[mapserver-dev] Fuzzing MapServer
Jeff McKenna
jmckenna at gatewaygeomatics.com
Thu Apr 15 11:33:32 PDT 2021
Here are the specific requirements to join Google's OSS-Fuzz infrastructure:

- To be accepted to OSS-Fuzz, an open-source project must have a
  significant user base and/or be critical to the global IT infrastructure
- To apply:
  - Create a pull request with a new
    projects/<project_name>/project.yaml file (example):
    https://github.com/google/oss-fuzz/tree/master/projects/libarchive/project.yaml
  - In the file, provide the following information:
    - Your project’s homepage.
    - An email address for the engineering contact to be CCed on
      new issues, satisfying the following:
      - The address belongs to an established project committer
        (according to VCS logs). If the address isn’t you, or if the address
        differs from VCS, we’ll require an informal email verification.
      - The address is associated with a Google account (why?).
        If you use an alternate email address linked to a Google Account,
        you’ll only get access to filed bugs in the issue tracker, not to the
        ClusterFuzz dashboard. This is due to appengine API limitations.

source:
https://google.github.io/oss-fuzz/getting-started/accepting-new-projects/

Worth a try! -jeff
On 2021-04-15 2:56 p.m., Jeff McKenna wrote:
> Hi Steve, I've followed other projects closely as they work through
> this, count me in as well, I think a team effort is needed for this as
> it seems to be a lot of work. Google's "OSS-Fuzz" was launched in 2017
> and most of the big players jumped on board. I'm all for using Google's
> tools for this, use the elephant in the room.
>
> For some readers out there who might not understand what this 'fuzz'
> thing means, I like this basic description:
>
> "Fuzzing has been around for donkeys’ years and can best be described as
> a way of robotically bombarding software with random data in an attempt
> to cause the sort of unusual crashes and errors that mimic how programs
> behave under real-world use." source:
> https://nakedsecurity.sophos.com/2017/05/17/how-big-fuzzing-helps-find-holes-in-open-source-projects/
>
> -jeff
>
> On 2021-04-15 2:28 p.m., Steve Lime wrote:
>> I hear what you're saying from a release standpoint. I guess I could
>> have said "initiate a fuzzing effort" as part of the 8.0 release. I
>> like your idea to concentrate on the query string, that represents a
>> pretty big surface depending on what the fixed mapfile contains. With
>> oss-fuzz there's a time limit on certain types of bugs before
>> public disclosure, correct? That's a bit worrisome if you got slammed
>> and nobody was available to address bugs.
>>
>> Are there alternatives to oss-fuzz that could be considered (Seth
>> referenced one of them)?
>>
>> Funding would be great although our only source of $'s at the moment
>> is the OSGeo project budget which is really small and partially
>> committed to the TravisCI subscription. Unless there's someone out
>> there that's listening that would like to fund an effort like this.
>> It's definitely something I'd like to work on.
>>
>> --Steve
>>