From 9c0c81cba077a75dcdc137f735e4721cd0ad7538 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Mon, 19 Aug 2024 04:25:28 +0100 Subject: [PATCH] fuzzing: add fuzzers for multiple packages (#3834) Signed-off-by: Adam Korczynski --- pkg/cosign/attestation/fuzz_test.go | 56 +++++++++++++ pkg/cosign/cue/fuzz_test.go | 26 ++++++ pkg/cosign/fuzz_test.go | 123 ++++++++++++++++++++++++++++ pkg/cosign/rego/fuzz_test.go | 26 ++++++ pkg/policy/fuzz_test.go | 30 +++++++ 5 files changed, 261 insertions(+) create mode 100644 pkg/cosign/attestation/fuzz_test.go create mode 100644 pkg/cosign/cue/fuzz_test.go create mode 100644 pkg/cosign/fuzz_test.go create mode 100644 pkg/cosign/rego/fuzz_test.go create mode 100644 pkg/policy/fuzz_test.go diff --git a/pkg/cosign/attestation/fuzz_test.go b/pkg/cosign/attestation/fuzz_test.go new file mode 100644 index 00000000000..70bf517de78 --- /dev/null +++ b/pkg/cosign/attestation/fuzz_test.go @@ -0,0 +1,56 @@ +// +// Copyright 2024 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package attestation + +import ( + "bytes" + "testing" +) + +func FuzzGenerateStatement(f *testing.F) { + f.Fuzz(func(_ *testing.T, predicate []byte, digest, repo string, stmttType int) { + var statementType string + switch stmttType % 9 { + case 0: + statementType = "slsaprovenance" + case 1: + statementType = "slsaprovenance02" + case 2: + statementType = "slsaprovenance1" + case 3: + statementType = "spdx" + case 4: + statementType = "spdxjson" + case 5: + statementType = "cyclonedx" + case 6: + statementType = "link" + case 7: + statementType = "vuln" + case 8: + statementType = "openvex" + default: + statementType = "" + } + opts := GenerateOpts{ + Predicate: bytes.NewReader(predicate), + Type: statementType, + Digest: digest, + Repo: repo, + } + GenerateStatement(opts) + }) +} diff --git a/pkg/cosign/cue/fuzz_test.go b/pkg/cosign/cue/fuzz_test.go new file mode 100644 index 00000000000..1adeb1244f7 --- /dev/null +++ b/pkg/cosign/cue/fuzz_test.go @@ -0,0 +1,26 @@ +// +// Copyright 2024 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package cue + +import ( + "testing" +) + +func FuzzValidateJSON(f *testing.F) { + f.Fuzz(func(_ *testing.T, jsonBody []byte, entrypoint string) { + ValidateJSON(jsonBody, []string{entrypoint}) + }) +} diff --git a/pkg/cosign/fuzz_test.go b/pkg/cosign/fuzz_test.go new file mode 100644 index 00000000000..db56ab11e1f --- /dev/null +++ b/pkg/cosign/fuzz_test.go @@ -0,0 +1,123 @@ +// +// Copyright 2024 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package cosign + +import ( + "context" + "os" + "path/filepath" + "testing" + + "github.com/google/go-containerregistry/pkg/name" + v1 "github.com/google/go-containerregistry/pkg/v1" + + "github.com/sigstore/cosign/v2/pkg/oci/mutate" +) + +var ( + defaultFuzzRef = "fuzz/test" +) + +func fuzzPass(s string) PassFunc { + return func(_ bool) ([]byte, error) { + return []byte(s), nil + } +} + +func FuzzImportKeyPairLoadPrivateKey(f *testing.F) { + f.Add([]byte(validrsa), []byte("password")) + f.Add([]byte(validrsapkcs1), []byte("password")) + f.Add([]byte(validrsapkcs8), []byte("password")) + f.Add([]byte(validecp256), []byte("password")) + f.Add([]byte(validecp384), []byte("password")) + f.Add([]byte(validecp521), []byte("password")) + f.Add([]byte(validecpkcs8), []byte("password")) + f.Add([]byte(ed25519key), []byte("password")) + f.Add([]byte(pemcosignkey), []byte("password")) + f.Add([]byte(pemcosigneckey), []byte("password")) + f.Add([]byte(pemsigstorekey), []byte("password")) + f.Fuzz(func(t *testing.T, pemData, password []byte) { + path := t.TempDir() + keyFilePath := filepath.Join(path, "fuzzKey") + err := os.WriteFile(keyFilePath, pemData, 0x755) + if err != nil { + return + } + keyBytes, err := ImportKeyPair(keyFilePath, fuzzPass(string(password))) + if err != nil { + return + } + // Loading the private key should also work. + _, err = LoadPrivateKey(keyBytes.PrivateBytes, password) + if err != nil { + t.Fatal(err) + } + }) +} + +func FuzzSigVerify(f *testing.F) { + f.Fuzz(func(t *testing.T, sigData, payloadData []byte, verificationTest int) { + path := t.TempDir() + sigPath := filepath.Join(path, "sigFile") + err := os.WriteFile(sigPath, sigData, 0x755) + if err != nil { + return + } + payloadPath := filepath.Join(path, "payloadFile") + err = os.WriteFile(payloadPath, payloadData, 0x755) + if err != nil { + return + } + ref, err := name.ParseReference(defaultFuzzRef) + if err != nil { + panic(err) + } + sigs, err := loadSignatureFromFile(context.Background(), sigPath, ref, &CheckOpts{PayloadRef: payloadPath}) + if err != nil { + return + } + switch verificationTest % 5 { + case 0: + VerifyImageAttestation(context.Background(), sigs, v1.Hash{}, &CheckOpts{IgnoreTlog: true}) + case 1: + verifySignatures(context.Background(), sigs, v1.Hash{}, &CheckOpts{IgnoreTlog: true}) + case 2: + sl, err := sigs.Get() + if err != nil { + t.Fatal(err) + } + for _, sig := range sl { + VerifyBlobSignature(context.Background(), sig, &CheckOpts{IgnoreTlog: true}) + } + case 3: + sl, err := sigs.Get() + if err != nil { + t.Fatal(err) + } + for _, sig := range sl { + VerifyImageSignature(context.Background(), sig, v1.Hash{}, &CheckOpts{IgnoreTlog: true}) + } + case 4: + sl, err := sigs.Get() + if err != nil { + t.Fatal(err) + } + for _, sig := range sl { + mutate.Signature(sig) + } + } + }) +} diff --git a/pkg/cosign/rego/fuzz_test.go b/pkg/cosign/rego/fuzz_test.go new file mode 100644 index 00000000000..4075c638db7 --- /dev/null +++ b/pkg/cosign/rego/fuzz_test.go @@ -0,0 +1,26 @@ +// +// Copyright 2024 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package rego + +import ( + "testing" +) + +func FuzzValidateJSON(f *testing.F) { + f.Fuzz(func(_ *testing.T, jsonBody []byte, entrypoint string) { + ValidateJSON(jsonBody, []string{entrypoint}) + }) +} diff --git a/pkg/policy/fuzz_test.go b/pkg/policy/fuzz_test.go new file mode 100644 index 00000000000..d50fdc2c444 --- /dev/null +++ b/pkg/policy/fuzz_test.go @@ -0,0 +1,30 @@ +// +// Copyright 2024 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package policy + +import ( + "context" + "testing" +) + +var policyTypes = []string{"cue", "rego"} + +func FuzzEvaluatePolicyAgainstJSON(f *testing.F) { + f.Fuzz(func(_ *testing.T, name, policyBody string, jsonBytes []byte, policyType uint8) { + choosePolicyType := policyTypes[int(policyType)%len(policyTypes)] + EvaluatePolicyAgainstJSON(context.Background(), name, choosePolicyType, policyBody, jsonBytes) + }) +}