Dear group, I've built a Django fuzzer that can be used with Google OSS-Fuzz [1].
The current fuzzer harness calls a host of django.util.* and related functions with pseudo-random inputs. Fuzzing these functions can be useful to see if any untrusted input can cause slowdowns, hangs, excessive memory consumption, or unexpected exceptions. There have been several of such issues in recent years (CVE-2018-7537, CVE-2018-7536, CVE-2019-6975 [2]), and it is quite likely that my fuzzer would detect these vulnerabilities automatically. In addition to these general vulnerability classes, the harness can be easily extended to raise a warning on any custom condition. Are the Django developers interested in OSS-Fuzz integration? If so, I will need one or more email addresses linked to a Google account that will receive the automated bug reports generated by OSS-Fuzz. Because these reports may contain security-sensitive information, it is recommended that only developers who ordinarily deal with security reports are included in this list. Guido [1] https://github.com/google/oss-fuzz [2] https://docs.djangoproject.com/en/dev/releases/security/ -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/08c201eb-e43d-4535-88b5-625ed3dfc89b%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
