protobuf-go/internal/fuzz
Lasse Folger 3992ea83a2 all: implement depth limit for unmarshaling
+ This change introduce a default and configurable depth limit for
  proto.Unmarshal. If a message is nested deeper than the limit,
  unmarshaling will fail. There are two ways to nest messages. Either by
  having fields which are message types itself or by using groups.
+ The default limit is 10,000 for now. This might change in the future
  to align it with other language implementation (C++ and Java use 100
  as limit).
+ If pure groups (groups that don't contain message fields) are nested
  deeper than the default limit the unmarshaling fails with:
  proto: cannot parse invalid wire-format data
+ Note: the configured limit does not apply to pure groups.
+ This change is introduced to improve security and robustness. Because
  unmarshaling is implemented using recursion it can lead to stack overflows
  for certain inputs. The introduced limit protects against this.
+ A secondary motivation for this limit is the alignment with other
  languages. Protocol buffers are a language interoperability mechanism
  and thus either all implementations should accept the input or all
  implementation should reject the input.

Change-Id: I14bdb44d06e4bd1aa90d6336c2cf6446003b2037
Reviewed-on: https://go-review.googlesource.com/c/protobuf/+/385854
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Trust: Damien Neil <dneil@google.com>
Reviewed-by: Nicolas Hillegeer <aktau@google.com>
Reviewed-by: Chressie Himpel <chressie@google.com>
2022-02-17 17:07:31 +00:00
..
jsonfuzz internal/fuzztest: factor out common fuzzer tests 2019-12-20 22:08:10 +00:00
textfuzz internal/fuzztest: factor out common fuzzer tests 2019-12-20 22:08:10 +00:00
wirefuzz all: implement depth limit for unmarshaling 2022-02-17 17:07:31 +00:00
oss-fuzz-build.sh internal/fuzz: support coverage builds with oss-fuzz 2020-11-24 20:15:59 +00:00
README.md internal/fuzz: update to use native go-fuzz 2020-04-15 01:18:53 +00:00

Fuzzing

Fuzzing support using go-fuzz.

Basic operation:

$ go install github.com/dvyukov/go-fuzz/go-fuzz
$ go install github.com/mdempsky/go114-fuzz-build
$ cd internal/fuzz/{fuzzer}
$ go114-fuzz-build google.golang.org/protobuf/internal/fuzz/{fuzzer}
$ go-fuzz

OSS-Fuzz

Fuzzers are automatically run by OSS-Fuzz.

The OSS-Fuzz configuration currently builds fuzzers in every directory under internal/fuzz. Only add fuzzers (not support packages) in this directory.

Fuzzing results are available at the OSS-Fuzz console, under golang-protobuf.