Fuzz Testing #34
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
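# SPDX-License-Identifier: PMPL-1.0-or-later
# Fuzz testing for BoJ Server FFI layer
# Addresses OpenSSF Scorecard "Fuzzing" check
#
# Security notes:
#   * The workflow token is read-only (contents: read) at workflow and job level.
#   * Third-party actions are pinned to full commit SHAs, not mutable tags.
#   * Fuzz steps keep stderr visible and propagate the fuzzer's exit status.
#     Discarding both (2>/dev/null || true) would make every run report success,
#     including runs in which the target crashed.
name: Fuzz Testing

on:
  push:
    branches: [main]
    paths:
      - 'ffi/**'
      - 'cartridges/**/ffi/**'
      - 'mcp-bridge/**'
  schedule:
    - cron: '0 3 * * 3' # Weekly on Wednesday
  workflow_dispatch:

permissions:
  contents: read

jobs:
  fuzz-zig:
    name: Zig FFI Fuzz Tests
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install Zig
        uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
        with:
          version: 0.15.2
      - name: Run core FFI fuzz tests
        run: |
          cd ffi/zig
          # Run fuzz tests with a time limit (CI-friendly).
          # Exit status 124 means the outer `timeout` fired, which is an
          # expected way for a time-boxed run to end; any other non-zero
          # status is reported as a step failure.
          status=0
          timeout 300 zig build fuzz -- --max_total_time=240 || status=$?
          if [ "$status" -eq 124 ]; then
            echo "Core FFI fuzz run stopped by the outer time limit"
          elif [ "$status" -ne 0 ]; then
            echo "::error::zig build fuzz exited with status $status"
            exit "$status"
          fi
        # Best-effort: a failing fuzz step is flagged on the run but does not
        # stop the remaining steps of the job.
        continue-on-error: true
      - name: Run cartridge name validation fuzz
        run: |
          cd ffi/zig
          # Fuzz the cartridge catalogue lookup (same status handling as above).
          status=0
          timeout 120 zig build fuzz-catalogue -- --max_total_time=60 || status=$?
          if [ "$status" -eq 124 ]; then
            echo "Catalogue fuzz run stopped by the outer time limit"
          elif [ "$status" -ne 0 ]; then
            echo "::error::zig build fuzz-catalogue exited with status $status"
            exit "$status"
          fi
        continue-on-error: true

  fuzz-mcp-bridge:
    name: MCP Bridge Input Fuzz
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Fuzz JSON-RPC message parsing
        run: |
          cd mcp-bridge
          # NOTE(review): only the first payload below is random; the other two
          # are fixed strings repeated on every iteration. This is a robustness
          # smoke test of the bridge's input handling, not coverage-guided
          # fuzzing.
          crashes=0
          hangs=0
          errors=0

          # Send one message to the bridge on stdin and classify how it exited:
          #   >128  killed by a signal (e.g. SIGSEGV, SIGABRT): counted as a crash
          #   124   still running when `timeout 2` fired: counted as a hang
          #   other non-zero: the bridge exited with an error; whether that is a
          #         clean rejection or an unhandled exception has to be read
          #         from the log, so stderr is left visible.
          feed() {
            status=0
            printf '%s\n' "$1" | timeout 2 node main.js || status=$?
            if [ "$status" -gt 128 ]; then
              crashes=$((crashes + 1))
              echo "::error::bridge terminated by signal (exit status $status)"
            elif [ "$status" -eq 124 ]; then
              hangs=$((hangs + 1))
            elif [ "$status" -ne 0 ]; then
              errors=$((errors + 1))
            fi
          }

          for i in $(seq 1 100); do
            # Malformed JSON: coreutils base64 wraps its output at 76 columns by
            # default, so the encoded 64 random bytes carry a raw newline
            # inside the JSON string.
            feed '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"'"$(head -c 64 /dev/urandom | base64)"'"}}'
            # Path traversal attempts: the bridge is expected to reject a
            # cartridge name that contains path separators.
            feed '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"boj_cartridge_info","arguments":{"name":"../../../etc/passwd"}}}'
            # Oversized input
            feed '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"boj_cartridge_invoke","arguments":{"name":"'$(python3 -c "print('A'*10000)")'"}}}'
          done

          echo "Bridge runs: $hangs timed out, $errors exited non-zero, $crashes killed by a signal"
          if [ "$crashes" -gt 0 ]; then
            exit 1
          fi
          echo "Fuzz testing complete — no crashes detected"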