Hi all, I'd like to propose adding an upstream-owned OSS-Fuzz fuzzer suite to Apache Airflow to improve the project's security testing coverage.
Background: Fuzzing is an effective technique for discovering bugs, crashes, and potential security vulnerabilities by automatically generating and testing malformed/unexpected inputs. OSS-Fuzz is Google's continuous fuzzing service for open source projects.

Proposed fuzz targets (using Atheris):
- DAG construction
- DAG serialization/deserialization
- Connection URI parsing
- YAML parsing
- Cron timetable parsing
- Params JSON schema validation
- API request body parsing/validation (connections, variables, trigger DAG run)

Each fuzzer would include tuned .options files (input size limits) and small seed corpora. Structured targets would also include .dict files.

Technical notes: Since Airflow is a Python project, libFuzzer/Atheris is the supported engine in OSS-Fuzz. MSan and alternate engines are not applicable for Python targets.

I've prepared an implementation at: https://github.com/apache/airflow/pull/59589

I would appreciate feedback on the approach before proceeding further.

Questions for the community:
1. Is there interest in integrating continuous fuzzing into Airflow?
2. Are there other critical parsing/validation paths that should be prioritized for fuzzing?
3. Any concerns about the proposed directory structure (ossfuzz/)?

Thanks for your time and feedback.

Best,
Leslie
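The shape of one such target, as an added example that is not part of the proposal above nor code from the linked pull request: an Atheris-style harness for the "Connection URI parsing" item. The parser it drives (`parse_connection_uri`) is a stand-in built on `urllib.parse`, constructed so the block runs without Airflow installed; it is not Airflow's `Connection` class. The reusable part is the harness discipline: decode the fuzz bytes, call the parser, swallow only the exception type the parser is documented to raise on bad input (`ValueError` here), and let anything else propagate so libFuzzer records it as a crash. `run_one` is factored out of `TestOneInput` so the same logic can be unit-tested without Atheris present.

```python
"""Atheris-style fuzz harness for connection-URI parsing (added example, not Airflow code)."""
import sys
from urllib.parse import urlsplit, unquote

try:
    import atheris  # only needed when actually fuzzing; absent in plain unit runs
except ImportError:
    atheris = None

# Exception types a well-behaved URI parser may raise on malformed input.
# Anything else (IndexError, TypeError, RecursionError, ...) is a finding.
EXPECTED_ERRORS = (ValueError,)


def parse_connection_uri(uri: str) -> dict:
    """Stand-in parser (constructed for this example, not Airflow's Connection).
    Splits scheme://login:password@host:port/schema?key=value into fields."""
    parts = urlsplit(uri)  # raises ValueError on e.g. an unterminated IPv6 literal
    if not parts.scheme:
        raise ValueError("missing scheme")
    return {
        "conn_type": parts.scheme,
        "login": unquote(parts.username) if parts.username else None,
        "password": unquote(parts.password) if parts.password else None,
        "host": parts.hostname,
        "port": parts.port,  # raises ValueError for a non-numeric port
        "schema": parts.path.lstrip("/") or None,
        "extra": dict(p.split("=", 1) for p in parts.query.split("&") if "=" in p),
    }


def run_one(data: bytes) -> str:
    """Body of the fuzz entry point, kept separate so it is testable without atheris.
    Returns 'ok' for accepted input and 'rejected' for input the parser refused
    cleanly; any other exception propagates and becomes a libFuzzer crash."""
    try:
        uri = data.decode("utf-8")
    except UnicodeDecodeError:
        return "rejected"  # non-UTF-8 bytes are not interesting for a str parser
    try:
        parse_connection_uri(uri)
    except EXPECTED_ERRORS:
        return "rejected"
    return "ok"


def TestOneInput(data: bytes) -> None:
    """libFuzzer/Atheris callback: one fuzz iteration per call."""
    run_one(data)


def main() -> None:
    if atheris is None:
        sys.exit("atheris is not installed; install it to run this harness under libFuzzer")
    atheris.instrument_all()          # coverage instrumentation for guided fuzzing
    atheris.Setup(sys.argv, TestOneInput)
    atheris.Fuzz()


if __name__ == "__main__":
    main()
```

Run under OSS-Fuzz this file would be paired with a `.options` file setting `-max_len` and a seed corpus of a few valid URIs; a `.dict` listing scheme names and `://`, `@`, `?`, `&` tokens helps the mutator reach the structured branches faster. The point of the narrow `EXPECTED_ERRORS` tuple is that broadening it (say, to `Exception`) silently hides exactly the parser defects the fuzzer exists to find.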
