Implement fuzztesting.

.github/workflows/run-ci-cd.yaml

@@ -289,6 +289,49 @@ jobs:
         run: |
           docker run --env-file frontend/.env.example ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-frontend-e2e:latest pnpm run test:e2e
 
+  run-fuzz-tests:
+    name: Run fuzz tests
+    needs:
+      - scan-code
+      - scan-ci-dependencies
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+      - name: Set up Docker buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
+
+      - name: Create .env file for fuzz tests
+        run: |
+          touch backend/fuzz_tests/.env
+          echo "DJANGO_DB_HOST=None" >> backend/fuzz_tests/.env
+          echo "DJANGO_DB_NAME=None" >> backend/fuzz_tests/.env
+          echo "DJANGO_DB_PASSWORD=None" >> backend/fuzz_tests/.env
+          echo "DJANGO_DB_PORT=None" >> backend/fuzz_tests/.env
+          echo "DJANGO_DB_USER=None" >> backend/fuzz_tests/.env
+          echo "DJANGO_SETTINGS_MODULE=settings.fuzz" >> backend/fuzz_tests/.env
+          echo "DJANGO_CONFIGURATION=Fuzz" >> backend/fuzz_tests/.env
+          echo "DJANGO_ALGOLIA_APPLICATION_ID=None" >> backend/fuzz_tests/.env
+          echo "DJANGO_ALGOLIA_EXCLUDED_LOCAL_INDEX_NAMES=None" >> backend/fuzz_tests/.env
+          echo "DJANGO_ALGOLIA_WRITE_API_KEY=None" >> backend/fuzz_tests/.env
+          echo "DJANGO_ALLOWED_HOSTS=*" >> backend/fuzz_tests/.env
+          echo "DJANGO_AWS_ACCESS_KEY_ID=None" >> backend/fuzz_tests/.env
+          echo "DJANGO_AWS_SECRET_ACCESS_KEY=None" >> backend/fuzz_tests/.env
+          echo "DJANGO_OPEN_AI_SECRET_KEY=None" >> backend/fuzz_tests/.env
+          echo "DJANGO_PUBLIC_IP_ADDRESS=127.0.0.1" >> backend/fuzz_tests/.env
+          echo "DJANGO_RELEASE_VERSION=None" >> backend/fuzz_tests/.env
+          echo "DJANGO_SECRET_KEY=None" >> backend/fuzz_tests/.env
+          echo "DJANGO_SENTRY_DSN=None" >> backend/fuzz_tests/.env
+          echo "DJANGO_SLACK_BOT_TOKEN=None" >> backend/fuzz_tests/.env
+          echo "DJANGO_SLACK_SIGNING_SECRET=None" >> backend/fuzz_tests/.env
+          echo "GITHUB_TOKEN=None" >> backend/fuzz_tests/.env
+          echo "DJANGO_REDIS_HOST=None" >> backend/fuzz_tests/.env
+          echo "DJANGO_REDIS_PASSWORD=None" >> backend/fuzz_tests/.env
+
+      - name: Run fuzz tests
+        run: make fuzz-test-backend
+
   build-staging-images:
     name: Build Staging Images
     environment: staging

.github/workflows/update-nest-test-images.yaml

@@ -124,3 +124,23 @@ jobs:
         run: |
           rm -rf /tmp/buildx-schema-poetry-cache
           mv /tmp/buildx-schema-poetry-cache-new /tmp/buildx-schema-poetry-cache
+
+      - name: Build and push fuzz-test-backend image
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
+        with:
+          cache-from: type=registry,ref=${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-fuzz-backend:cache
+          cache-to: type=registry,ref=${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-fuzz-backend:cache,mode=max
+          context: backend
+          file: backend/docker/Dockerfile.fuzz_tests
+          push: true
+          tags: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-fuzz-backend:latest
+
+      - name: Build and push fuzz-test-graphql image
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
+        with:
+          cache-from: type=registry,ref=${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-fuzz-graphql:cache
+          cache-to: type=registry,ref=${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-fuzz-graphql:cache,mode=max
+          context: backend
+          file: backend/docker/Dockerfile.graphql_fuzz
+          push: true
+          tags: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-fuzz-graphql:latest

Makefile

@@ -53,6 +53,9 @@ run:
 	docker compose -f docker/docker-compose-local.yaml build && \
 	docker compose -f docker/docker-compose-local.yaml up --remove-orphans
 
+fuzz-test-backend:
+	@COMPOSE_BAKE=true docker compose -f docker/docker-compose-fuzz.yaml up --build --abort-on-container-exit --remove-orphans
+
 test: \
 	test-nest-app \
 	test-schema

backend/Makefile

@@ -168,6 +168,7 @@ test-backend:
 		-t nest-test-backend
 	@docker run -e DJANGO_CONFIGURATION=Test --rm nest-test-backend pytest
 
