Update fuzz tests to use go fuzz features (#148)

* added two fuzz tests for parser functionality

* ran test for v7 generation that was accidentally excluded

* added fuzz tests for FromBinary family of functions, moved to the codec_tests.go file

* refined logic for FromX fuzz functions

* fixed logical errors with fuzz tests

* removed harden from some other github actions workflows

* fix missing codecov token

* Apply suggestions from code review

* fixed code review feedback

* Update .github/workflows/go.yml

.github/workflows/codeql.yml

@@ -40,11 +40,6 @@ jobs:
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
-        with:
-          egress-policy: audit
-
       - name: Checkout repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 

.github/workflows/dependency-review.yml

@@ -16,11 +16,6 @@ jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
-        with:
-          egress-policy: audit
-
       - name: 'Checkout Repository'
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: 'Dependency Review'

.github/workflows/go.yml

@@ -17,12 +17,6 @@ jobs:
     env:
       GO111MODULE: auto
     steps:
-
-    - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
-      with:
-        egress-policy: audit
-
     - name: Build
       uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
@@ -38,20 +32,16 @@ jobs:
       run: go test ./... -race -coverprofile=coverage.txt -covermode=atomic
 
     - name: Coverage
-      uses: codecov/codecov-action@125fc84a9a348dbcf27191600683ec096ec9021c # v4.4.1
+      uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
+      env:
+        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
   build-legacy:
     name: Build + Test Previous Stable
     runs-on: ubuntu-latest
     env:
       GO111MODULE: auto
     steps:
-
-    - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
-      with:
-        egress-policy: audit
-
     - name: Build
       uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:

codec_test.go

@@ -23,10 +23,7 @@ package uuid
 
 import (
 	"bytes"
-	"flag"
-	"fmt"
-	"os"
-	"path/filepath"
+	"regexp"
 	"strings"
 	"testing"
 )
@@ -403,28 +400,110 @@ func BenchmarkParseV4(b *testing.B) {
 	}
 }
 
-var seedFuzzCorpus = flag.Bool("seed_fuzz_corpus", false, "seed fuzz test corpus")
+const uuidPattern = "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
 
