Issue when running with go-fuzz #386

Open
jveiga opened this issue May 10, 2020 · 2 comments
Comments

@jveiga

jveiga commented May 10, 2020

Hi, I was learning how to use go-fuzz with a project and tested it with this project at commit dae41bde9ef91c12e78863f0299348612f2d6214.
When testing query.Parse I found that the program hung (timeout 10 seconds), similar to #4,
with input

query($"\344\334\234\344\334\344\234�d44\201"

PS: I also found 2 other issues, but they panic with Invalid UTF-8 encoding, which I assume is the correct behaviour.

I can try to look into debugging it with delve.

@pavelnikolov
Member

This is something that I've wanted to do for quite some time. Unit tests and PRs are more than welcome. Fuzzy testing is extremely important from a security point of view.

@jveiga
Author

jveiga commented May 17, 2020

From what I'm seeing in the Go ecosystem, there are two ways to fuzzy test, and they have a small overlap. One is to run fuzz unit tests with gofuzz, and the other is to run with go-fuzz (yes, naming...).

Gofuzz works by writing unit-test-like tests, similar to:

package query

import (
	"testing"

	fuzz "github.com/google/gofuzz"
	"github.com/stretchr/testify/require"
)

// TestFuzzQueryNonASCII feeds Parse random strings and fails on the first panic,
// reporting the offending input with %q so non-printable bytes stay readable.
func TestFuzzQueryNonASCII(t *testing.T) {
	t.Parallel()
	f := fuzz.New()
	var query string
	for i := 0; i < 100000; i++ {
		f.Fuzz(&query)
		require.NotPanics(t, func() {
			Parse(query)
		}, "panicked with input %q", query)
	}
}

For each `go test` call, it will call query.Parse with random inputs X times.
I would suggest keeping the crash inputs and creating a test harness to avoid regressions.

Now, go-fuzz requires some more work, as it requires packaging a callback function with some ceremony, like:

package query

// Fuzz is the go-fuzz entry point: it receives fuzzer-generated bytes and hands them to Parse.
// The return value is the priority hint go-fuzz uses; 0 means "nothing special about this input".
func Fuzz(data []byte) int {
	Parse(string(data))
	return 0
}

This also requires some thought as you can "direct" the fuzzer to test certain inputs.

There are also some SaaS offerings that fuzz and support open source projects (I assure you that I do not represent or work for any of these), like https://fuzzit.dev/ and https://fuzzbuzz.io/.

Now, I can create a PR with some gofuzz unit tests and a regression test with the mentioned query, and will also try to get a fix.
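The regression harness suggested in the thread, as an added example that is not part of the issue or of the graphql-go project: it replays saved fuzzer findings through a parser on every test run and classifies each result as ok, rejected, panicked or hung, so the hang class reported above is caught rather than silently timing out. `StandInParse`, the corpus names and the byte sequences other than the one quoted in the issue are constructed here; the real `query.Parse` would be passed in its place.

```go
package main

import (
	"errors"
	"fmt"
	"time"
	"unicode/utf8"
)

// Outcome classifies a single run of the parser under test.
type Outcome string

const (
	Passed   Outcome = "ok"    // parsed successfully
	Rejected Outcome = "error" // parser returned an error: acceptable for garbage input
	Panicked Outcome = "panic" // parser panicked: a bug worth a regression case
	Hung     Outcome = "hang"  // parser did not return before the deadline: the class in this issue
)

// IsBug reports whether an outcome should fail the regression test.
func IsBug(o Outcome) bool { return o == Panicked || o == Hung }

// CrashInput is one saved fuzzer finding kept in the repository so it is replayed on every `go test`.
type CrashInput struct {
	Name  string
	Input []byte
}

// RegressionInputs is a constructed corpus. The first entry is the byte sequence quoted in this
// issue (the `�` shown on the page is written as U+FFFD); the other two are constructed edge cases.
var RegressionInputs = []CrashInput{
	{"issue-386-hang", []byte("query($\"\344\334\234\344\334\344\234\uFFFDd44\201\"")},
	{"empty-input", []byte("")},
	{"truncated-utf8", []byte("query { field \xe4")},
}

// RunWithDeadline runs parse on one input in its own goroutine, turning a panic into Panicked
// and a missing result into Hung once the deadline passes. A hung goroutine is deliberately
// abandoned: the test process reports the failure and exits. go-fuzz uses a 10 second hang
// threshold; tests here use a much shorter deadline.
func RunWithDeadline(parse func(string) error, input []byte, deadline time.Duration) (Outcome, error) {
	type result struct {
		out Outcome
		err error
	}
	ch := make(chan result, 1)
	go func() {
		defer func() {
			if r := recover(); r != nil {
				ch <- result{Panicked, fmt.Errorf("panic: %v", r)}
			}
		}()
		if err := parse(string(input)); err != nil {
			ch <- result{Rejected, err}
			return
		}
		ch <- result{Passed, nil}
	}()
	select {
	case r := <-ch:
		return r.out, r.err
	case <-time.After(deadline):
		return Hung, errors.New("deadline exceeded")
	}
}

// CheckRegressions replays every saved input and returns the names of those that hit a bug.
func CheckRegressions(parse func(string) error, corpus []CrashInput, deadline time.Duration) []string {
	var failed []string
	for _, c := range corpus {
		if out, _ := RunWithDeadline(parse, c.Input, deadline); IsBug(out) {
			failed = append(failed, c.Name+": "+string(out))
		}
	}
	return failed
}

// StandInParse is a constructed placeholder for the real query.Parse so the harness runs offline.
// It rejects invalid UTF-8 with an error, which the issue treats as acceptable behaviour.
func StandInParse(src string) error {
	if !utf8.ValidString(src) {
		return errors.New("invalid UTF-8 encoding")
	}
	return nil
}

func main() {
	for _, c := range RegressionInputs {
		out, err := RunWithDeadline(StandInParse, c.Input, 2*time.Second)
		fmt.Printf("%-16s %-6s %v\n", c.Name, out, err)
	}
	if failed := CheckRegressions(StandInParse, RegressionInputs, 2*time.Second); len(failed) > 0 {
		fmt.Println("regressions:", failed)
	}
}
```

Each saved finding gets a name so a failure names the file to bisect with, and an error return is kept separate from a panic so a hardened parser that starts rejecting garbage cleanly stops failing the test without anyone editing the corpus.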
