OSS-Fuzz integration #2992
@fuzzy-boiii23a Thanks for asking! If you have the time and interest, that would be very valuable and I'd help support it. Maybe worth noting: the libxml2 library, which Nokogiri is built on, is already in the OSS-Fuzz program; though our libgumbo fork (which we use for HTML5 DOM parsing) is not. So it might be interesting to initially focus on the HTML5 functionality or on our fork of libgumbo specifically. What do you think about opening GitHub issues (rather than emailing) for anything that fuzzing finds? While I appreciate that what you find might be usable in a denial-of-service type attack, I don't want to have multiple backlogs of work if I can avoid it. Or I could turn on the "security reporting" feature for this repo and use that for reporting. Let me know what you think!
Hi all,
Just enquiring to see if there is interest with regards to integrating this project into OSS-Fuzz? This would allow continuous testing of this project in order to identify memory corruption vulnerabilities using Google's infrastructure with no monetary cost to this project. Google's OSS-Fuzz has identified 10,000 vulnerabilities and 36,000 bugs in 1000 open source projects as per https://google.github.io/oss-fuzz/#trophies. The process can be seen at https://google.github.io/oss-fuzz/architecture/ and I'm willing to integrate this project into OSS-Fuzz and write harnesses to test key functionalities of this project.
If this is something that everyone would like to see, could you please let me know and provide me with an email or two in order to receive new issues found via fuzzing? I'm also happy to support with writing patches for any issues found.