PythonFuzz is coverage-guided fuzzer for testing python packages.
Fuzzing for safe languages like python is a powerful strategy for finding bugs like unhandled exceptions, logic bugs, security bugs that arise from both logic bugs and Denial-of-Service caused by hangs and excessive memory usage.
Fuzzing can be seen as a powerful and efficient strategy in real-world software in addition to classic unit-tests.
The first step is to implement the following function (also called a fuzz
target). Here is an example of a simple fuzz function for the built-in
from html.parser import HTMLParser from pythonfuzz.main import PythonFuzz def fuzz(buf): try: string = buf.decode("ascii") parser = HTMLParser() parser.feed(string) except UnicodeDecodeError: pass if __name__ == '__main__': fuzz()
Features of the fuzz target:
buf( in a separate process).
The next step is to download pythonfuzz and then run your fuzzer
pip install pythonfuzz python examples/htmlparser/fuzz.py #394378 NEW cov: 608 corp: 24 exec/s: 1119 rss: 10.73828125 MB subclasses of ParserBase must override error() Traceback (most recent call last): File "/Users/yevgenyp/fuzzitdev/pythonfuzz/pythonfuzz/fuzzer.py", line 21, in worker target(buf) File "examples/htmlparser/fuzz.py", line 12, in fuzz pass File "/usr/local/Cellar/python/3.7.4/Frameworks/Python.framework/Versions/3.7/lib/python3.7/html/parser.py", line 111, in feed self.goahead(0) File "/usr/local/Cellar/python/3.7.4/Frameworks/Python.framework/Versions/3.7/lib/python3.7/html/parser.py", line 179, in goahead k = self.parse_html_declaration(i) File "/usr/local/Cellar/python/3.7.4/Frameworks/Python.framework/Versions/3.7/lib/python3.7/html/parser.py", line 264, in parse_html_declaration return self.parse_marked_section(i) File "/usr/local/Cellar/python/3.7.4/Frameworks/Python.framework/Versions/3.7/lib/python3.7/_markupbase.py", line 159, in parse_marked_section self.error('unknown status keyword %r in marked section' % rawdata[i+3:j]) File "/usr/local/Cellar/python/3.7.4/Frameworks/Python.framework/Versions/3.7/lib/python3.7/_markupbase.py", line 34, in error "subclasses of ParserBase must override error()") NotImplementedError: subclasses of ParserBase must override error() crash was written to crash-dbfa437e5956643645681fe6a3ac76997be0b29a7c7af82d88c8c390f379502d crash = 3c215b63612121
This example quickly finds an an unhandled exception/flow in a few minutes.
PythonFuzz will generate and test various inputs in an infinite loop.
corpus is optional directory and will be used to
save the generated testcases so later runs can be started from the same point and provided as seed corpus.
PythonFuzz can also start with an empty directory (i.e no seed corpus) though some valid test-cases in the seed corpus may speed up the fuzzing substantially.
PythonFuzz tries to mimic some of the arguments and output style from libFuzzer.
More fuzz targets examples (for real and popular libraries) are located under the examples directory and bugs that were found using those targets are listed in the trophies section.
PythonFuzz is a port of fuzzitdev/jsfuzz
Contributions are welcome!:) There are still a lot of things to improve, and tests and features to add. We will slowly post those in the issues section. Before doing any major contribution please open an issue so we can discuss and help guide the process before any unnecessary work is done.
Feel free to add bugs that you found with pythonfuzz to this list via pull-request