Skip to content

Commit

Permalink
fuzzing: add fuzzers for multiple packages (#3834)
Browse files Browse the repository at this point in the history
Signed-off-by: Adam Korczynski <[email protected]>
  • Loading branch information
AdamKorcz authored Aug 19, 2024
1 parent 3694644 commit 9c0c81c
Show file tree
Hide file tree
Showing 5 changed files with 261 additions and 0 deletions.
56 changes: 56 additions & 0 deletions pkg/cosign/attestation/fuzz_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
//
// Copyright 2024 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package attestation

import (
"bytes"
"testing"
)

func FuzzGenerateStatement(f *testing.F) {
f.Fuzz(func(_ *testing.T, predicate []byte, digest, repo string, stmttType int) {
var statementType string
switch stmttType % 9 {
case 0:
statementType = "slsaprovenance"
case 1:
statementType = "slsaprovenance02"
case 2:
statementType = "slsaprovenance1"
case 3:
statementType = "spdx"
case 4:
statementType = "spdxjson"
case 5:
statementType = "cyclonedx"
case 6:
statementType = "link"
case 7:
statementType = "vuln"
case 8:
statementType = "openvex"
default:
statementType = ""
}
opts := GenerateOpts{
Predicate: bytes.NewReader(predicate),
Type: statementType,
Digest: digest,
Repo: repo,
}
GenerateStatement(opts)
})
}
26 changes: 26 additions & 0 deletions pkg/cosign/cue/fuzz_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
//
// Copyright 2024 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package cue

import (
"testing"
)

func FuzzValidateJSON(f *testing.F) {
f.Fuzz(func(_ *testing.T, jsonBody []byte, entrypoint string) {
ValidateJSON(jsonBody, []string{entrypoint})
})
}
123 changes: 123 additions & 0 deletions pkg/cosign/fuzz_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,123 @@
//
// Copyright 2024 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package cosign

import (
"context"
"os"
"path/filepath"
"testing"

"github.com/google/go-containerregistry/pkg/name"
v1 "github.com/google/go-containerregistry/pkg/v1"

"github.com/sigstore/cosign/v2/pkg/oci/mutate"
)

var (
defaultFuzzRef = "fuzz/test"
)

func fuzzPass(s string) PassFunc {
return func(_ bool) ([]byte, error) {
return []byte(s), nil
}
}

func FuzzImportKeyPairLoadPrivateKey(f *testing.F) {
f.Add([]byte(validrsa), []byte("password"))
f.Add([]byte(validrsapkcs1), []byte("password"))
f.Add([]byte(validrsapkcs8), []byte("password"))
f.Add([]byte(validecp256), []byte("password"))
f.Add([]byte(validecp384), []byte("password"))
f.Add([]byte(validecp521), []byte("password"))
f.Add([]byte(validecpkcs8), []byte("password"))
f.Add([]byte(ed25519key), []byte("password"))
f.Add([]byte(pemcosignkey), []byte("password"))
f.Add([]byte(pemcosigneckey), []byte("password"))
f.Add([]byte(pemsigstorekey), []byte("password"))
f.Fuzz(func(t *testing.T, pemData, password []byte) {
path := t.TempDir()
keyFilePath := filepath.Join(path, "fuzzKey")
err := os.WriteFile(keyFilePath, pemData, 0x755)
if err != nil {
return
}
keyBytes, err := ImportKeyPair(keyFilePath, fuzzPass(string(password)))
if err != nil {
return
}
// Loading the private key should also work.
_, err = LoadPrivateKey(keyBytes.PrivateBytes, password)
if err != nil {
t.Fatal(err)
}
})
}

func FuzzSigVerify(f *testing.F) {
f.Fuzz(func(t *testing.T, sigData, payloadData []byte, verificationTest int) {
path := t.TempDir()
sigPath := filepath.Join(path, "sigFile")
err := os.WriteFile(sigPath, sigData, 0x755)
if err != nil {
return
}
payloadPath := filepath.Join(path, "payloadFile")
err = os.WriteFile(payloadPath, payloadData, 0x755)
if err != nil {
return
}
ref, err := name.ParseReference(defaultFuzzRef)
if err != nil {
panic(err)
}
sigs, err := loadSignatureFromFile(context.Background(), sigPath, ref, &CheckOpts{PayloadRef: payloadPath})
if err != nil {
return
}
switch verificationTest % 5 {
case 0:
VerifyImageAttestation(context.Background(), sigs, v1.Hash{}, &CheckOpts{IgnoreTlog: true})
case 1:
verifySignatures(context.Background(), sigs, v1.Hash{}, &CheckOpts{IgnoreTlog: true})
case 2:
sl, err := sigs.Get()
if err != nil {
t.Fatal(err)
}
for _, sig := range sl {
VerifyBlobSignature(context.Background(), sig, &CheckOpts{IgnoreTlog: true})
}
case 3:
sl, err := sigs.Get()
if err != nil {
t.Fatal(err)
}
for _, sig := range sl {
VerifyImageSignature(context.Background(), sig, v1.Hash{}, &CheckOpts{IgnoreTlog: true})
}
case 4:
sl, err := sigs.Get()
if err != nil {
t.Fatal(err)
}
for _, sig := range sl {
mutate.Signature(sig)
}
}
})
}
26 changes: 26 additions & 0 deletions pkg/cosign/rego/fuzz_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
//
// Copyright 2024 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package rego

import (
"testing"
)

func FuzzValidateJSON(f *testing.F) {
f.Fuzz(func(_ *testing.T, jsonBody []byte, entrypoint string) {
ValidateJSON(jsonBody, []string{entrypoint})
})
}
30 changes: 30 additions & 0 deletions pkg/policy/fuzz_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
//
// Copyright 2024 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package policy

import (
"context"
"testing"
)

var policyTypes = []string{"cue", "rego"}

func FuzzEvaluatePolicyAgainstJSON(f *testing.F) {
f.Fuzz(func(_ *testing.T, name, policyBody string, jsonBytes []byte, policyType uint8) {
choosePolicyType := policyTypes[int(policyType)%len(policyTypes)]
EvaluatePolicyAgainstJSON(context.Background(), name, choosePolicyType, policyBody, jsonBytes)
})
}

0 comments on commit 9c0c81c

Please sign in to comment.