
Continuous fuzzing through OSS-fuzz

Open · AdamKorcz opened this issue 4 years ago · 1 comment

Is your feature request related to a problem? Please describe. I see that the apm agent has two fuzzers already. It is highly recommended to run fuzzers continuously. I have written an article about a project that had an extensive fuzzing infrastructure for a year, and after setting up continuous fuzzing, a critical DoS bug was found: https://adalogics.com/blog/the-importance-of-continuity-in-fuzzing-cve-2020-28362

Describe the solution you'd like I suggest setting up continuous fuzzing through Google's OSS-fuzz project. When integrating with OSS-fuzz, open source projects can have their fuzzers run continuously free of charge, and in case bugs are found, maintainers get notified with a detailed bug report.

I will be happy to set up an integration application for the apm agent (and other elastic projects that accept untrusted input. Suggestions are highly appreciated). In terms of the current fuzzers, they seem to be currently broken, and I would need to rewrite those which should not be an issue. Once the project is integrated into OSS-fuzz, any number of fuzzers can be added to run continuously.

AdamKorcz, Mar 13 '21
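For readers unfamiliar with what an OSS-Fuzz target for a Go project looks like, here is an added example (not code from apm-agent-go or from the issue author). It fuzzes a parser for the W3C `traceparent` header, which is the kind of untrusted input an APM agent reads from incoming requests; the `TraceContext` type, `ParseTraceparent` and `hexField` are hypothetical stand-ins written for this example, not the agent's own API. It shows both harness shapes: the go-fuzz style `Fuzz(data []byte) int` entry point that OSS-Fuzz has built for Go projects since the beginning, and the native `FuzzXxx(f *testing.F)` form from golang/go#44551, which OSS-Fuzz later added support for as well. The harness encodes an invariant (parse, format, re-parse must round-trip) so that the fuzzer finds logic bugs, not only panics.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"testing"
)

// TraceContext is a hypothetical stand-in for the trace context an agent
// extracts from an incoming request (assumption; not the agent's own type).
type TraceContext struct {
	Version byte
	TraceID [16]byte
	SpanID  [8]byte
	Sampled bool
}

var errInvalid = errors.New("invalid traceparent")

// hexField decodes s, which must be exactly n bytes of hex.
func hexField(s string, n int) ([]byte, error) {
	if len(s) != 2*n {
		return nil, errInvalid
	}
	return hex.DecodeString(s)
}

// ParseTraceparent parses "version-traceid-parentid-flags" per the W3C
// Trace Context rules: lowercase hex only, version ff is reserved, version 00
// has exactly four fields (later versions may append more), and an all-zero
// trace-id or parent-id is invalid. Example parser, not the agent's.
func ParseTraceparent(h string) (TraceContext, error) {
	var tc TraceContext
	if h != strings.ToLower(h) { // also rejects invalid UTF-8 from the fuzzer
		return tc, errInvalid
	}
	parts := strings.Split(h, "-")
	if len(parts) < 4 {
		return tc, errInvalid
	}
	version, err := hexField(parts[0], 1)
	if err != nil || version[0] == 0xff {
		return tc, errInvalid
	}
	tc.Version = version[0]
	if tc.Version == 0 && len(parts) != 4 {
		return tc, errInvalid
	}
	traceID, err := hexField(parts[1], 16)
	if err != nil {
		return tc, errInvalid
	}
	copy(tc.TraceID[:], traceID)
	spanID, err := hexField(parts[2], 8)
	if err != nil {
		return tc, errInvalid
	}
	copy(tc.SpanID[:], spanID)
	if tc.TraceID == [16]byte{} || tc.SpanID == [8]byte{} {
		return tc, errInvalid
	}
	flags, err := hexField(parts[3], 1)
	if err != nil {
		return tc, errInvalid
	}
	tc.Sampled = flags[0]&1 == 1
	return tc, nil
}

// String formats the context back into a four-field header.
func (tc TraceContext) String() string {
	flags := byte(0)
	if tc.Sampled {
		flags = 1
	}
	return fmt.Sprintf("%02x-%s-%s-%02x", tc.Version,
		hex.EncodeToString(tc.TraceID[:]), hex.EncodeToString(tc.SpanID[:]), flags)
}

// Fuzz is the go-fuzz / OSS-Fuzz entry point: return 1 for inputs worth
// keeping in the corpus, 0 otherwise; any panic is reported as a crash.
func Fuzz(data []byte) int {
	tc, err := ParseTraceparent(string(data))
	if err != nil {
		return 0
	}
	// Invariant: formatting and re-parsing must yield the same context.
	again, err := ParseTraceparent(tc.String())
	if err != nil || again != tc {
		panic(fmt.Sprintf("round-trip mismatch for %q", data))
	}
	return 1
}

// FuzzTraceparent is the native `go test -fuzz` shape (golang/go#44551),
// reusing the same invariant; a seed corpus entry is constructed inline.
func FuzzTraceparent(f *testing.F) {
	f.Add("00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-01")
	f.Fuzz(func(t *testing.T, h string) { Fuzz([]byte(h)) })
}

func main() {
	for _, h := range []string{ // constructed sample headers
		"00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-01",
		"00-00000000000000000000000000000000-b7ad6b7169203331-01",
		"ff-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-01",
	} {
		tc, err := ParseTraceparent(h)
		fmt.Printf("%s -> err=%v sampled=%v\n", h, err, tc.Sampled)
	}
}
```

In an OSS-Fuzz project the `Fuzz` function is compiled by the project's `build.sh` (with `compile_go_fuzzer` for the go-fuzz shape or `compile_native_go_fuzzer` for the native one) and then run continuously; the round-trip panic is what turns a quiet logic bug into a report the maintainers receive.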

@AdamKorcz thanks for opening the issue!

The fuzzing program I wrote a long time ago fell into disarray precisely because we haven't been running it continuously. I'm not entirely convinced it's worthwhile for this particular project, but I guess we'll never know if we don't run it :)

I was planning to take another look once https://github.com/golang/go/issues/44551 became reality, but I suppose OSS-Fuzz will be updated to work with that.

> I will be happy to set up an integration application for the apm agent (and other elastic projects that accept untrusted input. Suggestions are highly appreciated).

If you're happy to set it up, that would be great :heart:

As for other Elastic projects: I'm not sure if Elasticsearch qualifies with its new licensing, but if it does then that would be the main one. Otherwise I would suggest https://github.com/elastic/beats.

axw, Mar 14 '21