
Fuzzing candidates

Open mschwager opened this issue 1 year ago • 8 comments

  • https://github.com/msgpack/msgpack-ruby
  • https://github.com/flori/json
  • https://github.com/ruby/psych (YAML)
  • https://github.com/cabo/cbor-ruby
  • https://github.com/mongodb/bson-ruby
  • https://github.com/ruby/date
  • https://github.com/ruby/zlib

EDIT: more:

  • https://github.com/puma/puma/tree/master/ext/puma_http11
  • https://github.com/k0kubun/hamlit
  • https://github.com/jgarber/redcloth
  • https://github.com/ruby/strscan
  • https://github.com/ruby/etc
  • https://github.com/ruby/openssl/blob/master/ext/openssl/ossl_asn1.c
  • https://github.com/ruby/openssl/blob/master/ext/openssl/ossl_config.c
  • https://github.com/kgiszczak/tomlib
  • https://github.com/jm/toml
  • https://github.com/emancu/toml-rb
  • https://github.com/fluent/fluentd
  • https://github.com/slim-template/slim
  • https://github.com/ruby/rbs
  • https://github.com/protocolbuffers/protobuf/tree/main/ruby

mschwager avatar Jan 19 '24 21:01 mschwager

It looks like json, psych, and date are already fuzzed here: https://github.com/google/oss-fuzz/tree/master/projects/ruby.

zlib could be interesting, although that extension appears to be a direct copy of the ubiquitous Zlib C library, so it's probably already been fuzzed extensively.

mschwager avatar Jan 30 '24 18:01 mschwager

nokogiri (especially the SAX parser) is also worth fuzzing, they have a long track record of NPEs and other memory violations: https://www.cvedetails.com/vulnerability-list/vendor_id-20514/product_id-59208/Nokogiri-Nokogiri.html

Edit: Fuzzed here: https://github.com/google/oss-fuzz/tree/master/projects/nokogiri

woodruffw avatar Jan 30 '24 18:01 woodruffw

nokogiri (especially the SAX parser) is also worth fuzzing, they have a long track record of NPEs and other memory violations: https://www.cvedetails.com/vulnerability-list/vendor_id-20514/product_id-59208/Nokogiri-Nokogiri.html

Edit: Fuzzed here: https://github.com/google/oss-fuzz/tree/master/projects/nokogiri

Good call, looks like they're only doing UBSAN though? https://github.com/google/oss-fuzz/blob/master/projects/nokogiri/project.yaml#L9-L10

mschwager avatar Jan 30 '24 18:01 mschwager

Yeah, interesting choice 🤔

woodruffw avatar Jan 30 '24 18:01 woodruffw

The ffi gem might also be worth fuzzing: https://github.com/ffi/ffi

woodruffw avatar Jan 30 '24 18:01 woodruffw

Here's a useful GH query for finding repositories with an extconf.rb file (indicates a Ruby C extension): https://github.com/search?q=lang%3Aruby+path%3Aextconf.rb+NOT+is%3Aarchived&type=code.

mschwager avatar Feb 12 '24 16:02 mschwager

Ruby C code that accepts Marshal'ed data:

  • https://github.com/search?q=repo%3Aruby%2Fruby+marshal_load+language%3AC&type=code&l=C
  • https://github.com/ruby/ruby/blob/53e37953791921b42c3d409b23c488861094f714/time.c#L5846-L5848

Ruby RubyVM::InstructionSequence binary functionality:

  • https://ruby-doc.org/3.3.4/RubyVM/InstructionSequence.html#method-c-load_from_binary

mschwager avatar Aug 21 '24 18:08 mschwager