Add comprehensive fuzz targets for all workspace crates #1100
Open
jrey8343 wants to merge 2 commits into servo:main from
Add 7 fuzz targets covering the entire rust-url workspace:

- fuzz_url_parse_roundtrip: URL parse/serialize roundtrip invariant checking
- fuzz_url_differential: relative URL resolution and make_relative roundtrip
- fuzz_url_setters: URL mutation via setters with validity invariant checks
- fuzz_idna: IDNA domain_to_ascii/domain_to_unicode roundtrip + Punycode
- fuzz_data_url: data: URL processing and base64 decoding
- fuzz_form_urlencoded: form-urlencoded parse/serialize roundtrip
- fuzz_percent_encoding: percent encode/decode roundtrip across ASCII sets

Also includes:

- Seed corpus with representative URL samples
- Fuzzing dictionary for URL/IDNA/data-url tokens
- CIFuzz workflow to fuzz all pull requests automatically
- fuzz_percent_encoding: use NON_ALPHANUMERIC for roundtrip assertions since it encodes '%', preventing spurious decode mismatches
- fuzz_url_differential: use char_indices() to split UTF-8 input on valid character boundaries, preventing panics on multi-byte chars
- fuzz.dict: replace C-style escapes (\t, \n, \r, \\) with \xHH hex escapes required by libfuzzer dictionary format
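Why the roundtrip assertion needs an encode set that covers '%', as an added example that is not code from this PR or from the percent-encoding crate. It is a toy std-only codec; `EncodeSet`, `controls_and_space`, `encode`, `hex_pair`, `decode` and `roundtrips` are hypothetical names, and the inputs are constructed.

```rust
// Added example: a toy std-only percent codec, not the percent-encoding crate's code.
type EncodeSet = fn(u8) -> bool;
// Hypothetical set that leaves '%' literal: encodes only controls and space.
fn controls_and_space(b: u8) -> bool { b <= b' ' || b == 0x7F }
// Same coverage as NON_ALPHANUMERIC: everything but ASCII letters and digits, so '%' too.
fn non_alphanumeric(b: u8) -> bool { !b.is_ascii_alphanumeric() }

fn encode(input: &[u8], set: EncodeSet) -> String {
    let mut out = String::new();
    for &b in input {
        // Non-ASCII bytes are always encoded, whatever the set says.
        if !b.is_ascii() || set(b) {
            out.push_str(&format!("%{:02X}", b));
        } else {
            out.push(b as char);
        }
    }
    out
}

fn hex_pair(h: &[u8]) -> Option<u8> {
    if !h.iter().all(|c| c.is_ascii_hexdigit()) { return None; }
    u8::from_str_radix(std::str::from_utf8(h).ok()?, 16).ok()
}

fn decode(input: &str) -> Vec<u8> {
    let (bytes, mut out, mut i) = (input.as_bytes(), Vec::new(), 0);
    while i < bytes.len() {
        // A '%' followed by two hex digits is one byte; anything else passes through.
        match (bytes[i], bytes.get(i + 1..i + 3).and_then(hex_pair)) {
            (b'%', Some(v)) => { out.push(v); i += 3; }
            (b, _) => { out.push(b); i += 1; }
        }
    }
    out
}

// The fuzz-target invariant: decode(encode(x)) == x.
fn roundtrips(input: &[u8], set: EncodeSet) -> bool {
    decode(&encode(input, set)) == input
}

fn main() {
    // Constructed inputs of the kind a fuzzer produces within seconds.
    for input in [&b"%41"[..], &b"100%25"[..], &b"a b\xFF"[..]] {
        println!("{:?}: lax={} strict={}", String::from_utf8_lossy(input),
            roundtrips(input, controls_and_space), roundtrips(input, non_alphanumeric));
    }
}
```

With the lax set, an input that already contains a valid `%XX` sequence is decoded to a different byte string, so the assertion fires although the codec is behaving as designed.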
This was referenced Feb 7, 2026
Author
Hi — apologies for pushing this PR without coordinating more closely first. I should have discussed with you before adding fuzzing infrastructure. That said, the fuzz targets did uncover a couple of bugs (#1101, #1102) which I've submitted a fix for in #1103. Hopefully that demonstrates some value. If you'd prefer a lighter-weight approach, I'd be happy to set up ClusterFuzzLite instead — it runs in your GitHub Actions CI so you'd have full control. Just let me know what works best for the project and I'm happy to help however I can.
Member
Thank you for doing all this! I don't have time to review this soon but I appreciate the effort! I'm in favor of merging these.
Summary
Fuzz Targets
- fuzz_url_parse_roundtrip (url)
- fuzz_url_differential (url): join/make_relative roundtrip
- fuzz_url_setters (url)
- fuzz_idna (idna): domain_to_ascii ↔ domain_to_unicode roundtrip, Punycode roundtrip
- fuzz_data_url (data-url): DataUrl::process + decode, forgiving base64
- fuzz_form_urlencoded (form_urlencoded)
- fuzz_percent_encoding (percent-encoding): AsciiSets

Motivation
This is part of an effort to integrate rust-url into OSS-Fuzz for continuous fuzzing. URL parsing is a classic fuzzing target — it processes untrusted input, implements a complex spec (WHATWG URL Standard), and the workspace includes several sub-crates (IDNA, Punycode, percent-encoding, form-urlencoded, data-url) that each independently parse untrusted data.
The existing url/fuzz/targets only cover the url crate itself. These new workspace-level targets extend coverage to all sub-crates with invariant-checking strategies that are most likely to surface real bugs.

Test plan

- cargo check in fuzz/
- cargo fuzz run <target> -- -max_total_time=60