Fuzz #27
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Nightly cargo-fuzz run. | |
| # | |
| # Maps to: | |
| # - NIST SP 800-218 PW.8 (executable testing) | |
| # - NIST IR 8397 minimum-verification practice §9 (fuzzing) | |
| # - OWASP A05 (Injection) — fuzz the parser surface | |
| name: Fuzz | |
| on: | |
| schedule: | |
| - cron: '53 1 * * *' # nightly 01:53 UTC | |
| workflow_dispatch: | |
| inputs: | |
| target: | |
| description: 'fuzz target name' | |
| required: false | |
| default: '' | |
| duration_seconds: | |
| description: 'per-target fuzz duration' | |
| required: false | |
| default: '300' | |
| permissions: | |
| contents: read | |
| jobs: | |
| fuzz: | |
| name: cargo-fuzz | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| # `fuzz/Cargo.toml` is committed; per-target presence is enforced by | |
| # the matrix below + the `actions-rs/install` step probing the target | |
| # at runtime. | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| target: | |
| - fuzz_manifest_parse | |
| - fuzz_capability_parse | |
| - fuzz_ipc_frame | |
| - fuzz_path_canon | |
| - fuzz_url_allowlist | |
| steps: | |
| - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false | |
| - uses: dtolnay/rust-toolchain@nightly | |
| - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 | |
| - run: cargo install cargo-fuzz --locked | |
| - name: Run fuzz target | |
| # `${{...}}` context data is never interpolated directly into the | |
| # script — it's passed through `env:` and referenced as quoted shell | |
| # variables so untrusted input can't break out into the runner | |
| # (CWE-78 / semgrep run-shell-injection / zizmor template-injection). | |
| env: | |
| FUZZ_TARGET: ${{ matrix.target }} | |
| FUZZ_DURATION: ${{ inputs.duration_seconds || '300' }} | |
| run: | | |
| cd fuzz | |
| cargo +nightly fuzz run "$FUZZ_TARGET" -- -max_total_time="$FUZZ_DURATION" | |
| - uses: actions/upload-artifact@v4 | |
| if: failure() | |
| with: | |
| name: fuzz-crash-${{ matrix.target }} | |
| path: fuzz/artifacts/${{ matrix.target }}/ | |
| retention-days: 30 |