muesli
commented
1 year ago We actually do have some fuzz testing in https://github.com/charmbracelet/glamour/tree/master/testdata/fuzz. I think we should migrate to Go's own fuzzer however: https://go.dev/security/fuzz/
I'd be curious to hear about the bugs you've found locally!
First of all, thank you for this project, it's been a great help to me in the past.
I'd like to add glamour to the google/oss-fuzz project. OSS-fuzz is a free automated service for continuous fuzz testing. When a bug is found, you'll receive an email notification, with details about what caused a crash during fuzzing. I've put together a draft PR to integrate glamour.
All that I need to complete the PR at this point is an email address (associated with a google/gmail account) for a member of the glamour team. There are some docs about what is required here.
I've already found a couple of bugs in glamour using oss-fuzz locally! So hopefully this will help with the process of making glamour more reliable and secure.