Fuzzing RequestFromRekor API

[naveensrinivasan]

Summary

The first steps into fuzzing rekor.
Fuzzing the RequestFromRekor API call using go-fuzz is the standard for fuzzing within go. Until go 1.18 is out and until when it is upgraded this could be a good start IMO.

The goal is to integrate this into oss-fuzz using libfuzzer https://google.github.io/oss-fuzz/getting-started/new-project-guide/go-lang/ cc @inferno-chromium

 Fuzzing API RequestFromRekor 

The PR isn't done, I wanted to get some feedback.

[naveensrinivasan]

@bobcallaway @dlorenc

[naveensrinivasan]

Now that I think of it we can probably run it as part of the CI as Fuzzlite https://security.googleblog.com/2021/11/clusterfuzzlite-continuous-fuzzing-for.html

[naveensrinivasan]

An immediate crash within 0s after running the fuzz

➜  rekor git:(naveen/feat/fuzz) go-fuzz -bin=fuzz-fuzz.zip
2021/11/12 21:49:52 workers: 4, corpus: 10 (0s ago), crashers: 1, restarts: 1/0, execs: 0 (0/sec), cover: 0, uptime: 3s
2021/11/12 21:49:55 workers: 4, corpus: 14 (1s ago), crashers: 1, restarts: 1/0, execs: 0 (0/sec), cover: 150, uptime: 6s

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x58 pc=0x105f8b1]

goroutine 1 [running]:
github.com/sigstore/rekor/pkg/api.RequestFromRekor(0x13e90e8, 0xc00003e208, 0x30, 0xc0001d0040, 0x1, 0x1, 0x30, 0x30, 0x0, 0x1a95b58, ...)
	/home/sammy/go/src/github.com/naveensrinivasan/rekor/pkg/api/timestamp.go:35 +0x51
github.com/sigstore/rekor/tests/fuzz.FuzzTimeStamp(0x7fa2b1bdc000, 0xb, 0xb, 0x3)
	/home/sammy/go/src/github.com/naveensrinivasan/rekor/tests/fuzz/timestamp_fuzzer.go:38 +0x1f8
go-fuzz-dep.Main(0xc0006bff70, 0x1, 0x1)
	go-fuzz-dep/main.go:36 +0x1b8
main.main()
	github.com/sigstore/rekor/tests/fuzz/go.fuzz.main/main.go:15 +0x52

goroutine 6 [select]:
go.opencensus.io/stats/view.(*worker).start(0xc000240500)
	/home/sammy/go/pkg/mod/go.opencensus.io@v0.23.0/stats/view/worker.go:276 +0xfd
created by go.opencensus.io/stats/view.init.0
	/home/sammy/go/pkg/mod/go.opencensus.io@v0.23.0/stats/view/worker.go:34 +0x68

goroutine 35 [chan receive]:
github.com/golang/glog.(*loggingT).flushDaemon(0x1a66f00)
	/home/sammy/go/pkg/mod/github.com/golang/glog@v0.0.0-20210429001901-424d2337a529/glog.go:882 +0xbd
created by github.com/golang/glog.init.0
	/home/sammy/go/pkg/mod/github.com/golang/glog@v0.0.0-20210429001901-424d2337a529/glog.go:410 +0x2ad
exit status 2%

[bobcallaway]

Can we put go-fuzz-build into hack/tools as we did with swagger?

[naveensrinivasan]

Can we put go-fuzz-build into hack/tools as we did with swagger?

Thanks, Didn't see that. It would help to have it in the CONTRIBUTING.md. I have changed it to use the tools directory. It should be good now.

[naveensrinivasan]

@bobcallaway A friendly ping.