fuzzing: Add more fuzzers (istio#41383)

Signed-off-by: AdamKorcz <adam@adalogics.com> Signed-off-by: AdamKorcz <adam@adalogics.com>
WillardHu · Oct 12, 2022 · 65478ea · 65478ea
1 parent b8876c8
commit 65478ea
Show file tree

Hide file tree

Showing 6 changed files with 279 additions and 0 deletions.
diff --git a/pkg/bootstrap/fuzz_test.go b/pkg/bootstrap/fuzz_test.go
@@ -0,0 +1,70 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package bootstrap
+
+import (
+	"bytes"
+	"io"
+	"os"
+	"testing"
+
+	fuzz "github.com/AdaLogics/go-fuzz-headers"
+)
+
+func FuzzWriteTo(f *testing.F) {
+	f.Fuzz(func(t *testing.T, data []byte) {
+		ff := fuzz.NewConsumer(data)
+
+		// create config
+		cfg := Config{}
+
+		err := ff.GenerateStruct(&cfg)
+		if err != nil {
+			return
+		}
+
+		if cfg.Metadata == nil {
+			return
+		}
+		if cfg.Metadata.ProxyConfig == nil {
+			return
+		}
+
+		i := New(cfg)
+
+		// create template file
+		templateBytes, err := ff.GetBytes()
+		if err != nil {
+			return
+		}
+
+		tf, err := os.Create("templateFile")
+		if err != nil {
+			return
+		}
+		defer func() {
+			tf.Close()
+			os.Remove("templateFile")
+		}()
+		_, err = tf.Write(templateBytes)
+		if err != nil {
+			return
+		}
+
+		// call target
+		var buf bytes.Buffer
+		i.WriteTo("templateFile", io.Writer(&buf))
+	})
+}
diff --git a/pkg/kube/inject/fuzz_test.go b/pkg/kube/inject/fuzz_test.go
@@ -0,0 +1,45 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package inject
+
+import (
+	"testing"
+
+	fuzz "github.com/AdaLogics/go-fuzz-headers"
+)
+
+func FuzzRunTemplate(f *testing.F) {
+	f.Fuzz(func(t *testing.T, data []byte, v string) {
+		ff := fuzz.NewConsumer(data)
+
+		// create injection parameters
+		IP := InjectionParameters{}
+		err := ff.GenerateStruct(&IP)
+		if err != nil {
+			return
+		}
+		if IP.pod == nil {
+			return
+		}
+		vc, err := NewValuesConfig(v)
+		if err != nil {
+			return
+		}
+		IP.valuesConfig = vc
+
+		// call RunTemplate()
+		_, _, _ = RunTemplate(IP)
+	})
+}
diff --git a/security/pkg/k8s/chiron/fuzz_test.go b/security/pkg/k8s/chiron/fuzz_test.go
@@ -0,0 +1,41 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package chiron
+
+import (
+	"os"
+	"testing"
+)
+
+func FuzzReadCACert(f *testing.F) {
+	f.Fuzz(func(t *testing.T, caCert []byte) {
+		// create ca file
+		caFile, err := os.Create("caFile")
+		if err != nil {
+			return
+		}
+		defer func() {
+			caFile.Close()
+			os.Remove("caFile")
+		}()
+		_, err = caFile.Write(caCert)
+		if err != nil {
+			return
+		}
+
+		// call readCACert()
+		_, _ = readCACert("caFile")
+	})
+}
diff --git a/security/pkg/pki/ca/fuzz_test.go b/security/pkg/pki/ca/fuzz_test.go
@@ -0,0 +1,53 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ca
+
+import (
+	"testing"
+	"time"
+
+	fuzz "github.com/AdaLogics/go-fuzz-headers"
+)
+
+func FuzzIstioCASign(f *testing.F) {
+	f.Fuzz(func(t *testing.T, data, csrPEM []byte) {
+		ff := fuzz.NewConsumer(data)
+		// create ca options
+		opts := &IstioCAOptions{}
+		err := ff.GenerateStruct(opts)
+		if err != nil {
+			return
+		}
+		ca, err := NewIstioCA(opts)
+		if err != nil {
+			return
+		}
+
+		// create cert options
+		certOpts := CertOpts{}
+		err = ff.GenerateStruct(&certOpts)
+		if err != nil {
+			return
+		}
+		TTL, err := time.ParseDuration("800ms")
+		if err != nil {
+			return
+		}
+		certOpts.TTL = TTL
+
+		// call target
+		ca.Sign(csrPEM, certOpts)
+	})
+}
diff --git a/security/pkg/pki/ra/fuzz_test.go b/security/pkg/pki/ra/fuzz_test.go
@@ -0,0 +1,45 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ra
+
+import (
+	"testing"
+
+	fuzz "github.com/AdaLogics/go-fuzz-headers"
+)
+
+func FuzzValidateCSR(f *testing.F) {
+	f.Fuzz(func(t *testing.T, csrPEM, subjectIDsData []byte) {
+		ff := fuzz.NewConsumer(subjectIDsData)
+
+		// create subjectIDs
+		subjectIDs := make([]string, 0)
+		noOfEntries, err := ff.GetUint64()
+		if err != nil {
+			return
+		}
+		var i uint64
+		for i = 0; i < noOfEntries; i++ {
+			newStr, err := ff.GetString()
+			if err != nil {
+				break
+			}
+			subjectIDs = append(subjectIDs, newStr)
+		}
+
+		// call ValidateCSR()
+		ValidateCSR(csrPEM, subjectIDs)
+	})
+}
diff --git a/security/pkg/server/ca/authenticate/fuzz_test.go b/security/pkg/server/ca/authenticate/fuzz_test.go
@@ -0,0 +1,25 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package authenticate
+
+import (
+	"testing"
+)
+
+func FuzzBuildSecurityCaller(f *testing.F) {
+	f.Fuzz(func(t *testing.T, s string) {
+		_, _ = buildSecurityCaller(s)
+	})
+}