Security initiative in December 2023: fuzzing Nodejs: https://github.com/google/oss-fuzz/tree/master/projects/nodejs

[Amir-Montazery]

Per discussion with the security wg at the 11/23/2023 wg meeting, an issue has been created to kick off and help track the fuzzing security initiative scheduled for December 2023. A general description of the work to be done can be found at: https://github.com/nodejs/security-wg/issues/1146.

We plan on working with David Korczynski (https://github.com/DavidKorczynski) on this initiative.

[AdamKorcz]

Hi all, we have started the fuzzing work for Node with the following three PRs:

1. https://github.com/nodejs/node/pull/51080
2. https://github.com/nodejs/node/pull/51088
3. https://github.com/nodejs/node/pull/51120

We plan to add more fuzz coverage of native code primarily for now. In addition, I have added myself to the contact list of Nodes OSS-Fuzz integration: https://github.com/google/oss-fuzz/blob/3c4e2c6724f7d6f090b085f1c28d937bdeaf3918/projects/nodejs/project.yaml#L10 so I can keep track of the feedback from the added fuzzers. We will add new fuzzers in the same manner as the three PRs above.

In addition, we are also looking at the fuzz coverage of Nodes core dependencies to assess which improvements we can make there.

[marco-ippolito]

Hi @AdamKorcz great job, where can we see the reports?

[AdamKorcz]

Hi @AdamKorcz great job, where can we see the reports?

All email addresses in this file have access to findings: https://github.com/google/oss-fuzz/blob/master/projects/nodejs/project.yaml

It will need to be an email address associated with a Google account.

[github-actions[bot]]

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.

[RafaelGSS]

@Amir-Montazery @AdamKorcz Could we have some update about the fuzzing progress?

[Amir-Montazery]

I can provide a quick update in the 2024-04-11 meeting and have also invited AdamKorcz to the next security-wg meeting.

[github-actions[bot]]

This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.

[Amir-Montazery]

Thank you for your patience everyone. I believe we have everything we need to close out the engagement with the updated report from Aug 28th. Shall I join the next meeting to finalize with the group? I believe there is a session scheduled for September 4th. Thank you in advance!