
Add ngx_js_form_fuzzer for HTTP form body parsing #1067

Open
kuranikaran wants to merge 1 commit into nginx:master from kuranikaran:codex/add-ngx-js-form-fuzzer

Conversation

@kuranikaran

njs 0.9.9 added nginx/ngx_js_form.c, an ~860-line multipart and urlencoded form body parser exposed through the r.readRequestForm() API. The existing njs_process_script_fuzzer only covers the JS engine script path and doesn't reach this parser.
Since this code handles untrusted HTTP request bodies (Content-Type parsing, boundary matching, percent-decoding, Content-Disposition header extraction, quoted-string unescaping), it's a high-value fuzzing target.
This PR adds a dedicated fuzz harness that drives ngx_js_parse_form() directly with both urlencoded and multipart inputs through minimal nginx core stubs (pool, array, string helpers), avoiding the need for a full nginx build.
What's included:

fuzz/ngx_js_form_fuzzer.cc — harness source
fuzz/stubs/ — minimal nginx type/function stubs (ngx_pool, ngx_array, ngx_str)
fuzz/seed_corpus/ — 8 seed inputs covering normal, truncated, oversized-boundary, quoted-filename, and empty-body paths
fuzz/ngx_js_form_fuzzer.dict — fuzzer dictionary

This is being coordinated with a corresponding oss-fuzz integration PR to wire up the new fuzzer in Google's continuous fuzzing infrastructure.
Note: This PR intentionally does not modify auto/make or the build system. The oss-fuzz integration (google/oss-fuzz#15533) injects the build target dynamically. If you'd prefer the target wired into auto/make natively, happy to add that.

@github-actions

github-actions Bot commented May 24, 2026

🎉 Thank you for your contribution! It appears you have not yet signed the F5 Contributor License Agreement (CLA), which is required for your changes to be incorporated into an F5 Open Source Software (OSS) project. Please kindly read the F5 CLA and reply on a new comment with the following text to agree:

I have hereby read the F5 CLA and agree to its terms

You can retrigger this bot by commenting `recheck` in this Pull Request. Posted by the CLA Assistant Lite bot.

@kuranikaran
Author

I have hereby read the F5 CLA and agree to its terms

@kuranikaran
Author

Hi @xeioex - this adds a fuzzer for the new form body parser in ngx_js_form.c. Would appreciate your review when you get a chance. The corresponding oss-fuzz integration is at google/oss-fuzz#15533.
