feat: modernize fuzzing

.github/workflows/nodejs.yml

@@ -140,6 +140,26 @@ jobs:
       - name: Run tests
         run: npm run test:javascript:withoutintl
 
+  test-fuzzing:
+    name: Fuzzing
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        with:
+          node-version: lts/*
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Run fuzzing tests
+        run: npm run test:fuzzing
+
   test-types:
     name: Test TypeScript types
     timeout-minutes: 15
@@ -169,6 +189,7 @@ jobs:
       - test
       - test-types
       - test-without-intl
+      - test-fuzzing
       - lint
     runs-on: ubuntu-latest
     permissions:

package.json

@@ -74,6 +74,7 @@
     "test:node-fetch": "borp -p \"test/node-fetch/**/*.js\"",
     "test:eventsource": "npm run build:node && npm run test:eventsource:nobuild",
     "test:eventsource:nobuild": "borp --expose-gc -p \"test/eventsource/*.js\"",
+    "test:fuzzing": "node test/fuzzing/fuzzing.test.js",
     "test:fetch": "npm run build:node && npm run test:fetch:nobuild",
     "test:fetch:nobuild": "borp --expose-gc -p \"test/fetch/*.js\" && borp -p \"test/webidl/*.js\" && borp -p \"test/busboy/*.js\"",
     "test:jest": "cross-env NODE_V8_COVERAGE= jest",
@@ -92,8 +93,7 @@
     "coverage:report:ci": "c8 report",
     "bench": "echo \"Error: Benchmarks have been moved to '/benchmarks'\" && exit 1",
     "serve:website": "echo \"Error: Documentation has been moved to '/docs'\" && exit 1",
-    "prepare": "husky install && node ./scripts/platform-shell.js",
-    "fuzz": "jsfuzz test/fuzzing/fuzz.js corpus"
+    "prepare": "husky install && node ./scripts/platform-shell.js"
   },
   "devDependencies": {
     "@matteo.collina/tspl": "^0.1.1",
@@ -104,13 +104,13 @@
     "c8": "^9.1.0",
     "cross-env": "^7.0.3",
     "dns-packet": "^5.4.0",
+    "fast-check": "^3.17.1",
     "form-data": "^4.0.0",
     "formdata-node": "^6.0.3",
     "https-pem": "^3.0.0",
     "husky": "^9.0.7",
     "jest": "^29.0.2",
     "jsdom": "^24.0.0",
-    "jsfuzz": "^1.0.15",
     "node-forge": "^1.3.1",
     "pre-commit": "^1.2.2",
     "proxy": "^2.1.1",

test/fuzzing/client/client-fuzz-body.js

@@ -6,20 +6,18 @@ const acceptableCodes = [
   'ERR_INVALID_ARG_TYPE'
 ]
 
-// TODO: could make this a class with some inbuilt functionality that we can inherit
-async function fuzz (netServer, results, buf) {
+async function fuzz (address, results, buf) {
   const body = buf
   results.body = body
   try {
-    const data = await request(`http://localhost:${netServer.address().port}`, { body })
+    const data = await request(address, { body })
     data.body.destroy().on('error', () => {})
   } catch (err) {
     results.err = err
     // Handle any undici errors
     if (Object.values(errors).some(undiciError => err instanceof undiciError)) {
       // Okay error
     } else if (!acceptableCodes.includes(err.code)) {
-      console.log(`=== Headers: ${JSON.stringify(body)} ===`)
       throw err
     }
   }

test/fuzzing/client/client-fuzz-headers.js

@@ -6,19 +6,18 @@ const acceptableCodes = [
   'ERR_INVALID_ARG_TYPE'
 ]
 
