Enhancing AppSec through Fuzzing in CI/CD Pipelines

Kondukto Security Team01 Aug 2024
Secure CodingAppSec
name: fuzz

on:
  push:
    branches:
      - main
  pull_request:

jobs:
  fuzz:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Set up Go
        uses: actions/setup-go@v2
        with:
          go-version: <version>

      - name: Install dependencies
        run: go mod tidy

      - name: Run Fuzzing
        run: go test -fuzz=<fuzz-function> -fuzztime=60s
stages:
  - fuzz

fuzz:
  stage: fuzz
  image: golang:<version>
  script:
    - go mod tidy
    - go test -fuzz=<fuzz-function> -fuzztime=60s
package main

import (
    "log"
    "net/http"
    "net/url"
)

func handleUserURL(input string) {
    parsedURL, err := url.Parse(input)
    if err != nil {
        log.Printf("Failed to parse URL: %v", err)
        return
    }
    log.Printf("Parsed URL: Host=%s, Hostname=%s, Port=%s", parsedURL.Host, parsedURL.Hostname(), parsedURL.Port())
}

func main() {
    http.HandleFunc("/example", func(w http.ResponseWriter, r *http.Request) {
        input := r.URL.Query().Get("input")
        handleUserURL(input)
    })
    http.ListenAndServe(":8080", nil)
}
package main

import (
    "net/url"
    "testing"
)

func FuzzURLParse(f *testing.F) {
    f.Add("javascript://alert(1)")

    f.Fuzz(func(t *testing.T, input string) {
        parsedURL, err := url.Parse(input)
        if err != nil {
            t.Logf("Failed to parse URL: %v", err)
            return
        }
        host := parsedURL.Hostname()
        port := parsedURL.Port()

        switch parsedURL.Host {
        case host + ":" + port:
            return
        case "[" + host + "]" + port:
            return
        case host:
            fallthrough
        case "[" + host + "]":
            if port != "" {
                panic("unexpected Port()")
            }
            return
        }
        t.Logf("Parsed URL: Host=%s, Hostname=%s, Port=%s", parsedURL.Host, parsedURL.Hostname(), parsedURL.Port())
    })
}
go test -fuzz=FuzzURLParse -fuzztime=60s
// ParseRequestURI parses a raw url into a [URL] structure. It assumes that
// url was received in an HTTP request, so the url is interpreted
// only as an absolute URI or an absolute path.
// The string url is assumed not to have a #fragment suffix.
// (Web browsers strip #fragment before sending the URL to a web server.)
func ParseRequestURI(rawURL string) (*URL, error) {
    url, err := parse(rawURL, true)
    if err != nil {
        return nil, &Error{"parse", rawURL, err}
    }
    return url, nil
}

Get A Demo