Add fuzz testing for query parser and token validator #150
Implements cargo-fuzz based fuzzing for security-critical components:
- Query parser (URL and path-based request parsing)
- Token validator (SSRF token validation and file:// handling)

Changes:
- Add fuzz/ directory with two fuzz targets
- Add GitHub Actions workflow to run fuzz tests on PRs (2 min per target)
- Expose internal types via lib.rs for fuzzing
- Add fuzz/README.md with usage instructions
- Update main README with fuzz testing section

The fuzz tests run automatically on every PR to catch parsing vulnerabilities, edge cases, and potential crashes before they reach production.
Codecov Report
✅ All modified and coverable lines are covered by tests.

@@           Coverage Diff           @@
##             main     #150   +/-   ##
=======================================
  Coverage   91.88%   91.88%
=======================================
  Files          14       14
  Lines        2404     2404
  Branches     2404     2404
=======================================
  Hits         2209     2209
  Misses        147      147
  Partials       48       48
|
| workflow_dispatch: | ||
|
|
||
| env: | ||
| CARGO_TERM_COLOR: always |
What's the intent behind this? Don't Actions runners have colors enabled by default?
The CARGO_TERM_COLOR: always setting forces Cargo to always output colored text, even when it detects it's not running in an interactive terminal. I don't think GitHub Actions runners have colors enabled by default. Without this setting, we'd see plain text output. With it, we get syntax-highlighted errors, warnings, and other Cargo messages that are easier to parse visually when reviewing CI logs.
| steps: | ||
| - uses: actions/checkout@v5 | ||
|
|
||
| - name: Install Rust nightly |
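Review bot: `actions/checkout@v5` on the `uses:` line is a mutable tag, so the code this workflow runs can change without a change to this file; pin it to a full commit SHA and keep the version in a trailing comment. The same applies to the `Install Rust nightly` step: if it installs the floating `nightly` channel, pin a dated nightly so a toolchain change cannot alter or break the fuzz run between PRs.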
Why are we doing this?
cargo-fuzz requires the nightly version of Rust. Let's also update other places where the agent is built to use nightly for consistency (different PR).
ThirdEyeSqueegee left a comment
Broadly LGTM. Posted an action item in a comment on fuzz.yml
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.