Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security initiative in December 2023: fuzzing Nodejs: https://github.com/google/oss-fuzz/tree/master/projects/nodejs #1159

Open
Amir-Montazery opened this issue Nov 23, 2023 · 8 comments

Comments

@Amir-Montazery
Copy link

Per discussion with the security wg at the 11/23/2023 wg meeting, an issue has been created to kick off and help track the fuzzing security initiative scheduled for December 2023. A general description of the work to be done can be found at: #1146.

We plan on working with David Korczynski (https://github.com/DavidKorczynski) on this initiative.

@AdamKorcz
Copy link

Hi all, we have started the fuzzing work for Node with the following three PRs:

  1. test: fix broken env fuzzer by initializing process  node#51080
  2. test: add fuzzer for ClientHelloParser node#51088
  3. test: add fuzzer for native/js string conversion node#51120

We plan to add more fuzz coverage of native code primarily for now. In addition, I have added myself to the contact list of Nodes OSS-Fuzz integration: https://github.com/google/oss-fuzz/blob/3c4e2c6724f7d6f090b085f1c28d937bdeaf3918/projects/nodejs/project.yaml#L10 so I can keep track of the feedback from the added fuzzers. We will add new fuzzers in the same manner as the three PRs above.

In addition, we are also looking at the fuzz coverage of Nodes core dependencies to assess which improvements we can make there.

@marco-ippolito
Copy link
Member

Hi @AdamKorcz great job, where can we see the reports?

@AdamKorcz
Copy link

Hi @AdamKorcz great job, where can we see the reports?

All email addresses in this file have access to findings: https://github.com/google/oss-fuzz/blob/master/projects/nodejs/project.yaml

It will need to be an email address associated with a Google account.

Copy link
Contributor

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.

@github-actions github-actions bot added the stale label Mar 14, 2024
@RafaelGSS
Copy link
Member

@Amir-Montazery @AdamKorcz Could we have some update about the fuzzing progress?

@Amir-Montazery
Copy link
Author

I can provide a quick update in the 2024-04-11 meeting and have also invited AdamKorcz to the next security-wg meeting.

Copy link
Contributor

This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.

@github-actions github-actions bot added the stale label Aug 22, 2024
@Amir-Montazery
Copy link
Author

Thank you for your patience everyone. I believe we have everything we need to close out the engagement with the updated report from Aug 28th. Shall I join the next meeting to finalize with the group? I believe there is a session scheduled for September 4th. Thank you in advance!

@github-actions github-actions bot removed the stale label Aug 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants