing for free potentially (which is nice).

I've updated the ticket and added a TODO for also adding support for other languages that aren't as well supported yet. I can look into those in the future. We *should* fuzz these (quite sure they'd unearth bugs), but without continuous fuzzing infrastructure there may be bit-rot (or we'd need a volunteer to periodically run them).

To implement them (mostly as a note to self): 1) research the right fuzzer (e.g. for .net I found a potential lead), 2) confirm it works with thrift, and 3) actually write the fuzzers.

From experience it took me a full workday (6-8 hours) per language after the first one (which took significantly longer) as there's a lot of copy-paste. But I was familiar with the fuzzing tools for these languages. For a new language/tool, plus for someone without experience with fuzzing, I expect it may take 3-4 days of work to add new language bindings. Not impossible, but for a volunteer effort it may take a bit.

> For any information that potentially might not be shared on a public channel
> feel free to post to the private mailing list. Would that work for you?

Just to confirm, were you referring to the security@ mailing list, or is there a private one for the thrift PMC/committers? The lists I saw on [https://thrift.apache.org/mailing] were public.

> Improve fuzzing support
> ------------------------
>
> Key: THRIFT-5855
> URL: https://issues.apache.org/jira/browse/THRIFT-5855
> Project: Thrift
> Issue Type: Epic
> Reporter: Hasnain Lakhani
> Assignee: Hasnain Lakhani
> Priority: Major
>
> Improve fuzzing support so we can make the generated code more robust. In
> particular, thrift is currently fuzzed on oss-fuzz, but:
> * the build is failing
> * it only supports go
> * and that fuzzer isn't optimal either
>
> This ticket will be considered complete when there are fuzzers for all the
> supported languages on oss-fuzz:
> * c
> * c++
> * Rust
> * Go
> * Swift
> * Python
> * Javascript
> * Java/JVM (and all of the supported thrift JVM languages here)
>
> Other languages are _initially_ out of scope. As a follow up, do investigate
> fuzzing (even if not on oss-fuzz) for other languages, e.g. C#/ruby (TODO: Do
> a thorough investigation).
>
> For each language, we want at bare minimum:
> * a fuzzer that just deserializes a structure from fuzzer input
> * one that ensures things round trip properly
>
> ... for each of the supported protocols (e.g. binary/compact).
>
> For languages where this is easy, we should add structure aware fuzzing
> support, and/or also test the networking code.
>
> Then, further improve the fuzzers by adding corpora, dictionaries, and doing
> fuzz introspector inspection.
>
> I'll update this ticket/file sub-tickets as the work progresses.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
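
The two minimum harnesses the ticket asks for (deserialize a structure from fuzzer input, then check that it round trips), sketched as an added example that is not code from the ticket or from the Thrift project. It assumes a hand-written decoder for only the i32 and string fields of the binary protocol layout in place of Thrift-generated code; every name in it is hypothetical, and `run` stands in for a real fuzzing engine.

```python
import random
import struct

T_STOP, T_I32, T_STRING = 0, 8, 11  # binary-protocol type ids (subset)
# Constructed sample: field 1 = i32 7, field 2 = string "hi", then STOP.
SAMPLE = bytes.fromhex("08000100000007" "0b0002000000026869" "00")
class DecodeError(Exception): pass  # only error the decoder may raise

def decode_struct(data):
    """Decode a flat struct into {field_id: (type_id, value)}."""
    fields, pos = {}, 0
    def take(n):
        nonlocal pos
        if n < 0 or pos + n > len(data):  # negative or oversized length
            raise DecodeError("length outside buffer")
        pos += n
        return data[pos - n:pos]
    while True:
        ftype = take(1)[0]
        if ftype == T_STOP:
            return fields
        fid = struct.unpack(">h", take(2))[0]
        if ftype == T_I32:
            fields[fid] = (ftype, struct.unpack(">i", take(4))[0])
        elif ftype == T_STRING:
            fields[fid] = (ftype, take(struct.unpack(">i", take(4))[0]))
        else:
            raise DecodeError("unsupported field type %d" % ftype)

def encode_struct(fields):
    out = bytearray()
    for fid, (ftype, value) in fields.items():
        head = struct.pack(">bhi", ftype, fid, value if ftype == T_I32 else len(value))
        out += head + (value if ftype == T_STRING else b"")
    return bytes(out) + bytes([T_STOP])

def fuzz_one(data):
    try:
        first = decode_struct(data)  # harness 1: deserialize fuzzer input
    except DecodeError:
        return False  # clean rejection; any other exception is a finding
    assert decode_struct(encode_struct(first)) == first  # harness 2: round trip
    return True

def run(iterations=500, seed=0):
    rng, accepted = random.Random(seed), 0
    for _ in range(iterations):  # stand-in for a fuzzing engine
        i = rng.randrange(len(SAMPLE))  # one-byte mutation of the seed input
        accepted += fuzz_one(SAMPLE[:i] + bytes([rng.randrange(256)]) + SAMPLE[i + 1:])
    return accepted
```

The round-trip check compares decoded values rather than raw bytes, because trailing bytes after STOP and repeated field ids decode to the same structure without re-encoding to the same input.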