+
 update-backend-dependencies:
 	@cd backend && poetry update
 

backend/docker/Dockerfile.fuzz_tests

@@ -0,0 +1,74 @@
+FROM python:3.13-alpine AS builder
+
+SHELL ["/bin/sh", "-o", "pipefail", "-c"]
+
+ENV APK_CACHE_DIR="/home/owasp/.cache/apk" \
+    APK_SYMLINK_DIR="/etc/apk/cache" \
+    OWASP_GID=1000 \
+    OWASP_UID=1000 \
+    PIP_CACHE_DIR="/home/owasp/.cache/pip" \
+    POETRY_CACHE_DIR="/home/owasp/.cache/pypoetry" \
+    POETRY_VIRTUALENVS_IN_PROJECT=true \
+    PYTHONUNBUFFERED=1
+
+RUN mkdir -p ${APK_CACHE_DIR} ${POETRY_CACHE_DIR} && \
+    ln -fns ${APK_CACHE_DIR} ${APK_SYMLINK_DIR}
+
+RUN --mount=type=cache,target=${APK_CACHE_DIR} \
+    apk update && apk upgrade && \
+    addgroup -S -g ${OWASP_GID} owasp && \
+    adduser -S -h /home/owasp -u ${OWASP_UID} -G owasp owasp && \
+    chown -R owasp:owasp /home/owasp
+
+RUN --mount=type=cache,target=${PIP_CACHE_DIR} \
+    python -m pip install poetry --cache-dir ${PIP_CACHE_DIR}
+
+WORKDIR /home/owasp
+USER owasp
+
+# Copy Poetry configuration and install dependencies
+COPY --chmod=444 poetry.lock pyproject.toml ./
+RUN --mount=type=cache,target=${POETRY_CACHE_DIR},uid=${OWASP_UID},gid=${OWASP_GID} \
+    poetry install --no-root
+
+# Copy application files
+COPY apps apps
+COPY manage.py wsgi.py ./
+COPY settings settings
+COPY static static
+COPY templates templates
+COPY fuzz_tests fuzz_tests
+COPY data data
+COPY fuzz_tests/.env .env
+COPY docker/entrypoint_fuzz.sh entrypoint.sh
+
+FROM python:3.13-alpine
+
+SHELL ["/bin/sh", "-o", "pipefail", "-c"]
+
+# Install runtime dependencies
+RUN addgroup -S owasp && \
+    adduser -S -h /home/owasp -G owasp owasp && \
+    mkdir -p /home/owasp && \
+    chown owasp:owasp /home/owasp
+
+ENV FORCE_COLOR=1 \
+    PATH="/home/owasp/.venv/bin:$PATH" \
+    PYTHONUNBUFFERED=1
+
+WORKDIR /home/owasp
+USER owasp
+
+# Copy built application from the builder stage
+COPY --from=builder --chmod=555 --chown=owasp:owasp /home/owasp /home/owasp
+
+RUN touch /home/owasp/fuzz_tests.db && \
+    chmod +x /home/owasp/fuzz_tests.db /home/owasp/entrypoint.sh
+
+
+# Expose the running port
+EXPOSE 8000
+
+# Run fuzz tests
+
+CMD ["/home/owasp/entrypoint.sh"]

backend/docker/Dockerfile.graphql_fuzz

@@ -0,0 +1,41 @@
+FROM python:3.12-alpine
+
+ENV APK_CACHE_DIR="/home/owasp/.cache/apk" \
+    APK_SYMLINK_DIR="/etc/apk/cache" \
+    OWASP_GID=1000 \
+    OWASP_UID=1000 \
+    PIP_CACHE_DIR="/home/owasp/.cache/pip" \
+    POETRY_VIRTUALENVS_IN_PROJECT=true \
+    PYTHONUNBUFFERED=1
+
+RUN mkdir -p ${APK_CACHE_DIR} && \
+    ln -fns ${APK_CACHE_DIR} ${APK_SYMLINK_DIR}
+
+RUN --mount=type=cache,target=${APK_CACHE_DIR} \
+    apk update && apk upgrade && \
+    addgroup -S -g ${OWASP_GID} owasp && \
+    adduser -S -h /home/owasp -u ${OWASP_UID} -G owasp owasp && \
+    chown -R owasp:owasp /home/owasp
+
+RUN --mount=type=cache,target=${APK_CACHE_DIR},uid=${OWASP_UID},gid=${OWASP_GID} \
+    apk add curl jq gcc musl-dev libffi-dev linux-headers
+
+RUN --mount=type=cache,target=${PIP_CACHE_DIR} \
+    pip install graphqler --cache-dir ${PIP_CACHE_DIR}
+
+WORKDIR /home/owasp
+
+COPY docker/entrypoint_graphql_fuzz.sh entrypoint.sh
+
+RUN touch /home/owasp/config.toml && \
+    chmod +x /home/owasp/config.toml && \
+    chown owasp:owasp /home/owasp/config.toml
+
+# Create the graphql output dir and give permissions to the owasp user
+RUN mkdir -p /home/owasp/fuzzing_results && \
+    chmod +x /home/owasp/fuzzing_results /home/owasp/entrypoint.sh && \
+    chown owasp:owasp /home/owasp/fuzzing_results /home/owasp/entrypoint.sh
+
+USER owasp
+
+CMD ["/home/owasp/entrypoint.sh"]

