Closed jaraco closed 8 years ago
I can see addressing this issue in a couple of different ways:
Run the fuzzer against the library, identify failure modes, file bugs, write tests, and fix the bugs.
We could integrate the fuzzing into the test suite such that tests are repeatedly run against random inputs (and could fail at some point in the future).
Some other things to consider:
Overall, I feel like the value of this fuzzing is minimal, as it will under most circumstances only find bugs that will never be encountered. On the other hand, it might expose security vulnerabilities, which should be addressed. In the example above, I believe the behavior of the library is reasonable (raising a traceback when invalid arguments are passed on the command line) and not worth fixing.
Given these considerations, feel free to respond or put together a pull request if you believe the value justifies the effort.
Original comment by: Jason R. Coombs
There's nothing to fix here, though I welcome specific reports or pull requests to improve the robustness of the library.
Original comment by: Jason R. Coombs
ircfuzz is a nice little program written by Ilja van Sprundel, available here.
Basically, it throws (mostly) random data at a given client connection, and sees what breaks under load. This is useful if, for instance, somebody wants to shut your connection down and does this, crashing whatever process is running, or if a server legitimately (accidentally) sends you crap for whatever reason.
I'm wondering whether jaraco would be interested in me running through, fuzzing the hay out of this library, and tryna fix/point out whatever issues come up?
First off, here's one that crashed on my machine: