- Notifications
You must be signed in to change notification settings - Fork30
Quality assurance testing for the curl project
License
curl/curl-fuzzer
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
Code and corpora for curl and libcurl fuzzing.
This is the curl fuzzingOSS-Fuzz runs for us, non-stop.
Great! Run./mainline.sh. It will download you a fresh copy of curl, compileit withclang, install it to a temporary directory, then compile the fuzzeragainst curl. It'll also run the regression testcases.
If you have a local copy of curl that you want to use instead, pass the path asan argument to./mainline.sh. It will compile and install that curl to atemporary directory instead.
./mainline.sh is run regressibly by Github Actions.
Setting theFUZZ_VERBOSE environment variable turns on curl verbose logging.This can be useful when debugging a single testcase.
The public corpus links for each target should be accessible here:
- curl_fuzzer_dict
- curl_fuzzer_file
- curl_fuzzer_ftp
- curl_fuzzer_gopher
- curl_fuzzer_http
- curl_fuzzer_https
- curl_fuzzer_imap
- curl_fuzzer_ldap
- curl_fuzzer_mqtt
- curl_fuzzer_pop3
- curl_fuzzer_rtmp
- curl_fuzzer_rtsp
- curl_fuzzer_scp
- curl_fuzzer_sftp
- curl_fuzzer_smb
- curl_fuzzer_smtp
- curl_fuzzer_tftp
- curl_fuzzer_ws
- curl_fuzzer
- fuzz_url: no public link yet.
Check outREPRODUCING.md for more detailed instructions.
- Create a virtual environment using your favourite method.
- For example:
python3 -m venv .venv
- For example:
- Within that virtual environment, from the root directory of this repository, install the tooling with
pip install. - Alternatively you can use
uv; eitherto sync your environment, oruv syncuv pip install -e.directly.uv run<tool>
To look at the contents of a testcase, run
read_corpus<path/to/file>
This will print out a list of contents inside the file.
To generate a new testcase, run
generate_corpus
with appropriate options - pass--help for all options.
Wonderful! Here's a bit of information you may need to know.
Testcases are written in a Type-Length-Value or TLV format. Each TLV has:
- 16 bits for the Type
- 32 bits for the Length of the TLV data
- 0 - length bytes of data.
TLV type numbers are defined in both corpus.py and curl_fuzzer.h.
To add a new TLV:
- Add support for it in the Python scripts:
generate_corpus.py,corpus.py.This means adding options for reading the value of the TLV from the user (orfrom a file, or from test data) - Add support for it in the fuzzer:
curl_fuzzer.cc,curl_fuzzer.h. Thislikely means adding handling of the TLV tofuzz_parse_tlv(). - Ensure that
FUZZ_CURLOPT_TRACKER_SPACEcan encompass your additional TLVs! - If you decide to change a TLV number after you have created it and havegenerated test cases before you changed the TLV, rerun the test casegeneration to ensure your current TLV numbering maps your test cases as youexpect.