[mapserver-dev] Fuzzing MapServer
Jeff McKenna
jmckenna at gatewaygeomatics.com
Thu Apr 15 10:56:50 PDT 2021

Hi Steve, I've followed other projects closely as they work through
this, count me in as well, I think a team effort is needed for this as
it seems to be a lot of work. Google's "OSS-Fuzz" was launched in 2017
and most of the big players jumped on board. I'm all for using Google's
tools for this, use the elephant in the room.

For some readers out there who might not understand what this 'fuzz'
thing means, I like this basic description:

"Fuzzing has been around for donkeys’ years and can best be described as
a way of robotically bombarding software with random data in an attempt
to cause the sort of unusual crashes and errors that mimic how programs
behave under real-world use."

source:
https://nakedsecurity.sophos.com/2017/05/17/how-big-fuzzing-helps-find-holes-in-open-source-projects/

-jeff

On 2021-04-15 2:28 p.m., Steve Lime wrote:
> I hear what you're saying from a release standpoint. I guess I could
> have said "initiate a fuzzing effort" as part of the 8.0 release. I like
> your idea to concentrate on the query string, that represents a pretty
> big surface depending what the fixed mapfile contains. With oss-fuzz
> there's a time limit on certain types of bugs before public disclosure,
> correct? That's a bit worrisome if you got slammed and nobody was
> available to address bugs.
>
> Are there alternatives to oss-fuzz that could be considered (Seth
> referenced one of them)?
>
> Funding would be great although our only source of $'s at the moment is
> the OSGeo project budget which is really small and partially committed
> to the TravisCI subscription. Unless there's someone out there that's
> listening that would like to fund an effort like this. It's definitely
> something I'd like to work on.
>
> --Steve
>