Open niklasmohrin opened 2 years ago
For whoever cares: I have atheris set up as a management command on https://github.com/He3lixxx/EvaP/tree/fuzzing, based on the following ideas:
It reaches around 40% to 45% coverage without any special input, testing around 20 requests per second.
One limit it reaches is that many views begin similarly to this:
```python
from django.shortcuts import get_object_or_404

def my_view(request, some_instance_id: int):
    instance = get_object_or_404(SomeModel, id=some_instance_id)
```
and since the IDs that would work here are only known to the database, the fuzzer struggles in providing IDs that don't result in 404s.
Currently considering two approaches for that:
semester/X/course/Y/evaluation/Z
and only the correct combination will work. With dictionaries, we'd still have a way-too-high count of options.
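Added illustration, not part of the original comment or of EvaP's code: a small offline simulation of the 404 problem described above for a nested path like `semester/X/course/Y/evaluation/Z`. `VALID`, `resolves` and the three decoders are hypothetical names with constructed data; the third decoder (picking a whole existing combination) is an assumption of this example, not necessarily one of the approaches the comment refers to.

```python
import random

# Constructed sample data: the only (semester, course, evaluation) ID
# combinations that exist in a hypothetical test database.
VALID = [(1, 10, 100), (1, 11, 101), (2, 20, 200), (2, 21, 201), (3, 30, 300)]
VALID_SET = set(VALID)


def resolves(path: str) -> bool:
    """Stand-in for the chained get_object_or_404 calls: True means no 404."""
    parts = path.split("/")
    return (int(parts[1]), int(parts[3]), int(parts[5])) in VALID_SET


def make_path(ids) -> str:
    return "semester/{}/course/{}/evaluation/{}".format(*ids)


def raw_ids(data: bytes):
    """Naive decoding: every pair of fuzz bytes becomes one ID."""
    data = data.ljust(6, b"\0")
    return tuple(int.from_bytes(data[i:i + 2], "big") for i in (0, 2, 4))


def dictionary_ids(data: bytes):
    """Dictionary-style: each byte picks one known ID per component."""
    data = data.ljust(3, b"\0")
    columns = [sorted({t[i] for t in VALID}) for i in range(3)]
    return tuple(col[b % len(col)] for col, b in zip(columns, data))


def tuple_ids(data: bytes):
    """One byte picks a whole combination that is known to exist."""
    return VALID[data.ljust(1, b"\0")[0] % len(VALID)]


def hit_rate(decoder, runs: int = 2000, seed: int = 0) -> float:
    """Fraction of pseudo-random 6-byte inputs whose path does not 404."""
    rng = random.Random(seed)
    inputs = (bytes(rng.getrandbits(8) for _ in range(6)) for _ in range(runs))
    return sum(resolves(make_path(decoder(d))) for d in inputs) / runs
```

With this sample data the per-component dictionary still spans 3 × 5 × 5 = 75 combinations of which only 5 exist, which is the "way-too-high count of options" effect on a small scale.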
Some components of EvaP could benefit from fuzzing. The particular components that triggered this thought are the Excel importers that sometimes suffer from errors like #1711.
The fuzzer used should be coverage-guided. It should find programming mistakes such as #1711 in little time and not be too hard to integrate into the development (and CI?) setup.
A fuzzer that looks promising at first sight is pythonfuzz, but we are not fixed on any choice. A result of this issue could also be the investigation that no satisfying library exists at all.