-async function fuzz (netServer, results, buf) {
+async function fuzz (address, results, buf) {
   const headers = { buf: buf.toString() }
   results.body = headers
   try {
-    const data = await request(`http://localhost:${netServer.address().port}`, { headers })
+    const data = await request(address, { headers })
     data.body.destroy().on('error', () => {})
   } catch (err) {
     results.err = err
     // Handle any undici errors
     if (Object.values(errors).some(undiciError => err instanceof undiciError)) {
       // Okay error
     } else if (!acceptableCodes.includes(err.code)) {
-      console.log(`=== Headers: ${JSON.stringify(headers)} ===`)
       throw err
     }
   }

test/fuzzing/client/client-fuzz-options.js

@@ -8,10 +8,9 @@ const acceptableCodes = [
   'ENOTFOUND',
   'EAI_AGAIN',
   'ECONNREFUSED'
-  // ----
 ]
 
-async function fuzz (netServer, results, buf) {
+async function fuzz (address, results, buf) {
   const optionKeys = ['body', 'path', 'method', 'opaque', 'upgrade', buf]
   const options = {}
   for (const optionKey of optionKeys) {
@@ -21,15 +20,14 @@ async function fuzz (netServer, results, buf) {
   }
   results.options = options
   try {
-    const data = await request(`http://localhost:${netServer.address().port}`, options)
+    const data = await request(address, options)
     data.body.destroy().on('error', () => {})
   } catch (err) {
     results.err = err
     // Handle any undici errors
     if (Object.values(errors).some(undiciError => err instanceof undiciError)) {
       // Okay error
     } else if (!acceptableCodes.includes(err.code)) {
-      console.log(`=== Options: ${JSON.stringify(options)} ===`)
       throw err
     }
   }

test/fuzzing/fuzzing.test.js

@@ -0,0 +1,64 @@
+'use strict'
+
+const { once } = require('node:events')
+const fc = require('fast-check')
+const netServer = require('./server')
+const { describe, before, after, test } = require('node:test')
+const {
+  clientFuzzBody,
+  clientFuzzHeaders,
+  clientFuzzOptions
+} = require('./client')
+
+// Detect if running in CI (here we use GitHub Workflows)
+// https://docs.github.com/en/actions/learn-github-actions/variables#default-environment-variables
+const isCI = process.env.CI === 'true'
+
+fc.configureGlobal({
+  interruptAfterTimeLimit: isCI ? 60_000 /* 1 minute */ : 10_000 /* 10 seconds */,
+  numRuns: Number.MAX_SAFE_INTEGER
+})
+
+describe('fuzzing', { timeout: 600_000 /* 10 minutes */ }, () => {
+  before(async () => {
+    netServer.listen(0)
+    await once(netServer, 'listening')
+  })
+
+  after(() => {
+    netServer.close()
+  })
+
+  test('body', async () => {
+    const address = `http://localhost:${netServer.address().port}`
+    await fc.assert(
+      fc.asyncProperty(fc.uint8Array(), async (body) => {
+        body = Buffer.from(body)
+        const results = {}
+        await clientFuzzBody(address, results, body)
+      })
+    )
+  })
+
+  test('headers', async () => {
+    const address = `http://localhost:${netServer.address().port}`
+    await fc.assert(
+      fc.asyncProperty(fc.uint8Array(), async (body) => {
+        body = Buffer.from(body)
+        const results = {}
+        await clientFuzzHeaders(address, results, body)
+      })
+    )
+  })
+
+  test('options', async () => {
+    const address = `http://localhost:${netServer.address().port}`
+    await fc.assert(
+      fc.asyncProperty(fc.uint8Array(), async (body) => {
+        body = Buffer.from(body)
+        const results = {}
+        await clientFuzzOptions(address, results, body)
+      })
+    )
+  })
+})

test/fuzzing/server/index.js

@@ -1,6 +1,15 @@
 'use strict'
 
-module.exports = {
-  splitData: require('./server-fuzz-split-data'),
-  appendData: require('./server-fuzz-append-data')
-}
+const net = require('node:net')
+const serverFuzzFns = [
+  require('./server-fuzz-append-data'),
+  require('./server-fuzz-split-data')
+]
+
+const netServer = net.createServer(socket => {
+  socket.on('data', data => {
+    serverFuzzFns[(Math.random() * 2) | 0](socket, data)
+  })
+})
+
+module.exports = netServer