Add url fuzz target

benalleng · benalleng · commit eeb65e05a900 · 2026-04-20T19:49:30.000-04:00
diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml
@@ -28,3 +28,9 @@ name = "uri_deserialize_pjuri"
 path = "fuzz_targets/uri/deserialize_pjuri.rs"
 doc = false
 bench = false
+
+[[bin]]
+name = "url_decode_url"
+path = "fuzz_targets/url/decode_url.rs"
+doc = false
+bench = false
diff --git a/fuzz/cycle.sh b/fuzz/cycle.sh
@@ -2,11 +2,13 @@
 
 # Continuously cycle over fuzz targets running each for 1 hour.
 # It uses chrt SCHED_IDLE so that other process takes priority.
+# A number of concurrent forks can be applied for parallelization. Be sure to leave one or two available CPUs open for the OS.
 #
 # For cargo-fuzz usage see https://github.com/rust-fuzz/cargo-fuzz?tab=readme-ov-file#usage
 
 set -euo pipefail
 
+FORKS=${1:-1}
 REPO_DIR=$(git rev-parse --show-toplevel)
 # can't find the file because of the ENV var
 # shellcheck source=/dev/null
@@ -17,7 +19,7 @@ while :; do
         targetName=$(targetFileToName "$targetFile")
         echo "Fuzzing target $targetName ($targetFile)"
         # fuzz for one hour
-        cargo +nightly fuzz run "$targetName" -- -max_total_time=3600
+        cargo +nightly fuzz run "$targetName" -- -max_total_time=3600 -fork="$FORKS"
         # minimize the corpus
         cargo +nightly fuzz cmin "$targetName"
     done
diff --git a/fuzz/fuzz.sh b/fuzz/fuzz.sh
@@ -1,16 +1,23 @@
 #!/usr/bin/env bash
 
 # This script is used to briefly fuzz every target when no target is provided. Otherwise, it will briefly fuzz the provided target
+# When fuzzing with a specific target a number of concurrent forks can be applied. Be sure to leave one or two available CPUs open for the OS.
 
 set -euo pipefail
 
 TARGET=""
+FORKS=1
 
 if [[ $# -gt 0 ]]; then
     TARGET="$1"
     shift
 fi
 
+if [[ $# -gt 0 ]]; then
+    FORKS="$1"
+    shift
+fi
+
 REPO_DIR=$(git rev-parse --show-toplevel)
 
 # can't find the file because of the ENV var
@@ -26,5 +33,5 @@ fi
 for targetFile in $targetFiles; do
     targetName=$(targetFileToName "$targetFile")
     echo "Fuzzing target $targetName ($targetFile)"
-    cargo fuzz run "$targetName" -- -max_total_time=30
+    cargo fuzz run "$targetName" -- -max_total_time=30 -fork="$FORKS"
 done
diff --git a/fuzz/fuzz_targets/url/decode_url.rs b/fuzz/fuzz_targets/url/decode_url.rs
@@ -0,0 +1,68 @@
+#![no_main]
+
+use std::str;
+
+use libfuzzer_sys::fuzz_target;
+// Adjust this path to wherever your Url module lives in your crate.
+use payjoin::Url;
+
+fn do_test(data: &[u8]) {
+    let Ok(s) = str::from_utf8(data) else { return };
+
+    let Ok(mut url) = Url::parse(s) else { return };
+
+    let _ = url.scheme();
+    let _ = url.domain();
+    let _ = url.port();
+    let _ = url.path();
+    let _ = url.query();
+    let _ = url.fragment();
+    let _ = url.as_str();
+    let _ = url.to_string();
+    if let Some(segs) = url.path_segments() {
+        let _ = segs.collect::<Vec<_>>();
+    }
+
+    // Cross-check IPv4/IPv6 parsing against std::net
+    let host_str = url.host_str();
+    if let Ok(std_addr) = host_str.parse::<std::net::Ipv4Addr>() {
+        assert!(url.domain().is_none(), "domain() must be None for IPv4 host");
+        let _ = std_addr.octets();
+    }
+    let bracketed = host_str.trim_start_matches('[').trim_end_matches(']');
+    if let Ok(std_addr) = bracketed.parse::<std::net::Ipv6Addr>() {
+        assert!(url.domain().is_none(), "domain() must be None for IPv6 host");
+        let _ = std_addr.segments();
+    }
+
+    let raw = url.as_str().to_owned();
+    if let Ok(reparsed) = Url::parse(&raw) {
+        assert_eq!(
+            reparsed.as_str(),
+            raw,
+            "round-trip mismatch: first={raw:?} second={:?}",
+            reparsed.as_str()
+        );
+    }
+
+    url.set_port(Some(8080));
+    url.set_port(None);
+    url.set_fragment(Some("fuzz"));
+    url.set_fragment(None);
+    url.query_pairs_mut().append_pair("k", "v");
+    url.clear_query();
+    url.query_pairs_mut().append_pair("fuzz_key", "fuzz_val");
+
+    if let Some(mut segs) = url.path_segments_mut() {
+        segs.push("fuzz_segment");
+    }
+
+    let _ = url.join("relative/path");
+    let _ = url.join("/absolute/path");
+    let _ = url.join("../dotdot");
+    let _ = url.join("https://other.example.com/new");
+}
+
+fuzz_target!(|data| {
+    do_test(data);
+});
