From d712844a0677cb07bfadbca6f8e937dd4f47ea63 Mon Sep 17 00:00:00 2001
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Date: Tue, 20 Aug 2024 23:48:45 +0100
Subject: [PATCH] add oss-fuzz build script, seeds and dictionaries (#3843)

Signed-off-by: Adam Korczynski <adam@adalogics.com>
---
 .../FuzzEvaluatePolicyAgainstJSON.dict        | 45 +++++++++++++++++++
 .../FuzzImportKeyPairLoadPrivateKey.dict      | 14 ++++++
 test/fuzz/oss_fuzz_build.sh                   | 35 +++++++++++++++
 .../seeds/FuzzEvaluatePolicyAgainstJSON_seed1 | 18 ++++++++
 .../seeds/FuzzEvaluatePolicyAgainstJSON_seed2 | 18 ++++++++
 5 files changed, 130 insertions(+)
 create mode 100644 test/fuzz/dictionaries/FuzzEvaluatePolicyAgainstJSON.dict
 create mode 100644 test/fuzz/dictionaries/FuzzImportKeyPairLoadPrivateKey.dict
 create mode 100755 test/fuzz/oss_fuzz_build.sh
 create mode 100644 test/fuzz/seeds/FuzzEvaluatePolicyAgainstJSON_seed1
 create mode 100644 test/fuzz/seeds/FuzzEvaluatePolicyAgainstJSON_seed2

diff --git a/test/fuzz/dictionaries/FuzzEvaluatePolicyAgainstJSON.dict b/test/fuzz/dictionaries/FuzzEvaluatePolicyAgainstJSON.dict
new file mode 100644
index 00000000000..e2f79355339
--- /dev/null
+++ b/test/fuzz/dictionaries/FuzzEvaluatePolicyAgainstJSON.dict
@@ -0,0 +1,45 @@
+"{\"authorityMatches\":{\"keyatt\":{\"signatures\":null,\"attestations\":{\"vuln-key\":[{\"subject\":\"PLACEHOLDER\",\"issuer\":\"PLACEHOLDER\"}]}},\"keysignature\":{\"signatures\":[{\"subject\":\"PLACEHOLDER\",\"issuer\":\"PLACEHOLDER\"}],\"attestations\":null},\"keylessatt\":{\"signatures\":null,\"attestations\":{\"custom-keyless\":[{\"subject\":\"PLACEHOLDER\",\"issuer\":\"PLACEHOLDER\"}]}}}}"
+# Below is from https://github.com/rc0r/afl-fuzz/blob/master/dictionaries/json.dict
+"0"
+",0"
+":0"
+"0:"
+"-1.2e+3"
+
+"true"
+"false"
+"null"
+
+"\"\""
+",\"\""
+":\"\""
+"\"\":"
+
+"{}"
+",{}"
+":{}"
+"{\"\":0}"
+"{{}}"
+
+"[]"
+",[]"
+":[]"
+"[0]"
+"[[]]"
+
+"''"
+"\\"
+"\\b"
+"\\f"
+"\\n"
+"\\r"
+"\\t"
+"\\u0000"
+"\\x00"
+"\\0"
+"\\uD800\\uDC00"
+"\\uDBFF\\uDFFF"
+
+"\"\":0"
+"//"
+"/**/"
diff --git a/test/fuzz/dictionaries/FuzzImportKeyPairLoadPrivateKey.dict b/test/fuzz/dictionaries/FuzzImportKeyPairLoadPrivateKey.dict
new file mode 100644
index 00000000000..09426fc644a
--- /dev/null
+++ b/test/fuzz/dictionaries/FuzzImportKeyPairLoadPrivateKey.dict
@@ -0,0 +1,14 @@
+"-----BEGIN RSA PRIVATE KEY-----"
+"-----END RSA PRIVATE KEY-----"
+"-----BEGIN PRIVATE KEY-----"
+"-----END PRIVATE KEY-----"
+"-----BEGIN PUBLIC KEY-----"
+"-----END PUBLIC KEY-----"
+"-----BEGIN PGP PRIVATE KEY BLOCK-----"
+"Version: BCPG C# v1.6.1.0"
+"-----END PGP PRIVATE KEY BLOCK-----"
+"-----BEGIN EC PRIVATE KEY-----"
+"-----END EC PRIVATE KEY-----"
+"-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----"
+"-----END ENCRYPTED COSIGN PRIVATE KEY-----"
+
diff --git a/test/fuzz/oss_fuzz_build.sh b/test/fuzz/oss_fuzz_build.sh
new file mode 100755
index 00000000000..0c0c949fd5c
--- /dev/null
+++ b/test/fuzz/oss_fuzz_build.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# Copyright 2024 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+go get github.com/AdamKorcz/go-118-fuzz-build/testing
