THRIFT-5855: Add netstd fuzzers

Author: mhlakhani

FUZZING.md

@@ -23,10 +23,7 @@ We currently maintain fuzzers for the following languages:
 - Python
 - Rust
 - Swift
-
-We are working on adding fuzzers for the following languages:
-
-- netstd
+- netstd (only supported locally, and not on oss-fuzz)
 
 ## Fuzzer Types
 

lib/netstd/Makefile.am

@@ -28,6 +28,21 @@ check-local:
 	$(DOTNETCORE) test Tests/Thrift.Compile.Tests/Thrift.Compile.netstd2/Thrift.Compile.netstd2.csproj
 	$(DOTNETCORE) test Tests/Thrift.Tests/Thrift.Tests.csproj
 	$(DOTNETCORE) test Tests/Thrift.IntegrationTests/Thrift.IntegrationTests.csproj
+	$(MAKE) build-fuzzers
+
+build-fuzzers:
+	$(DOTNETCORE) build Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj -p:Protocol=Binary -p:FuzzerType=Parse -p:Engine=AFL
+	$(DOTNETCORE) build Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj -p:Protocol=Binary -p:FuzzerType=Parse -p:Engine=Libfuzzer
+	$(DOTNETCORE) build Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj -p:Protocol=Binary -p:FuzzerType=Roundtrip -p:Engine=AFL
+	$(DOTNETCORE) build Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj -p:Protocol=Binary -p:FuzzerType=Roundtrip -p:Engine=Libfuzzer
+	$(DOTNETCORE) build Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj -p:Protocol=Compact -p:FuzzerType=Parse -p:Engine=AFL
+	$(DOTNETCORE) build Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj -p:Protocol=Compact -p:FuzzerType=Parse -p:Engine=Libfuzzer
+	$(DOTNETCORE) build Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj -p:Protocol=Compact -p:FuzzerType=Roundtrip -p:Engine=AFL
+	$(DOTNETCORE) build Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj -p:Protocol=Compact -p:FuzzerType=Roundtrip -p:Engine=Libfuzzer
+	$(DOTNETCORE) build Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj -p:Protocol=Json -p:FuzzerType=Parse -p:Engine=AFL
+	$(DOTNETCORE) build Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj -p:Protocol=Json -p:FuzzerType=Parse -p:Engine=Libfuzzer
+	$(DOTNETCORE) build Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj -p:Protocol=Json -p:FuzzerType=Roundtrip -p:Engine=AFL
+	$(DOTNETCORE) build Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj -p:Protocol=Json -p:FuzzerType=Roundtrip -p:Engine=Libfuzzer
 
 clean-local:
 	$(RM) -r Thrift/bin
@@ -44,6 +59,8 @@ clean-local:
 	$(RM) -r Tests/Thrift.Compile.Tests/Thrift.Compile.net9/obj
 	$(RM) -r Tests/Thrift.Compile.Tests/Thrift.Compile.netstd2/bin
 	$(RM) -r Tests/Thrift.Compile.Tests/Thrift.Compile.netstd2/obj
+	$(RM) -r Tests/Thrift.FuzzTests/bin
+	$(RM) -r Tests/Thrift.FuzzTests/obj
 
 distdir:
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
@@ -60,6 +77,7 @@ EXTRA_DIST = \
 	Tests/Thrift.Compile.Tests/Thrift.Compile.net8/Thrift.Compile.net8.csproj \
 	Tests/Thrift.Compile.Tests/Thrift.Compile.net9/Thrift.Compile.net9.csproj \
 	Tests/Thrift.Compile.Tests/Thrift.Compile.netstd2/Thrift.Compile.netstd2.csproj \
+	Tests/Thrift.FuzzTests \
 	Tests/Thrift.Tests/Collections \
 	Tests/Thrift.Tests/DataModel \
 	Tests/Thrift.Tests/Protocols \

lib/netstd/README.md

@@ -53,3 +53,14 @@ Because of the different environment requirements, migration from C# takes sligh
 - In case you are using Thrift server event handlers: the `SetEventHandler` method now starts with an uppercase letter
 - and you will also have to revise the method names of all `TServerEventHandler` descendants you have in your code
 
