[Security] Implement fuzzing for tar parsing and patching #87

@djach7

Description

Issue

OpenSSF Scorecard identified that the project does not implement fuzzing, scoring 0/10.

Risk Level

Medium - Fuzzing helps discover edge cases, crashes, and potential security vulnerabilities in parsing logic before they reach production.

Current State

  • No fuzzing tests implemented
  • Tar parsing and patching logic not fuzz-tested
  • Missing automated vulnerability discovery for malformed inputs

Recommendation

Implement fuzzing for critical attack surfaces:

Priority Areas for Fuzzing:

  1. Tar file parsing - Test with malformed/malicious tar archives
  2. Diff generation - Fuzz tar-diff logic with edge cases
  3. Patch application - Test tar-patch with corrupted tardiff files
  4. Multi-file scenarios - Fuzz overlapping/conflicting tar entries

Implementation Options:

Option 1: Go Native Fuzzing (Recommended)
Go 1.18+ includes built-in fuzzing support:

import (
    "bytes"
    "testing"
)

// FuzzTarParser feeds arbitrary bytes to the parser; the fuzzer records any panic
// or hang as a failing input. ParseTar stands for the project's tar-parsing entry point.
func FuzzTarParser(f *testing.F) {
    f.Fuzz(func(t *testing.T, data []byte) {
        // Test tar parsing with arbitrary input
        ParseTar(bytes.NewReader(data))
    })
}

Option 2: OSS-Fuzz Integration

  • Submit project to OSS-Fuzz
  • Provides continuous fuzzing infrastructure
  • Automatic bug reporting and regression testing
  • Free for open-source projects

Benefits:

  • Discover crashes and panics before users do
  • Find edge cases that manual testing misses
  • Improve robustness against malicious inputs
  • Continuous security testing

Steps to Implement

  1. Add fuzz tests to pkg/tar-diff and pkg/tar-patch
  2. Create corpus of valid tar files for seed inputs
  3. Run fuzz tests locally: go test -fuzz=. -fuzztime=10m
  4. (Optional) Apply to OSS-Fuzz for continuous fuzzing
  5. Add fuzzing to CI pipeline

Example Fuzz Targets

  • FuzzTarDiff - Test diff generation with random tar inputs
  • FuzzTarPatch - Test patch application with corrupted tardiff files
  • FuzzMultiLayerTar - Test multi-file scenarios with overlapping entries

References

Related

Part of OpenSSF Scorecard evaluation THEEDGE-4717 (overall score: 6.8/10)
