Content-Length: 3968 | pFad | http://github.com/gitpython-developers/GitPython/pull/1906.patch

thub.com From f4b95cf089706a29396b744b53a4ecdcc924d31c Mon Sep 17 00:00:00 2001 From: David Lakin Date: Mon, 22 Apr 2024 16:07:54 -0400 Subject: [PATCH] Fix Fuzzer Crash in ClusterFuzz Due to Missing Git Executable A Git executable is not globally available in the ClusterFuzz container environment where OSS-Fuzz executes fuzz tests, causing an error in the fuzz harnesses when GitPython attempts to initialize, crashing the tests before they can run. To avoid this issue, we bundle the `git` binary that is available in the OSS-Fuzz build container with the fuzz harness via Pyinstaller's `--add-binary` flag in `build.sh` and use GitPython's `git.refresh()` method inside a Pyinstaller runtime check to initialize GitPython with the bundled Git executable when running from the bundled application. In all other execution environments, we assume a `git` executable is available globally. Fixes: - https://github.com/gitpython-developers/GitPython/issues/1905 - https://github.com/google/oss-fuzz/issues/10600 --- fuzzing/fuzz-targets/fuzz_config.py | 9 +++++++-- fuzzing/fuzz-targets/fuzz_tree.py | 11 +++++++---- fuzzing/oss-fuzz-scripts/build.sh | 2 +- 3 files changed, 15 insertions(+), 7 deletions(-) diff --git a/fuzzing/fuzz-targets/fuzz_config.py b/fuzzing/fuzz-targets/fuzz_config.py index 0a06956c8..7623ab98f 100644 --- a/fuzzing/fuzz-targets/fuzz_config.py +++ b/fuzzing/fuzz-targets/fuzz_config.py @@ -20,16 +20,21 @@ import atheris import sys import io +import os from configparser import MissingSectionHeaderError, ParsingError with atheris.instrument_imports(): - from git import GitConfigParser + import git def TestOneInput(data): + if getattr(sys, "frozen", False) and hasattr(sys, "_MEIPASS"): + path_to_bundled_git_binary = os.path.abspath(os.path.join(os.path.dirname(__file__), "git")) + git.refresh(path_to_bundled_git_binary) + sio = io.BytesIO(data) sio.name = "/tmp/fuzzconfig.config" - git_config = GitConfigParser(sio) + git_config = git.GitConfigParser(sio) try: git_config.read() except (MissingSectionHeaderError, ParsingError, UnicodeDecodeError): diff --git a/fuzzing/fuzz-targets/fuzz_tree.py b/fuzzing/fuzz-targets/fuzz_tree.py index 464235098..7187c4a6f 100644 --- a/fuzzing/fuzz-targets/fuzz_tree.py +++ b/fuzzing/fuzz-targets/fuzz_tree.py @@ -24,11 +24,14 @@ import shutil with atheris.instrument_imports(): - from git.objects import Tree - from git.repo import Repo + import git def TestOneInput(data): + if getattr(sys, "frozen", False) and hasattr(sys, "_MEIPASS"): + path_to_bundled_git_binary = os.path.abspath(os.path.join(os.path.dirname(__file__), "git")) + git.refresh(path_to_bundled_git_binary) + fdp = atheris.FuzzedDataProvider(data) git_dir = "/tmp/.git" head_file = os.path.join(git_dir, "HEAD") @@ -46,9 +49,9 @@ def TestOneInput(data): os.mkdir(common_dir) os.mkdir(objects_dir) - _repo = Repo("/tmp/") + _repo = git.Repo("/tmp/") - fuzz_tree = Tree(_repo, Tree.NULL_BIN_SHA, 0, "") + fuzz_tree = git.Tree(_repo, git.Tree.NULL_BIN_SHA, 0, "") try: fuzz_tree._deserialize(io.BytesIO(data)) except IndexError: diff --git a/fuzzing/oss-fuzz-scripts/build.sh b/fuzzing/oss-fuzz-scripts/build.sh index ab46ec7a2..be31ac32a 100644 --- a/fuzzing/oss-fuzz-scripts/build.sh +++ b/fuzzing/oss-fuzz-scripts/build.sh @@ -14,7 +14,7 @@ find "$SEED_DATA_DIR" \( -name '*_seed_corpus.zip' -o -name '*.options' -o -name # Build fuzzers in $OUT. find "$SRC/gitpython/fuzzing" -name 'fuzz_*.py' -print0 | while IFS= read -r -d '' fuzz_harness; do - compile_python_fuzzer "$fuzz_harness" + compile_python_fuzzer "$fuzz_harness" --add-binary="$(command -v git):." common_base_dictionary_filename="$SEED_DATA_DIR/__base.dict" if [[ -r "$common_base_dictionary_filename" ]]; then

pFad - (p)hone/(F)rame/(a)nonymizer/(d)eclutterfier! Saves Data!