nodejs / security-wg

Node.js Ecosystem Security Working Group
MIT License
498 stars 121 forks source link

Security initiative in December 2023: fuzzing Nodejs: https://github.com/google/oss-fuzz/tree/master/projects/nodejs #1159

Open Amir-Montazery opened 11 months ago

Amir-Montazery commented 11 months ago

Per discussion with the security wg at the 11/23/2023 wg meeting, an issue has been created to kick off and help track the fuzzing security initiative scheduled for December 2023. A general description of the work to be done can be found at: https://github.com/nodejs/security-wg/issues/1146.

We plan on working with David Korczynski (https://github.com/DavidKorczynski) on this initiative.

AdamKorcz commented 10 months ago

Hi all, we have started the fuzzing work for Node with the following three PRs:

  1. https://github.com/nodejs/node/pull/51080
  2. https://github.com/nodejs/node/pull/51088
  3. https://github.com/nodejs/node/pull/51120

We plan to add more fuzz coverage of native code primarily for now. In addition, I have added myself to the contact list of Nodes OSS-Fuzz integration: https://github.com/google/oss-fuzz/blob/3c4e2c6724f7d6f090b085f1c28d937bdeaf3918/projects/nodejs/project.yaml#L10 so I can keep track of the feedback from the added fuzzers. We will add new fuzzers in the same manner as the three PRs above.

In addition, we are also looking at the fuzz coverage of Nodes core dependencies to assess which improvements we can make there.

marco-ippolito commented 10 months ago

Hi @AdamKorcz great job, where can we see the reports?

AdamKorcz commented 10 months ago

Hi @AdamKorcz great job, where can we see the reports?

All email addresses in this file have access to findings: https://github.com/google/oss-fuzz/blob/master/projects/nodejs/project.yaml

It will need to be an email address associated with a Google account.

github-actions[bot] commented 7 months ago

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.

RafaelGSS commented 7 months ago

@Amir-Montazery @AdamKorcz Could we have some update about the fuzzing progress?

Amir-Montazery commented 6 months ago

I can provide a quick update in the 2024-04-11 meeting and have also invited AdamKorcz to the next security-wg meeting.

github-actions[bot] commented 2 months ago

This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.

Amir-Montazery commented 2 months ago

Thank you for your patience everyone. I believe we have everything we need to close out the engagement with the updated report from Aug 28th. Shall I join the next meeting to finalize with the group? I believe there is a session scheduled for September 4th. Thank you in advance!