+# Fuzzing
+
+We use SharpFuzz (and its libfuzzer variant) for fuzzing. This is **not** supported on oss-fuzz, so all fuzzing must be run locally (currently only tested on a linux machine)
+
+To get started:
+
+* Install https://github.com/Metalnem/sharpfuzz
+* Install https://github.com/Metalnem/libfuzzer-dotnet
+* Create a directory which contains the executable `libfuzzer-dotnet` and set $SHARPFUZZ_DIR to point to it.
+
+Then you can run `buildfuzzers.sh` to build the fuzzers and `runfuzzer.sh` to run a given fuzzer.

lib/netstd/Tests/Thrift.FuzzTests/ProtocolFuzzerBase.cs

@@ -0,0 +1,84 @@
+using System;
+using System.IO;
+using SharpFuzz;
+using Thrift.Protocol;
+using Thrift.Transport;
+using Thrift.Transport.Client;
+
+namespace Thrift.Tests.Protocols.Fuzzers
+{
+    /// <summary>
+    /// Base class for protocol fuzzers that handles the common fuzzing logic.
+    /// </summary>
+    /// <typeparam name="FuzzProtocol">The type of protocol to use for deserialization.</typeparam>
+    public abstract class ProtocolFuzzerBase<FuzzProtocol> where FuzzProtocol : TProtocol
+    {
+        /// <summary>
+        /// Environment variable that controls whether to use in-process fuzzing for AFL.
+        /// When set to "1", uses Fuzzer.Run instead of Fuzzer.OutOfProcess.Run.
+        /// </summary>
+        protected const string UseInProcessFuzzingEnvVar = "THRIFT_AFL_IN_PROCESS";
+
+        /// <summary>
+        /// 10MB message size limit to prevent over-allocation during fuzzing
+        /// </summary>
+        protected const int FUZZ_MAX_MESSAGE_SIZE = 10 * 1024 * 1024;
+
+        /// <summary>
+        /// Creates a new instance of the protocol for the given transport.
+        /// </summary>
+        protected abstract FuzzProtocol CreateProtocol(TTransport transport);
+
+        /// <summary>
+        /// Helper method that contains the core fuzzing logic.
+        /// </summary>
+        private void ProcessFuzzStream(Stream stream)
+        {
+            try
+            {
+                var config = new TConfiguration();
+                config.MaxMessageSize = FUZZ_MAX_MESSAGE_SIZE;
+                var transport = new TStreamTransport(stream, null, config);
+                var protocol = CreateProtocol(transport);
+
+                var obj = new FuzzTest();
+                obj.ReadAsync(protocol, default).GetAwaiter().GetResult();
+            }
+            catch (TException) { /* Expected for malformed input */ }
+            catch (Exception) { /* Expected for malformed input */ }
+        }
+
+        /// <summary>
+        /// The core fuzzing logic that processes a single input.
+        /// </summary>
+        protected void ProcessFuzzInput(ReadOnlySpan<byte> span)
+        {
+            using var stream = new MemoryStream(span.ToArray());
+            ProcessFuzzStream(stream);
+        }
+
+        /// <summary>
+        /// Runs the fuzzer with LibFuzzer.
+        /// </summary>
+        protected void RunLibFuzzer()
+        {
+            Fuzzer.LibFuzzer.Run(ProcessFuzzInput);
+        }
+
+        /// <summary>
+        /// Runs the fuzzer with AFL.
+        /// </summary>
+        protected void RunAFL()
+        {
+            var useInProcess = Environment.GetEnvironmentVariable(UseInProcessFuzzingEnvVar) == "1";
+            if (useInProcess)
+            {
+                Fuzzer.Run(ProcessFuzzStream);
+            }
+            else
+            {
+                Fuzzer.OutOfProcess.Run(ProcessFuzzStream);
+            }
+        }
+    }
+} 

