f51ef1b52e
This commit introduces a fuzz test for the `Decode` function in the `trix` package. This test immediately uncovered a critical out-of-memory (OOM) vulnerability. - Adds a new fuzz test, `FuzzDecode`, to `pkg/trix/fuzz_test.go` to continuously test the `Decode` function with a wide range of malformed inputs. - Fixes a denial-of-service vulnerability where a malicious input could specify an extremely large header length, causing the application to crash due to an out-of-memory error. - Introduces a `MaxHeaderSize` constant (16MB) and a check in the `Decode` function to ensure that the header length does not exceed this limit. - Adds a new error, `ErrHeaderTooLarge`, to provide clear feedback when the header size limit is exceeded.
34 lines
933 B
Go
34 lines
933 B
Go
package trix
|
|
|
|
import (
|
|
"testing"
|
|
)
|
|
|
|
func FuzzDecode(f *testing.F) {
|
|
// Seed with a valid encoded Trix object
|
|
validTrix := &Trix{
|
|
Header: map[string]interface{}{"content_type": "text/plain"},
|
|
Payload: []byte("hello world"),
|
|
}
|
|
validEncoded, _ := Encode(validTrix, "FUZZ")
|
|
f.Add(validEncoded)
|
|
|
|
// Seed with the corrupted header length from the ugly test
|
|
var buf []byte
|
|
buf = append(buf, []byte("UGLY")...)
|
|
buf = append(buf, byte(Version))
|
|
buf = append(buf, []byte{0, 0, 3, 232}...) // BigEndian representation of 1000
|
|
buf = append(buf, []byte("{}")...)
|
|
buf = append(buf, []byte("payload")...)
|
|
f.Add(buf)
|
|
|
|
// Seed with a short, invalid input
|
|
f.Add([]byte("short"))
|
|
|
|
f.Fuzz(func(t *testing.T, data []byte) {
|
|
// The fuzzer will generate random data here.
|
|
// We just need to call our function and make sure it doesn't panic.
|
|
// The fuzzer will report any crashes as failures.
|
|
_, _ = Decode(data, "FUZZ")
|
|
})
|
|
}
|