backend/docker/entrypoint_fuzz.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+python manage.py migrate
+python manage.py collectstatic --noinput
+
+# Load initial data
+python manage.py load_data
+
+pytest fuzz_tests
+
+python manage.py runserver 0.0.0.0:8000

backend/docker/entrypoint_graphql_fuzz.sh

@@ -0,0 +1,24 @@
+#!/bin/sh
+
+echo "Retrieving CSRF token..."
+
+CSRF_TOKEN=$(curl -s http://backend:8000/csrf/ | jq -r '.csrftoken')
+
+if [ -z "$CSRF_TOKEN" ]; then
+  echo "Failed to retrieve CSRF token"
+  exit 1
+fi
+
+echo "CSRF token retrieved successfully: $CSRF_TOKEN"
+
+cat > /home/owasp/config.toml << EOF
+[CUSTOM_HEADERS]
+X-CSRF-Token = "$CSRF_TOKEN"
+EOF
+
+echo "Custom headers configuration file created successfully"
+
+sleep 5
+
+echo "Starting fuzzing tests..."
+python -m graphqler --config /home/owasp/config.toml --url http://backend:8000/graphql/ --mode run --path /home/owasp/fuzzing_results

backend/fuzz_tests/slack/contribute_test.py

@@ -0,0 +1,43 @@
+"""Test Slack contribute event handler."""
+
+from unittest.mock import MagicMock, patch
+
+from django.conf import settings
+from hypothesis import given
+from hypothesis import strategies as st
+
+from apps.slack.constants import (
+    OWASP_CONTRIBUTE_CHANNEL_ID,
+)
+from apps.slack.events.member_joined_channel.contribute import Contribute
+
+
+class TestContributeEventHandler:
+    """Test cases for the Contribute Slack event handler."""
+
+    @given(
+        events_enabled=st.booleans(),
+        project_count=st.integers(),
+        issue_count=st.integers(),
+    )
+    @patch("apps.owasp.models.project.Project.active_projects_count")
+    @patch("apps.github.models.issue.Issue.open_issues_count")
+    def test_handler_responses(
+        self,
+        mock_open_issues_count,
+        mock_active_projects_count,
+        events_enabled,
+        project_count,
+        issue_count,
+    ):
+        """Test the contribute event handler responses."""
+        settings.SLACK_EVENTS_ENABLED = events_enabled
+        mock_active_projects_count.return_value = project_count
+        mock_open_issues_count.return_value = issue_count
+        mock_slack_event = {"user": "U123456", "channel": OWASP_CONTRIBUTE_CHANNEL_ID}
+        mock_slack_client = MagicMock()
+        mock_slack_client.conversations_open.return_value = {"channel": {"id": "C123456"}}
+
+        contribute = Contribute()
+
+        contribute.handler(event=mock_slack_event, client=mock_slack_client, ack=MagicMock())

backend/fuzz_tests/slack/gsoc_test.py

@@ -0,0 +1,44 @@
+"""Test cases for the GSOC Slack event handler."""
+
+from unittest.mock import MagicMock
+
+from django.conf import settings
+from hypothesis import given
+from hypothesis import strategies as st
+
+from apps.slack.constants import OWASP_GSOC_CHANNEL_ID
+from apps.slack.events.member_joined_channel.gsoc import Gsoc
+
+
+class TestGsocEventHandler:
+    """Test cases for the GSOC Slack event handler."""
+
+    @given(
+        channel_id=st.text(),
+    )
+    def test_check_gsoc_handler(self, channel_id):
+        """Test the check_gsoc_handler function."""
+        gsoc_module = __import__(
+            "apps.slack.events.member_joined_channel.gsoc",
+            fromlist=["gsoc_handler"],
+        )
+        check_gsoc_handler = getattr(
+            gsoc_module,
+            "check_gsoc_handler",
+            lambda x: x.get("channel") == OWASP_GSOC_CHANNEL_ID,
+        )
+
+        check_gsoc_handler({"channel": channel_id})
+
+    @given(
+        events_enabled=st.booleans(),
+    )
+    def test_handler_responses(self, events_enabled):
+        """Test the GSOC event handler responses."""
+        settings.SLACK_EVENTS_ENABLED = events_enabled
+        mock_slack_event = {"user": "U123456", "channel": OWASP_GSOC_CHANNEL_ID}
+        mock_slack_client = MagicMock()
+        mock_slack_client.conversations_open.return_value = {"channel": {"id": "C123456"}}
+
+        gsoc = Gsoc()
+        gsoc.handler(event=mock_slack_event, client=mock_slack_client, ack=MagicMock())