lib/netstd/Tests/Thrift.FuzzTests/ProtocolRoundtripFuzzerBase.cs

@@ -0,0 +1,107 @@
+using System;
+using System.IO;
+using SharpFuzz;
+using Thrift.Protocol;
+using Thrift.Transport;
+using Thrift.Transport.Client;
+
+namespace Thrift.Tests.Protocols.Fuzzers
+{
+    /// <summary>
+    /// Base class for protocol round-trip fuzzers that handles the common fuzzing logic.
+    /// </summary>
+    /// <typeparam name="FuzzProtocol">The type of protocol to use for serialization/deserialization.</typeparam>
+    public abstract class ProtocolRoundtripFuzzerBase<FuzzProtocol> where FuzzProtocol : TProtocol
+    {
+        /// <summary>
+        /// Environment variable that controls whether to use in-process fuzzing for AFL.
+        /// When set to "1", uses Fuzzer.Run instead of Fuzzer.OutOfProcess.Run.
+        /// </summary>
+        protected const string UseInProcessFuzzingEnvVar = "THRIFT_AFL_IN_PROCESS";
+
+        /// <summary>
+        /// 10MB message size limit to prevent over-allocation during fuzzing
+        /// </summary>
+        protected const int FUZZ_MAX_MESSAGE_SIZE = 10 * 1024 * 1024;
+
+        /// <summary>
+        /// Creates a new instance of the protocol for the given transport.
+        /// </summary>
+        protected abstract FuzzProtocol CreateProtocol(TTransport transport);
+
+        /// <summary>
+        /// Helper method that contains the core fuzzing logic.
+        /// </summary>
+        private void ProcessFuzzStream(Stream stream)
+        {
+            try
+            {
+                // First deserialize the input
+                var config = new TConfiguration();
+                config.MaxMessageSize = FUZZ_MAX_MESSAGE_SIZE;
+                var inputTransport = new TStreamTransport(stream, null, config);
+                var inputProtocol = CreateProtocol(inputTransport);
+
+                var inputObj = new FuzzTest();
+                inputObj.ReadAsync(inputProtocol, default).GetAwaiter().GetResult();
+
+                // Now serialize it back
+                using var outputStream = new MemoryStream();
+                var outputTransport = new TStreamTransport(null, outputStream, config);
+                var outputProtocol = CreateProtocol(outputTransport);
+                inputObj.WriteAsync(outputProtocol, default).GetAwaiter().GetResult();
+                outputTransport.FlushAsync(default).GetAwaiter().GetResult();
+
+                // Get the serialized bytes and deserialize again
+                var serialized = outputStream.ToArray();
+                using var reStream = new MemoryStream(serialized);
+                var reTransport = new TStreamTransport(reStream, null, config);
+                var reProtocol = CreateProtocol(reTransport);
+
+                var outputObj = new FuzzTest();
+                outputObj.ReadAsync(reProtocol, default).GetAwaiter().GetResult();
+
+                // Compare the objects
+                if (!inputObj.Equals(outputObj))
+                {
+                    throw new Exception("Round-trip objects are not equal");
+                }
+            }
+            catch (TException) { /* Expected for malformed input */ }
+            catch (Exception) { /* Expected for malformed input */ }
+        }
+
+        /// <summary>
+        /// The core fuzzing logic that processes a single input.
+        /// </summary>
+        protected void ProcessFuzzInput(ReadOnlySpan<byte> span)
+        {
+            using var stream = new MemoryStream(span.ToArray());
+            ProcessFuzzStream(stream);
+        }
+
+        /// <summary>
+        /// Runs the fuzzer with LibFuzzer.
+        /// </summary>
+        protected void RunLibFuzzer()
+        {
+            Fuzzer.LibFuzzer.Run(ProcessFuzzInput);
+        }
+
+        /// <summary>
+        /// Runs the fuzzer with AFL.
+        /// </summary>
+        protected void RunAFL()
+        {
+            var useInProcess = Environment.GetEnvironmentVariable(UseInProcessFuzzingEnvVar) == "1";
+            if (useInProcess)
+            {
+                Fuzzer.Run(ProcessFuzzStream);
+            }
+            else
+            {
+                Fuzzer.OutOfProcess.Run(ProcessFuzzStream);
+            }
+        }
+    }
+} 