-func TestSeedFuzzCorpus(t *testing.T) {
-	// flag.Parse() is called for us by the test binary.
-	if !*seedFuzzCorpus {
-		t.Skip("seeding fuzz test corpus only on demand")
+var fromBytesCorpus = [][]byte{
+	{0x6b, 0xa7, 0xb8, 0x10, 0x9d, 0xad, 0x11, 0xd1, 0x80, 0xb4, 0x00, 0xc0, 0x4f, 0xd4, 0x30, 0xc8},
+	{4, 8, 15, 16, 23, 42},
+}
+
+// FuzzFromBytesFunc is a fuzz testing suite that exercises the FromBytes function
+func FuzzFromBytesFunc(f *testing.F) {
+	for _, seed := range fromBytesCorpus {
+		f.Add(seed)
 	}
-	corpusDir := filepath.Join(".", "testdata", "corpus")
-	writeSeedFile := func(name, data string) error {
-		path := filepath.Join(corpusDir, name)
-		return os.WriteFile(path, []byte(data), os.ModePerm)
+	uuidRegexp, err := regexp.Compile(uuidPattern)
+	if err != nil {
+		f.Fatal("uuid regexp failed to compile")
 	}
-	for _, fst := range fromStringTests {
-		name := "seed_valid_" + fst.variant
-		if err := writeSeedFile(name, fst.input); err != nil {
-			t.Fatal(err)
+	f.Fuzz(func(t *testing.T, payload []byte) {
+		u, err := FromBytes(payload)
+		if len(payload) != Size && err == nil {
+			t.Errorf("%v did not result in an error", payload)
+		}
+		if len(payload) == Size && u == Nil {
+			t.Errorf("%v resulted in Nil uuid", payload)
 		}
+		if len(payload) == Size && !uuidRegexp.MatchString(u.String()) {
+			t.Errorf("%v resulted in invalid uuid %s", payload, u.String())
+		}
+		// otherwise, allow to pass if no panic
+	})
+}
+
+// FuzzFromBytesOrNilFunc is a fuzz testing suite that exercises the FromBytesOrNil function
+func FuzzFromBytesOrNilFunc(f *testing.F) {
+	for _, seed := range fromBytesCorpus {
+		f.Add(seed)
 	}
-	for i, s := range invalidFromStringInputs {
-		name := fmt.Sprintf("seed_invalid_%d", i)
-		if err := writeSeedFile(name, s); err != nil {
-			t.Fatal(err)
+	uuidRegexp, err := regexp.Compile(uuidPattern)
+	if err != nil {
+		f.Error("uuid regexp failed to compile")
+	}
+	f.Fuzz(func(t *testing.T, payload []byte) {
+		u := FromBytesOrNil(payload)
+		if len(payload) != Size && u != Nil {
+			t.Errorf("%v resulted in non Nil uuid %s", payload, u.String())
+		}
+		if len(payload) == Size && u == Nil {
+			t.Errorf("%v resulted Nil uuid", payload)
+		}
+		if len(payload) == Size && !uuidRegexp.MatchString(u.String()) {
+			t.Errorf("%v resulted in invalid uuid %s", payload, u.String())
+		}
+		// otherwise, allow to pass if no panic
+	})
+}
+
+var fromStringCorpus = []string{
+	"6ba7b810-9dad-11d1-80b4-00c04fd430c8",
+	"6BA7B810-9DAD-11D1-80B4-00C04FD430C8",
+	"{6BA7B810-9DAD-11D1-80B4-00C04FD430C8}",
+	"urn:uuid:6BA7B810-9DAD-11D1-80B4-00C04FD430C8",
+	"6BA7B8109DAD11D180B400C04FD430C8",
+	"{6BA7B8109DAD11D180B400C04FD430C8}",
+	"urn:uuid:6BA7B8109DAD11D180B400C04FD430C8",
+}
+
+// FuzzFromStringFunc is a fuzz testing suite that exercises the FromString function
+func FuzzFromStringFunc(f *testing.F) {
+	for _, seed := range fromStringCorpus {
+		f.Add(seed)
+	}
+	uuidRegexp, err := regexp.Compile(uuidPattern)
+	if err != nil {
+		f.Fatal("uuid regexp failed to compile")
+	}
+	f.Fuzz(func(t *testing.T, payload string) {
+		u, err := FromString(payload)
+		if err != nil {
+			if u == Nil {
+				t.Errorf("%s resulted in Nil uuid", payload)
+			}
+			if !uuidRegexp.MatchString(u.String()) {
+				t.Errorf("%s resulted in invalid uuid %s", payload, u.String())
+			}
 		}
+		// otherwise, allow to pass if no panic
+	})
+}
+
+// FuzzFromStringOrNil is a fuzz testing suite that exercises the FromStringOrNil function
+func FuzzFromStringOrNilFunc(f *testing.F) {
+	for _, seed := range fromStringCorpus {
+		f.Add(seed)
+	}
+	uuidRegexp, err := regexp.Compile(uuidPattern)
+	if err != nil {
+		f.Error("uuid regexp failed to compile")
 	}
+	f.Fuzz(func(t *testing.T, payload string) {
+		u := FromStringOrNil(payload)
+		if u != Nil {
+			if !uuidRegexp.MatchString(u.String()) {
+				t.Errorf("%s resulted in invalid uuid %s", payload, u.String())
+			}
+		}
+		// otherwise, allow to pass if no panic
+	})
 }

generator_test.go

@@ -611,6 +611,7 @@ func testNewV7(t *testing.T) {
 	t.Run("FaultyRand", makeTestNewV7FaultyRand())
 	t.Run("FaultyRandWithOptions", makeTestNewV7FaultyRandWithOptions())
 	t.Run("ShortRandomRead", makeTestNewV7ShortRandomRead())
+	t.Run("ShortRandomReadWithOptions", makeTestNewV7ShortRandomReadWithOptions())
 	t.Run("KSortable", makeTestNewV7KSortable())
 	t.Run("ClockSequence", makeTestNewV7ClockSequence())
 }