[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2019-07-08 Thread Guido Vranken


Guido Vranken  added the comment:

Hi,

I've built a generic Python fuzzer and submitted it to OSS-Fuzz.

It works by implementing a "def FuzzerRunOne(FuzzerInput):" function in Python 
in which some arbitrary code is run based on FuzzerInput, which is a bytes 
object.

This is a more versatile solution than the current re, json, csv fuzzers as it 
requires no custom C code and adding more fuzzing targets is as easy as writing 
a new harness in Python and adding a build rule.

Code coverage is measured at both the CPython level (*.c) and the Python level 
(*.py). CPython is compiled with AddressSanitizer. What this means is that both 
CPython memory bugs and Python library bugs (excessive memory consumption, 
hangs, slowdowns, unexpected exceptions) are expected to transpire.

You can see my current set of fuzzers here: 
https://github.com/guidovranken/python-library-fuzzers

The PR to OSS-Fuzz is https://github.com/google/oss-fuzz/pull/2567

Currently, the only Python maintainer who will be receiving automated bug 
reports is gpshead. Are there any other developers who normally process Python 
security bug reports and would like to receive notifications?

Feel free to respond directly in the OSS-Fuzz PR thread.

--
nosy: +Guido

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
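
A harness of the shape described in the message above, as an added example that is not taken from the linked repository or the OSS-Fuzz PR. Only the `FuzzerRunOne(FuzzerInput)` entry point comes from the message; the json target, the `MAX_INPUT` cap, the `check_json` and `run_corpus` helpers, the round-trip oracle and the sample inputs are assumptions made for illustration.

```python
import json

# Assumed cap on input size: bounds parse time and memory per iteration, so
# slow-but-legitimate inputs are not reported as hangs or memory blowups.
MAX_INPUT = 4096

# Exceptions json.loads may legitimately raise on malformed input.
# json.JSONDecodeError and UnicodeDecodeError are ValueError subclasses;
# RecursionError covers deeply nested arrays and objects.
EXPECTED = (ValueError, RecursionError)


def check_json(data):
    """Parse `data` (bytes) and check a round-trip invariant (hypothetical helper).

    Returns "skipped", "rejected" or "roundtrip-ok". Any other exception,
    including the AssertionError below, propagates and counts as a finding.
    """
    if len(data) > MAX_INPUT:
        return "skipped"
    try:
        obj = json.loads(data)
    except EXPECTED:
        return "rejected"
    try:
        # Compare serialized forms rather than objects: NaN != NaN would make
        # an object comparison fail on input the module handles correctly.
        first = json.dumps(obj)
        second = json.dumps(json.loads(first))
    except RecursionError:
        return "rejected"
    if first != second:
        raise AssertionError("json round-trip is not stable: %r" % (data,))
    return "roundtrip-ok"


def FuzzerRunOne(FuzzerInput):
    """Entry point with the signature given in the message; input is bytes."""
    check_json(FuzzerInput)


def run_corpus(inputs):
    """Local stand-in for the fuzzing engine: run each input, record outcome."""
    report = []
    for data in inputs:
        try:
            outcome = check_json(data)
        except Exception as exc:  # what the fuzzer would report as a crash
            outcome = "FINDING: " + type(exc).__name__
        report.append((data, outcome))
    return report


# Constructed sample inputs, not taken from any real corpus.
SAMPLES = [
    b'{"a": [1, 2.5, "x"]}',    # well-formed document
    b'{"a": ',                  # truncated document
    b"\x80abc",                 # not valid UTF-8
    b"NaN",                     # accepted by default, not equal to itself
    b"[" * 2000,                # deep nesting, never closed
    b"7" * (MAX_INPUT + 1),     # over the size cap
]

if __name__ == "__main__":
    for data, outcome in run_corpus(SAMPLES):
        print(outcome, data[:24])
```
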



[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2019-06-30 Thread miss-islington


miss-islington  added the comment:


New changeset ffcc161c753a72e7c4237c1e3c433d47b020978e by Miss Islington (bot) 
in branch '3.8':
bpo-29505: Add more fuzzing for re.compile, re.load and csv.reader (GH-14255)
https://github.com/python/cpython/commit/ffcc161c753a72e7c4237c1e3c433d47b020978e


--




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2019-06-29 Thread miss-islington


Change by miss-islington :


--
pull_requests: +14296
pull_request: https://github.com/python/cpython/pull/14479




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2019-06-29 Thread Gregory P. Smith


Gregory P. Smith  added the comment:


New changeset 5cbbbd73a6acb6f96f5d6646aa7498d3dfb1706d by Gregory P. Smith 
(Ammar Askar) in branch 'master':
bpo-29505: Add more fuzzing for re.compile, re.load and csv.reader (GH-14255)
https://github.com/python/cpython/commit/5cbbbd73a6acb6f96f5d6646aa7498d3dfb1706d


--




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2019-06-29 Thread miss-islington


Change by miss-islington :


--
pull_requests: +14295
pull_request: https://github.com/python/cpython/pull/14478




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2019-06-19 Thread Ammar Askar


Change by Ammar Askar :


--
pull_requests: +14085
pull_request: https://github.com/python/cpython/pull/14255




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2019-06-11 Thread miss-islington


miss-islington  added the comment:


New changeset 878227e7217f3363f9c095b7fb8c1dbdde1ec34f by Miss Islington (bot) 
in branch '3.8':
bpo-29505: Fuzz json module, enforce size limit on int(x) fuzz (GH-13991)
https://github.com/python/cpython/commit/878227e7217f3363f9c095b7fb8c1dbdde1ec34f


--




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2019-06-11 Thread miss-islington


miss-islington  added the comment:


New changeset 534136ac6790a701e24f364a9b7f1e34bf5f3ce7 by Miss Islington (bot) 
in branch '3.7':
bpo-29505: Fuzz json module, enforce size limit on int(x) fuzz (GH-13991)
https://github.com/python/cpython/commit/534136ac6790a701e24f364a9b7f1e34bf5f3ce7


--




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2019-06-11 Thread Gregory P. Smith


Gregory P. Smith  added the comment:


New changeset a6e190e94b47324f14e22a09200c68b722d55699 by Gregory P. Smith 
(Ammar Askar) in branch 'master':
bpo-29505: Fuzz json module, enforce size limit on int(x) fuzz (GH-13991)
https://github.com/python/cpython/commit/a6e190e94b47324f14e22a09200c68b722d55699


--




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2019-06-11 Thread miss-islington


Change by miss-islington :


--
pull_requests: +13869
pull_request: https://github.com/python/cpython/pull/14006




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2019-06-11 Thread miss-islington


Change by miss-islington :


--
pull_requests: +13868
pull_request: https://github.com/python/cpython/pull/14005




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2019-06-11 Thread Ammar Askar


Change by Ammar Askar :


--
pull_requests: +13854
pull_request: https://github.com/python/cpython/pull/13991




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2019-06-08 Thread miss-islington


miss-islington  added the comment:


New changeset 6692d35317a45905a043dccae3940ea5d5d84352 by Miss Islington (bot) 
in branch '3.7':
bpo-29505: Fix interpreter in fuzzing targets to be relocatable (GH-13907)
https://github.com/python/cpython/commit/6692d35317a45905a043dccae3940ea5d5d84352


--




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2019-06-08 Thread miss-islington


miss-islington  added the comment:


New changeset 22b69da4c38042e923d633530bdafc1b5fb94928 by Miss Islington (bot) 
in branch '3.8':
bpo-29505: Fix interpreter in fuzzing targets to be relocatable (GH-13907)
https://github.com/python/cpython/commit/22b69da4c38042e923d633530bdafc1b5fb94928


--
nosy: +miss-islington




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2019-06-08 Thread miss-islington


Change by miss-islington :


--
pull_requests: +13788
pull_request: https://github.com/python/cpython/pull/13915




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2019-06-08 Thread miss-islington


Change by miss-islington :


--
pull_requests: +13787
pull_request: https://github.com/python/cpython/pull/13914




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2019-06-08 Thread Gregory P. Smith


Gregory P. Smith  added the comment:


New changeset a15a7bcaea54e1845ab2abe27e6f583294cd715b by Gregory P. Smith 
(Ammar Askar) in branch 'master':
bpo-29505: Fix interpreter in fuzzing targets to be relocatable (GH-13907)
https://github.com/python/cpython/commit/a15a7bcaea54e1845ab2abe27e6f583294cd715b


--




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2019-06-07 Thread Ammar Askar


Change by Ammar Askar :


--
pull_requests: +13780
pull_request: https://github.com/python/cpython/pull/13907




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2017-09-11 Thread R. David Murray

R. David Murray added the comment:

Seems like it ought to be possible to use the same hooks that venv uses to make 
this work, but I haven't looked at the details of how those work.

--
nosy: +r.david.murray




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2017-09-11 Thread Devin Jeanpierre

Devin Jeanpierre added the comment:

Oops, so it is. I can't read apparently.

I'll spend my time on making more fuzz tests in the meantime.

--




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2017-09-11 Thread Gregory P. Smith

Gregory P. Smith added the comment:

misquote.  that was me objecting to running it internally. :)

i believe this is solvable, i haven't had time to spend on this part yet.

--




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2017-09-11 Thread Devin Jeanpierre

Devin Jeanpierre added the comment:

kcc strongly disagrees though. Copying latest comment:

"""
fwiw - I object to us running any of this internally at Google. We need to be 
part of the main oss-fuzz project pulling from upstream revisions. Doing this 
testing within our blackhole of internal stuff adds more work for us internally 
(read: which we're not going to do) and wouldn't provide results feedback to 
the upstream CPython project in a useful timely manner.

We must figure out how to get this to build and run on the external oss-fuzz 
infrastructure
"""

--




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2017-09-11 Thread Devin Jeanpierre

Devin Jeanpierre added the comment:

> i'd rather make this work in oss-fuzz on cpython.  can you point me to how 
> oss-fuzz works and what it wants to do so i can better understand what it 
> needs?

I don't have any details except for what's in the PR to oss-fuzz 
(https://github.com/google/oss-fuzz/pull/731). My understanding matches what 
you've said so far:

Python is built to one directory (/out/), but then needs to be run from another 
directory (/out/ is renamed to /foo/bar/baz/out/). We need python to still 
work. I have no idea how to do this.

The only suggestion on #python-dev IRC was to statically link a libpython.a, 
but this doesn't avoid needing to import libraries like "encodings" 
dynamically, so they still need to be locatable on disk.

Is there a way to build python so that it doesn't use absolute paths to 
everything, and so that the install can be moved at will? Or is there a way to 
tell it that it was moved at runtime? (I am unconvinced PYTHONPATH is a 
maintainable solution, if it works at all...)


oss-fuzz is not going to change away from its model (I asked if they could, 
they said no), so we're stuck with making Python compatible with it one way or 
another.  This is why I am so drawn to running the test internally on Google's 
infrastructure anyway: we already _did_ all this work already, via hermetic 
python. Doing it a second time, but worse, seems annoying.

--




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2017-09-08 Thread Gregory P. Smith

Gregory P. Smith added the comment:

i'd rather make this work in oss-fuzz on cpython.  can you point me to how 
oss-fuzz works and what it wants to do so i can better understand what it needs?

if it has an expectation that the thing being fuzzed is a single binary with no 
data or directory tree layout dependencies that can just be plopped somewhere 
else, that is not a great assumption to make.

but environment variables _should_ be able to be set to point the python binary 
at what it needs if it must work that way.

--




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2017-09-08 Thread Devin Jeanpierre

Devin Jeanpierre added the comment:

So here's an interesting issue: oss-fuzz requires that the built location be 
movable. IOW, we build Python into $OUT, and then the $OUT directory gets moved 
somewhere else and the fuzz test gets run from there. This causes problems 
because Python can no longer find where the modules it needs are (encodings for 
example).

First thought: wouldn't it be nice if we could make a prepackaged and hermetic 
executable that we can move around freely?

Second thought: isn't that "Hermetic Python", as used within Google?

Third thought: doesn't Google have an internal fuzz testing environment we can 
use, instead of oss-fuzz?

So unless someone says this is a bad idea, I'd propose we not run these in 
oss-fuzz and instead run them in Google proper. The alternative is if there's a 
way to make it easy to move Python around -- is there a way to build it s.t. 
the import path is relative and so on?

--




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2017-09-07 Thread Devin Jeanpierre

Changes by Devin Jeanpierre :


--
keywords: +patch
pull_requests: +3434
stage: test needed -> patch review




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2017-09-06 Thread Devin Jeanpierre

Changes by Devin Jeanpierre :


--
pull_requests: +3412




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2017-09-06 Thread Devin Jeanpierre

Devin Jeanpierre added the comment:

Huh. I would not have predicted that.

https://gcc.gnu.org/onlinedocs/cpp/Defined.html

I'll send a fix.

--




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2017-09-06 Thread Christian Heimes

Christian Heimes added the comment:

GCC complains about the patch:

/home/heimes/dev/python/cpython/Modules/_xxtestfuzz/fuzzer.c: In function ‘LLVMFuzzerTestOneInput’:
/home/heimes/dev/python/cpython/Modules/_xxtestfuzz/fuzzer.c:109:1: warning: this use of "defined" may not be portable [-Wexpansion-to-defined]
 #if _Py_FUZZ_YES(fuzz_builtin_float)
 ^~~
/home/heimes/dev/python/cpython/Modules/_xxtestfuzz/fuzzer.c:109:1: warning: this use of "defined" may not be portable [-Wexpansion-to-defined]
/home/heimes/dev/python/cpython/Modules/_xxtestfuzz/fuzzer.c:112:1: warning: this use of "defined" may not be portable [-Wexpansion-to-defined]
 #if _Py_FUZZ_YES(fuzz_builtin_int)
 ^
/home/heimes/dev/python/cpython/Modules/_xxtestfuzz/fuzzer.c:112:1: warning: this use of "defined" may not be portable [-Wexpansion-to-defined]
/home/heimes/dev/python/cpython/Modules/_xxtestfuzz/fuzzer.c:115:1: warning: this use of "defined" may not be portable [-Wexpansion-to-defined]
 #if _Py_FUZZ_YES(fuzz_builtin_unicode)
 ^
/home/heimes/dev/python/cpython/Modules/_xxtestfuzz/fuzzer.c:115:1: warning: this use of "defined" may not be portable [-Wexpansion-to-defined]

--




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2017-09-06 Thread Gregory P. Smith

Gregory P. Smith added the comment:

alright, with that in, feel free to figure out the oss-fuzz configuration side 
and fire things up Devin. :)

--
assignee:  -> gregory.p.smith




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2017-09-06 Thread Gregory P. Smith

Gregory P. Smith added the comment:


New changeset c5bace2bf7874cf47ef56e1d8d19f79ad892eef5 by Gregory P. Smith 
(Devin Jeanpierre) in branch 'master':
bpo-29505: Add fuzz tests for float(str), int(str), unicode(str) (#2878)
https://github.com/python/cpython/commit/c5bace2bf7874cf47ef56e1d8d19f79ad892eef5


--




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2017-07-25 Thread Devin Jeanpierre

Devin Jeanpierre added the comment:

I think they misspoke, it's normal with fuzzing to test against master. The 
current draft of the code runs this git pull before building/launching any 
tests:

git clone --depth 1 https://github.com/python/cpython.git cpython

Speaking of which, I forgot to update this bug thread with the followup PR to 
actually run CPython's fuzz tests (when they exist): 
https://github.com/google/oss-fuzz/pull/731. That's where I grabbed the git 
clone statement from. I think that will be merged after some version of PR 2878 
lands in CPython (still in code review / broken).



For Python 2 I guess it's different, and we will test against the 2.7 branch, 
right?

--




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2017-07-25 Thread Terry J. Reedy

Terry J. Reedy added the comment:

As I read 583, they are planning to fuzz 3.6.  Why not branch master?  I think 
it more likely that we accidentally add a vulnerability to master than that we 
accidentally close one.

--




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2017-07-25 Thread Devin Jeanpierre

Changes by Devin Jeanpierre :


--
pull_requests: +2929




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2017-05-09 Thread Devin Jeanpierre

Devin Jeanpierre added the comment:

https://github.com/google/oss-fuzz/pull/583 is the PR to oss-fuzz to add the 
project. I'm working on actual tests to be submitted here.

--




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2017-05-08 Thread Gregory P. Smith

Gregory P. Smith added the comment:

you can list me as an oss-fuzz contact.  use my work email address.

simplejson is worthy but as both it and the python standard library ship 
separately people use both so they both ultimately deserve fuzzing and fixing 
on their own so I'd add it to CPython as well.

--




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2017-05-02 Thread Devin Jeanpierre

Devin Jeanpierre added the comment:

Aha, I found an existing issue!

For adding to oss-fuzz, is there a contact email we can use that is connected 
to a google account? I am tempted to just put gregory.p.smith on there if not. 
:)




I can volunteer to fuzz some interesting subset of the stdlib. The list I've 
come up with (by counting uses in my code) is:

the XML parser (which seems to be written in C)
struct (unpack)
the various builtins that parse strings (like int())
hashlib
binascii
datetime's parsing
json


I'd also suggest the ast module, since people do use ast.literal_eval on 
untrusted strings, but I probably won't do that one myself.



I wrote a fuzz test for json via upstream simplejson, but the bug on github is 
getting stale: https://github.com/simplejson/simplejson/issues/163

Should I add it to CPython instead?



> We should investigate creating fuzz targets for the Python re module (_sre.c) 
> at a minimum.

If we prioritize based on security risk, I'd argue that this is lower priority 
than things like json's speedup extension module, because people should 
generally not pass untrusted strings to the re module: it's very easy to DOS a 
service with regexes unless you're using RE2 or similar -- which is fuzzed.  In 
contrast, json is supposed to accept untrusted input and people do that very 
often.

(OTOH, I would be willing to bet that fuzzing re will yield more bugs than 
fuzzing json.)

--
nosy: +Devin Jeanpierre




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2017-02-17 Thread Alex Gaynor

Changes by Alex Gaynor :


--
nosy: +alex




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2017-02-10 Thread Terry J. Reedy

Terry J. Reedy added the comment:

It does not appear to me that targets have to be security critical, though that 
is certainly a good place to start.  The Chrome tests found 100s of "security 
vulnerabilities and stability bugs".

The important thing is that there be someone willing to receive and act on 
reports.  Would 'make public after 90 days' ever be a problem?  AFAIK, most 
Python security issues are already public here on the tracker from day 1.

--
nosy: +terry.reedy




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2017-02-09 Thread Brett Cannon

Changes by Brett Cannon :


--
nosy: +brett.cannon, christian.heimes




[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

2017-02-08 Thread Gregory P. Smith

New submission from Gregory P. Smith:

For reference, read https://github.com/google/oss-fuzz.

We should investigate creating fuzz targets for the Python re module (_sre.c) 
at a minimum.  There are probably other good targets as well such as _json.c 
and _csv.c.

pickle and marshal are not intended to be secure so ignore those.

--
messages: 287363
nosy: gregory.p.smith
priority: normal
severity: normal
stage: test needed
status: open
title: Submit the re, json, & csv modules to oss-fuzz testing
type: security
versions: Python 2.7, Python 3.6, Python 3.7
