Fuzz jq before releasing jq 1.7

[nicowilliams]

Procedure:

• install AFL (American Fuzzy Lop)
• build with AFL
  • ./configure CC=afl-gcc (or afl-clang)
  • AFL_HARDEN=1 make
• optionally add a bunch of JSON files to tests/torture/, such as those from https://github.com/dvyukov/go-fuzz-corpus/tree/master/json/corpus
• mkdir ${objdir}/f then afl-fuzz -i ${srcdir}/tests/torture -o ${objdir}/f ${objdir}/jq ., where $srcdir is the directory with jq sources and $objdir is where jq was built
  Out-of-tree builds are supported, after all, e.g., git clone https://github.com/jqlang/jq && cd jq && srcdir=$(pwd) && mkdir build && autoreconf -fi && cd build && ../configure --srcdir="$srcdir" ... && ..., where srcdir is obvious and objdir is ${srcdir}/build.
• let it run for a while -- days, a week even
• inspect results -- we're looking for uniq crashes : 0 and uniq hangs : 0 in the AFL UI
  • if we have any crashes or hangs, inspect the inputs that caused them, root cause, and report a security vulnerability (attaching/including all the inputs that caused those crashes/hangs)

The AFL UI looks like:

(this one has just started, as anyone can see).

[nicowilliams]

@itchyny @emanuele6 @pkoppstein @owenthereal @leonid-s-usov @wtlangford @dtolnay et. al., if you could, please do this yourselves. I'll be running AFL myself starting at the current HEAD of jqlangjq/master.

EDIT: I'm using https://github.com/dvyukov/go-fuzz-corpus/tree/master/json/corpus as well as what we already have in tests/torture. If you find other interesting test data then report that here and use it too.

[nicowilliams]

Fuzzing the language and builtins will require constructing a suitable test corpus.

[emanuele6]

We have been fuzzing with OSS fuzz for a while, and jq 1.7 has been released; closing