Fuzzing candidates

[mschwager]

• https://github.com/msgpack/msgpack-ruby
• https://github.com/flori/json
• https://github.com/ruby/psych (YAML)
• https://github.com/cabo/cbor-ruby
• https://github.com/mongodb/bson-ruby
• https://github.com/ruby/date
• https://github.com/ruby/zlib

EDIT: more:

• https://github.com/puma/puma/tree/master/ext/puma_http11
• https://github.com/k0kubun/hamlit
• https://github.com/jgarber/redcloth
• https://github.com/ruby/strscan
• https://github.com/ruby/etc
• https://github.com/ruby/openssl/blob/master/ext/openssl/ossl_asn1.c
• https://github.com/ruby/openssl/blob/master/ext/openssl/ossl_config.c
• https://github.com/kgiszczak/tomlib
• https://github.com/jm/toml
• https://github.com/emancu/toml-rb
• https://github.com/fluent/fluentd
• https://github.com/slim-template/slim
• https://github.com/ruby/rbs
• https://github.com/protocolbuffers/protobuf/tree/main/ruby

[mschwager]

It looks like json, psych, and date are already fuzzed here: https://github.com/google/oss-fuzz/tree/master/projects/ruby.

zlib could be interesting, although that extension appears to be a direct copy of the ubiquitous Zlib C library, so it's probably already been fuzzed extensively.

[woodruffw]

nokogiri (especially the SAX parser) is also worth fuzzing, they have a long track record of NPEs and other memory violations: https://www.cvedetails.com/vulnerability-list/vendor_id-20514/product_id-59208/Nokogiri-Nokogiri.html

Edit: Fuzzed here: https://github.com/google/oss-fuzz/tree/master/projects/nokogiri

[mschwager]

nokogiri (especially the SAX parser) is also worth fuzzing, they have a long track record of NPEs and other memory violations: https://www.cvedetails.com/vulnerability-list/vendor_id-20514/product_id-59208/Nokogiri-Nokogiri.html

Edit: Fuzzed here: https://github.com/google/oss-fuzz/tree/master/projects/nokogiri

Good call, looks like they're only doing UBSAN though? https://github.com/google/oss-fuzz/blob/master/projects/nokogiri/project.yaml#L9-L10

[woodruffw]

Yeah, interesting choice 🤔

[woodruffw]

The ffi gem might also be worth fuzzing: https://github.com/ffi/ffi

[mschwager]

Here's a useful GH query for finding repositories with a extconf.rb file (indicates a Ruby C extension): https://github.com/search?q=lang%3Aruby+path%3Aextconf.rb+NOT+is%3Aarchived&type=code.

[mschwager]

Ruby C code that accepts Marshal'ed data:

• https://github.com/search?q=repo%3Aruby%2Fruby+marshal_load+language%3AC&type=code&l=C
• https://github.com/ruby/ruby/blob/53e37953791921b42c3d409b23c488861094f714/time.c#L5846-L5848

Ruby RubyVM::InstructionSequence binary functionality:

• https://ruby-doc.org/3.3.4/RubyVM/InstructionSequence.html#method-c-load_from_binary

[mschwager]

OSS-Fuzz was doing some non-Ruzzy Ruby fuzzing, but that's since been removed: google/oss-fuzz#12715. Here were the stdlibs being fuzzed:

static void init_date_strptime(struct TargetFunction *target) {
  static const enum RubyDataType argTypes[2] = {RDT_CString, RDT_CString};
  init_TargetFunction(target, "date", "Date", "strptime", ARRAYSIZE(argTypes),
                      argTypes);
}

static void init_date_httpdate(struct TargetFunction *target) {
  static const enum RubyDataType argTypes[1] = {RDT_CString};
  init_TargetFunction(target, "date", "Date", "httpdate", ARRAYSIZE(argTypes),
                      argTypes);
}

static void init_date_parse(struct TargetFunction *target) {
  static const enum RubyDataType argTypes[1] = {RDT_CString};
  init_TargetFunction(target, "date", "Date", "parse", ARRAYSIZE(argTypes),
                      argTypes);
}

static void init_regexp_new(struct TargetFunction *target) {
  static const enum RubyDataType argTypes[1] = {RDT_CString};
  init_TargetFunction(target, "regexp", "Regexp", "new",
                      ARRAYSIZE(argTypes), argTypes);
}

static void init_json_parse(struct TargetFunction *target) {
  static const enum RubyDataType argTypes[1] = {RDT_CString};
  init_TargetFunction(target, "json", "JSON", "parse", ARRAYSIZE(argTypes),
                      argTypes);
}

static void init_psych_parse(struct TargetFunction *target) {
  static const enum RubyDataType argTypes[1] = {RDT_CString};
  init_TargetFunction(target, "psych", "Psych", "parse", ARRAYSIZE(argTypes),
                      argTypes);
}

static void init_openssl_read(struct TargetFunction *target) {
  static const enum RubyDataType argTypes[1] = {RDT_CString};
  init_TargetFunction(target, "openssl", "OpenSSL::PKey", "read",
                      ARRAYSIZE(argTypes), argTypes);
}

static void init_openssl_read_smime(struct TargetFunction *target) {
  static const enum RubyDataType argTypes[1] = {RDT_CString};
  init_TargetFunction(target, "openssl", "OpenSSL::PKCS7", "read_smime",
                      ARRAYSIZE(argTypes), argTypes);
}

static void init_openssl_sprintf(struct TargetFunction *target) {
  static const enum RubyDataType argTypes[2] = {RDT_CString, RDT_CString};
  init_TargetFunction(target, "openssl", "Kernel", "sprintf",
                      ARRAYSIZE(argTypes), argTypes);
}

static void init_CGI_unescapeHTML(struct TargetFunction *target) {
  static const enum RubyDataType argTypes[1] = {RDT_CString};
  init_TargetFunction(target, "cgi", "CGI", "unescapeHTML", ARRAYSIZE(argTypes),
                      argTypes);
}

We could pick up where it left off.