Fuzzing Django at Google OSS-Fuzz

Fuzzing Django at Google OSS-Fuzz

Guido Vranken
Dear group,

I've built a Django fuzzer that can be used with Google OSS-Fuzz [1].

The current fuzzer harness calls a host of django.util.* and related functions with pseudo-random inputs. Fuzzing these functions can be useful to see if any untrusted input can cause slowdowns, hangs, excessive memory consumption, or unexpected exceptions. There have been several such issues in recent years (CVE-2018-7537, CVE-2018-7536, CVE-2019-6975 [2]), and it is quite likely that my fuzzer would detect these vulnerabilities automatically. In addition to these general vulnerability classes, the harness can be easily extended to raise a warning on any custom condition.

Are the Django developers interested in OSS-Fuzz integration? If so, I will need one or more email addresses linked to a Google account that will receive the automated bug reports generated by OSS-Fuzz. Because these reports may contain security-sensitive information, it is recommended that only developers who ordinarily deal with security reports are included in this list.

Guido

[1] https://github.com/google/oss-fuzz
[2] https://docs.djangoproject.com/en/dev/releases/security/

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/08c201eb-e43d-4535-88b5-625ed3dfc89b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
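
A minimal harness of the kind the message above describes, as an added example that is not Guido Vranken's fuzzer or OSS-Fuzz code: it feeds pseudo-random strings to two constructed stand-in functions (not Django's) and reports unexpected exceptions, calls that exceed a time budget, and one custom condition (output far larger than the input). All names, the time budget and the amplification limit are assumptions.

```python
import random
import time

EXPECTED = (ValueError,)   # exceptions a target may legitimately raise
TIME_BUDGET = 0.5          # seconds per call before it counts as a slowdown
MAX_AMPLIFICATION = 100    # custom condition: output may be at most 100x the input

# Constructed stand-in targets (not Django code); each takes untrusted text.
def expand_exponent(text):
    """Render '<digits>e<digits>' as a plain integer string."""
    mantissa, _, exp = text.partition("e")
    if not (mantissa.isdigit() and exp.isdigit()):
        raise ValueError("not a number")
    return mantissa + "0" * int(exp)      # output size is controlled by the input

def parse_pair(text):
    """Return the value of 'key=value'."""
    return text.split("=", 1)[1]          # IndexError when '=' is missing

def run_one(target, data, budget=TIME_BUDGET):
    """Call target once; return a finding string, or None if nothing is wrong."""
    start = time.perf_counter()
    try:
        out = target(data)
    except EXPECTED:
        out = None
    except Exception as exc:
        return "unexpected exception: " + type(exc).__name__
    if time.perf_counter() - start > budget:
        return "slow call"
    if isinstance(out, str) and len(out) > MAX_AMPLIFICATION * max(len(data), 1):
        return "output amplification"
    return None

def fuzz(targets, seed, iterations=5000, alphabet="0123456789e=x", max_len=6):
    """Feed pseudo-random strings to each target; keep the first finding per target."""
    rng = random.Random(seed)
    findings = {}
    for _ in range(iterations):
        data = "".join(rng.choice(alphabet) for _ in range(rng.randint(0, max_len)))
        for target in targets:
            if target.__name__ not in findings:
                finding = run_one(target, data)
                if finding:
                    findings[target.__name__] = (finding, data)
    return findings

if __name__ == "__main__":
    for name, (finding, data) in fuzz([expand_exponent, parse_pair], seed=1).items():
        print(f"{name}: {finding} on input {data!r}")
```

The short `max_len` keeps the harness itself from exhausting memory while it looks for amplification; a coverage-guided engine would replace the plain `random.Random` generator.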

Re: Fuzzing Django at Google OSS-Fuzz

Florian Apolloner
Hi Guido,

Wow. That would be very much appreciated. security@dp is just a Google mailing list I fear. If you added me, would it be possible that I manage the other email addresses, or would you have to do that all? Also for now please do not add anyone without my say-so; I'll get in touch with you over a verified channel, so you can be sure you are giving access to someone from the security team.

Thanks,
Florian

On Saturday, July 6, 2019 at 9:06:42 PM UTC+2, Guido Vranken wrote:
Dear group,

I've built a Django fuzzer that can be used with Google OSS-Fuzz [1].

The current fuzzer harness calls a host of django.util.* and related functions with pseudo-random inputs. Fuzzing these functions can be useful to see if any untrusted input can cause slowdowns, hangs, excessive memory consumption, or unexpected exceptions. There have been several such issues in recent years (CVE-2018-7537, CVE-2018-7536, CVE-2019-6975 [2]), and it is quite likely that my fuzzer would detect these vulnerabilities automatically. In addition to these general vulnerability classes, the harness can be easily extended to raise a warning on any custom condition.

Are the Django developers interested in OSS-Fuzz integration? If so, I will need one or more email addresses linked to a Google account that will receive the automated bug reports generated by OSS-Fuzz. Because these reports may contain security-sensitive information, it is recommended that only developers who ordinarily deal with security reports are included in this list.

Guido

[1] https://github.com/google/oss-fuzz
[2] https://docs.djangoproject.com/en/dev/releases/security/

Re: Fuzzing Django at Google OSS-Fuzz

Guido Vranken
You can use every email address (like security@dp), including non-Google e-mail addresses, but they will only receive notifications and will not be able to log in to the OSS-Fuzz dashboard at https://oss-fuzz.com/. Adding more e-mail addresses is done by making a PR against OSS-Fuzz and changing the project.yaml file. You can do this; we'll tell the admins who approve the PRs that you have the agency to do this.

I've made an initial PR for Django fuzzers here: https://github.com/google/oss-fuzz/pull/2579
The fuzzers and the corpus are still in a private repo.

On Sun, Jul 7, 2019 at 11:14 AM Florian Apolloner <[hidden email]> wrote:
Hi Guido,

Wow. That would be very much appreciated. security@dp is just a Google mailing list I fear. If you added me, would it be possible that I manage the other email addresses, or would you have to do that all? Also for now please do not add anyone without my say-so; I'll get in touch with you over a verified channel, so you can be sure you are giving access to someone from the security team.

Thanks,
Florian