+
+mv ./pkg/cosign/keys_test.go ./pkg/cosign/keys_test_keep_in_fuzz_scope.go
+compile_native_go_fuzzer github.com/sigstore/cosign/v2/pkg/cosign/attestation FuzzGenerateStatement FuzzGenerateStatement
+compile_native_go_fuzzer github.com/sigstore/cosign/v2/pkg/cosign/cue FuzzValidateJSON FuzzValidateJSON_cue
+compile_native_go_fuzzer github.com/sigstore/cosign/v2/pkg/cosign/rego FuzzValidateJSON FuzzValidateJSON_rego
+compile_native_go_fuzzer github.com/sigstore/cosign/v2/pkg/cosign FuzzImportKeyPairLoadPrivateKey FuzzImportKeyPairLoadPrivateKey
+compile_native_go_fuzzer github.com/sigstore/cosign/v2/pkg/cosign FuzzSigVerify FuzzSigVerify
+compile_native_go_fuzzer github.com/sigstore/cosign/v2/pkg/policy FuzzEvaluatePolicyAgainstJSON FuzzEvaluatePolicyAgainstJSON
+
+zip -j $OUT/FuzzEvaluatePolicyAgainstJSON_seed_corpus.zip test/fuzz/seeds/FuzzEvaluatePolicyAgainstJSON_seed*
+zip -j $OUT/FuzzEvaluatePolicyAgainstJSON_seed_corpus.zip $SRC/go-fuzz-corpus/json/corpus/*
+zip -j $OUT/FuzzValidateJSON_cue_seed_corpus.zip $SRC/go-fuzz-corpus/json/corpus/*
+zip -j $OUT/FuzzValidateJSON_rego_seed_corpus.zip $SRC/go-fuzz-corpus/json/corpus/*
+zip -j $OUT/FuzzGenerateStatement_seed_corpus.zip $SRC/go-fuzz-corpus/json/corpus/*
+cp $SRC/afl-fuzz/dictionaries/json.dict $OUT/FuzzValidateJSON_cue.dict
+cp $SRC/afl-fuzz/dictionaries/json.dict $OUT/FuzzValidateJSON_rego.dict
+cp $SRC/afl-fuzz/dictionaries/json.dict $OUT/FuzzGenerateStatement.dict
+cp test/fuzz/dictionaries/FuzzImportKeyPairLoadPrivateKey.dict $OUT/
diff --git a/test/fuzz/seeds/FuzzEvaluatePolicyAgainstJSON_seed1 b/test/fuzz/seeds/FuzzEvaluatePolicyAgainstJSON_seed1
new file mode 100644
index 00000000000..1efef3030bf
--- /dev/null
+++ b/test/fuzz/seeds/FuzzEvaluatePolicyAgainstJSON_seed1
@@ -0,0 +1,18 @@
+package sigstore
+isCompliant[response] {
+    attestationsKeylessATT := input.authorityMatches.keylessatt.attestations
+    result = (count(attestationsKeylessATT) == 1)
+    attestationsKeyATT := input.authorityMatches.keyatt.attestations
+    result = (count(attestationsKeyATT) == 1)
+    keySignature := input.authorityMatches.keysignature.signatures
+    result = (count(keySignature) == 1)
+
+    errorMsg = ""
+    warnMsg = "Throw warning error even if succeeded"
+
+    response := {
+        "result" : result,
+        "error" : errorMsg,
+        "warning" : warnMsg
+    }
+}
diff --git a/test/fuzz/seeds/FuzzEvaluatePolicyAgainstJSON_seed2 b/test/fuzz/seeds/FuzzEvaluatePolicyAgainstJSON_seed2
new file mode 100644
index 00000000000..a83e5d45c41
--- /dev/null
+++ b/test/fuzz/seeds/FuzzEvaluatePolicyAgainstJSON_seed2
@@ -0,0 +1,18 @@
+package sigstore
+import "struct"
+import "list"
+authorityMatches: {
+  keyatt: {
+      attestations: struct.MaxFields(1) & struct.MinFields(1)
+  },
+  keysignature: {
+      signatures: list.MaxItems(1) & list.MinItems(1)
+  },
+  if( len(authorityMatches.keylessatt.attestations) < 2) {
+      keylessattMinAttestations: 2
+      keylessattMinAttestations: "Error"
+  },
+  keylesssignature: {
+      signatures: list.MaxItems(1) & list.MinItems(1)
+  }
+}