Skip to content

Fuzz

Fuzz #27

Workflow file for this run

# Nightly cargo-fuzz run.
#
# Maps to:
# - NIST SP 800-218 PW.8 (executable testing)
# - NIST IR 8397 minimum-verification practice §9 (fuzzing)
# - OWASP A05 (Injection) — fuzz the parser surface
name: Fuzz
on:
schedule:
- cron: '53 1 * * *' # nightly 01:53 UTC
workflow_dispatch:
inputs:
target:
description: 'fuzz target name'
required: false
default: ''
duration_seconds:
description: 'per-target fuzz duration'
required: false
default: '300'
permissions:
contents: read
jobs:
fuzz:
name: cargo-fuzz
runs-on: ubuntu-latest
permissions:
contents: read
# `fuzz/Cargo.toml` is committed; per-target presence is enforced by
# the matrix below + the `actions-rs/install` step probing the target
# at runtime.
strategy:
fail-fast: false
matrix:
target:
- fuzz_manifest_parse
- fuzz_capability_parse
- fuzz_ipc_frame
- fuzz_path_canon
- fuzz_url_allowlist
steps:
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
with:
egress-policy: audit
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: dtolnay/rust-toolchain@nightly
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
- run: cargo install cargo-fuzz --locked
- name: Run fuzz target
# `${{...}}` context data is never interpolated directly into the
# script — it's passed through `env:` and referenced as quoted shell
# variables so untrusted input can't break out into the runner
# (CWE-78 / semgrep run-shell-injection / zizmor template-injection).
env:
FUZZ_TARGET: ${{ matrix.target }}
FUZZ_DURATION: ${{ inputs.duration_seconds || '300' }}
run: |
cd fuzz
cargo +nightly fuzz run "$FUZZ_TARGET" -- -max_total_time="$FUZZ_DURATION"
- uses: actions/upload-artifact@v4
if: failure()
with:
name: fuzz-crash-${{ matrix.target }}
path: fuzz/artifacts/${{ matrix.target }}/
retention-days: 30