[fuzzing] cifuzz, update fuzzers, bug fix

Signed-off-by: Arjun Singh <[email protected]>

Author: 0x34d

.github/workflows/cifuzz.yml

@@ -0,0 +1,35 @@
+name: CIFuzz
+on: [pull_request]
+permissions: {}
+jobs:
+ Fuzzing:
+   runs-on: ubuntu-latest
+   permissions:
+     security-events: write
+   steps:
+   - name: Build Fuzzers
+     id: build
+     uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+     with:
+       oss-fuzz-project-name: 'go-git'
+       language: go
+   - name: Run Fuzzers
+     uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+     with:
+       oss-fuzz-project-name: 'go-git'
+       language: go
+       fuzz-seconds: 300
+       output-sarif: true
+   - name: Upload Crash
+     uses: actions/upload-artifact@v3
+     if: failure() && steps.build.outcome == 'success'
+     with:
+       name: artifacts
+       path: ./out/artifacts
+   - name: Upload Sarif
+     if: always() && steps.build.outcome == 'success'
+     uses: github/codeql-action/upload-sarif@v2
+     with:
+      # Path to SARIF file relative to the root of the repository
+      sarif_file: cifuzz-sarif/results.sarif
+      checkout_path: cifuzz-sarif

Makefile

@@ -45,10 +45,9 @@ clean:
 
 fuzz:
 	@go test -fuzz=FuzzParser				$(PWD)/internal/revision
-	@go test -fuzz=FuzzParseSignedByte		$(PWD)/plumbing/object
-	@go test -fuzz=FuzzDecode				$(PWD)/plumbing/object
-	@go test -fuzz=FuzzNewEndpoint			$(PWD)/plumbing/transport
-	@go test -fuzz=FuzzDecoder				$(PWD)/plumbing/protocol/packp
 	@go test -fuzz=FuzzDecoder				$(PWD)/plumbing/format/config
 	@go test -fuzz=FuzzPatchDelta			$(PWD)/plumbing/format/packfile
-	@go test -fuzz=FuzzDecodeFile			$(PWD)/utils/merkletrie/internal/fsnoder
+	@go test -fuzz=FuzzParseSignedBytes		$(PWD)/plumbing/object
+	@go test -fuzz=FuzzDecode				$(PWD)/plumbing/object
+	@go test -fuzz=FuzzDecoder				$(PWD)/plumbing/protocol/packp
+	@go test -fuzz=FuzzNewEndpoint			$(PWD)/plumbing/transport

oss-fuzz.sh

@@ -0,0 +1,35 @@
+#!/bin/bash -eu
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+
+go mod download
+go get github.com/AdamKorcz/go-118-fuzz-build/testing
+
+if [ "$SANITIZER" != "coverage" ]; then
+    sed -i '/func (s \*DecoderSuite) TestDecode(/,/^}/ s/^/\/\//' plumbing/format/config/decoder_test.go
+    sed -n '35,$p' plumbing/format/packfile/common_test.go >> plumbing/format/packfile/delta_test.go
+    sed -n '20,53p' plumbing/object/object_test.go >> plumbing/object/tree_test.go
+    sed -i 's|func Test|// func Test|' plumbing/transport/common_test.go
+fi
+
+compile_native_go_fuzzer $(pwd)/internal/revision                       FuzzParser              fuzz_parser
+compile_native_go_fuzzer $(pwd)/plumbing/format/config                  FuzzDecoder             fuzz_decoder_config
+compile_native_go_fuzzer $(pwd)/plumbing/format/packfile                FuzzPatchDelta          fuzz_patch_delta
+compile_native_go_fuzzer $(pwd)/plumbing/object                         FuzzParseSignedBytes    fuzz_parse_signed_bytes
+compile_native_go_fuzzer $(pwd)/plumbing/object                         FuzzDecode              fuzz_decode
+compile_native_go_fuzzer $(pwd)/plumbing/protocol/packp                 FuzzDecoder             fuzz_decoder_packp
+compile_native_go_fuzzer $(pwd)/plumbing/transport                      FuzzNewEndpoint         fuzz_new_endpoint

utils/merkletrie/internal/fsnoder/new_test.go

@@ -1,8 +1,6 @@
 package fsnoder
 
 import (
-	"testing"
-
 	"github.com/go-git/go-git/v5/utils/merkletrie/noder"
 
 	. "gopkg.in/check.v1"
@@ -354,10 +352,3 @@ func (s *FSNoderSuite) TestHashEqual(c *C) {
 	c.Assert(HashEqual(t3, t1), Equals, false)
 	c.Assert(HashEqual(t1, t3), Equals, false)
 }
-
-func FuzzDecodeFile(f *testing.F) {
-
-	f.Fuzz(func(t *testing.T, input []byte) {
-		decodeFile(input)
-	})
-}