lib/netstd/Tests/Thrift.FuzzTests/TBinaryProtocolAFL.cs

@@ -0,0 +1,22 @@
+using System;
+using System.IO;
+using SharpFuzz;
+using Thrift.Protocol;
+using Thrift.Transport;
+using Thrift.Transport.Client;
+
+namespace Thrift.Tests.Protocols.Fuzzers
+{
+    public class TBinaryProtocolFuzzer : ProtocolFuzzerBase<TBinaryProtocol>
+    {
+        protected override TBinaryProtocol CreateProtocol(TTransport transport)
+        {
+            return new TBinaryProtocol(transport);
+        }
+
+        public static void Main(string[] args)
+        {
+            new TBinaryProtocolFuzzer().RunAFL();
+        }
+    }
+} 

lib/netstd/Tests/Thrift.FuzzTests/TBinaryProtocolLibfuzzer.cs

@@ -0,0 +1,22 @@
+using System;
+using System.IO;
+using SharpFuzz;
+using Thrift.Protocol;
+using Thrift.Transport;
+using Thrift.Transport.Client;
+
+namespace Thrift.Tests.Protocols.Fuzzers
+{
+    public class TBinaryProtocolFuzzer : ProtocolFuzzerBase<TBinaryProtocol>
+    {
+        protected override TBinaryProtocol CreateProtocol(TTransport transport)
+        {
+            return new TBinaryProtocol(transport);
+        }
+
+        public static void Main(string[] args)
+        {
+            new TBinaryProtocolFuzzer().RunLibFuzzer();
+        }
+    }
+} 

lib/netstd/Tests/Thrift.FuzzTests/TBinaryProtocolRoundtripAFL.cs

@@ -0,0 +1,22 @@
+using System;
+using System.IO;
+using SharpFuzz;
+using Thrift.Protocol;
+using Thrift.Transport;
+using Thrift.Transport.Client;
+
+namespace Thrift.Tests.Protocols.Fuzzers
+{
+    public class TBinaryProtocolRoundtripFuzzer : ProtocolRoundtripFuzzerBase<TBinaryProtocol>
+    {
+        protected override TBinaryProtocol CreateProtocol(TTransport transport)
+        {
+            return new TBinaryProtocol(transport);
+        }
+
+        public static void Main(string[] args)
+        {
+            new TBinaryProtocolRoundtripFuzzer().RunAFL();
+        }
+    }
+} 

lib/netstd/Tests/Thrift.FuzzTests/TBinaryProtocolRoundtripLibfuzzer.cs

@@ -0,0 +1,22 @@
+using System;
+using System.IO;
+using SharpFuzz;
+using Thrift.Protocol;
+using Thrift.Transport;
+using Thrift.Transport.Client;
+
+namespace Thrift.Tests.Protocols.Fuzzers
+{
+    public class TBinaryProtocolRoundtripFuzzer : ProtocolRoundtripFuzzerBase<TBinaryProtocol>
+    {
+        protected override TBinaryProtocol CreateProtocol(TTransport transport)
+        {
+            return new TBinaryProtocol(transport);
+        }
+
+        public static void Main(string[] args)
+        {
+            new TBinaryProtocolRoundtripFuzzer().RunLibFuzzer();
+        }
+    }
+} 

lib/netstd/Tests/Thrift.FuzzTests/TCompactProtocolAFL.cs

@@ -0,0 +1,22 @@
+using System;
+using System.IO;
+using SharpFuzz;
+using Thrift.Protocol;
+using Thrift.Transport;
+using Thrift.Transport.Client;
+
+namespace Thrift.Tests.Protocols.Fuzzers
+{
+    public class TCompactProtocolFuzzer : ProtocolFuzzerBase<TCompactProtocol>
+    {
+        protected override TCompactProtocol CreateProtocol(TTransport transport)
+        {
+            return new TCompactProtocol(transport);
+        }
+
+        public static void Main(string[] args)
+        {
+            new TCompactProtocolFuzzer().RunAFL();
+        }
+    }
+}