| Hasnain Lakhani | c51ab5f | 2025-08-25 10:24:14 -0700 | [diff] [blame] | 1 | # Fuzzing Apache Thrift |
| 2 | |
| 3 | This document describes the fuzzing infrastructure and goals for Apache Thrift. |
| 4 | |
| 5 | We use [OSS-Fuzz](https://github.com/google/oss-fuzz) as our primary fuzzing platform to continuously test and improve the robustness of Thrift's hand-written and generated code. |
| 6 | |
| 7 | ## Goals |
| 8 | |
| 9 | With fuzzing, we are focusing on testing the following key aspects across supported languages: |
| 10 | |
| 11 | 1. Security - Testing how the generated code handles malformed/malicious input |
| 12 | 2. Serialization round-trip correctness - Ensuring that data stays identical if we serialize then deserialize it. |
| 13 | |
| 14 | ## Supported Languages |
| 15 | |
| 16 | We currently maintain fuzzers for the following languages: |
| 17 | |
| Hasnain Lakhani | 9b13668 | 2025-08-25 11:54:23 -0700 | [diff] [blame] | 18 | - Go |
| Hasnain Lakhani | cf41a1c | 2025-08-25 10:55:35 -0700 | [diff] [blame] | 19 | - c_glib (partially supported, needs round-trip support) |
| Hasnain Lakhani | 37f4e0d | 2025-08-25 11:21:33 -0700 | [diff] [blame] | 20 | - C++ |
| Hasnain Lakhani | 4f877ca | 2025-08-25 13:24:26 -0700 | [diff] [blame] | 21 | - Java/JVM (and other JVM languages) |
| Hasnain Lakhani | aa18332 | 2025-08-25 13:54:33 -0700 | [diff] [blame] | 22 | - JavaScript |
| Hasnain Lakhani | d274300 | 2025-08-25 14:22:15 -0700 | [diff] [blame] | 23 | - Python |
| Dmytro Shteflyuk | 6041798 | 2026-03-14 02:12:29 -0400 | [diff] [blame] | 24 | - Ruby |
| Hasnain Lakhani | 7ac79ab | 2025-08-25 14:40:43 -0700 | [diff] [blame] | 25 | - Rust |
| Hasnain Lakhani | 4afb7d9 | 2025-08-25 16:09:41 -0700 | [diff] [blame] | 26 | - Swift |
| Hasnain Lakhani | c51ab5f | 2025-08-25 10:24:14 -0700 | [diff] [blame] | 27 | |
| 28 | We are working on adding fuzzers for the following languages: |
| 29 | |
| Hasnain Lakhani | c51ab5f | 2025-08-25 10:24:14 -0700 | [diff] [blame] | 30 | - netstd |
| 31 | |
| 32 | ## Fuzzer Types |
| 33 | |
| 34 | For each supported language, we implement at minimum: |
| 35 | |
| 36 | 1. **Deserializer Fuzzer** |
| 37 | - Takes raw fuzzer input and attempts to deserialize it into Thrift structures |
| 38 | - Tests handling of malformed/unexpected input |
| 39 | - Implemented for each supported protocol (Binary, Compact, JSON where available) |
| 40 | |
| 41 | 2. **Round-Trip Fuzzer** |
| 42 | - Deserializes fuzzer input, then re-serializes and verifies it matches |
| 43 | - Ensures data integrity through serialization cycles |
| 44 | - Tests both serialization and deserialization code paths |
| 45 | |
| 46 | ## Building and Running the Fuzzers |
| 47 | |
| 48 | Each language has its own fuzzers under the `lib/<language>/test/fuzz` directory. |
| Dmytro Shteflyuk | 6041798 | 2026-03-14 02:12:29 -0400 | [diff] [blame] | 49 | Build integration varies by language. C++, c_glib, Go, Rust, and Ruby wire fuzz code into their normal build systems so that code generation and build drift are caught early. Some languages also provide local runner targets or native fuzz binaries. |
| Hasnain Lakhani | c51ab5f | 2025-08-25 10:24:14 -0700 | [diff] [blame] | 50 | |
| 51 | To ensure fuzzing can find issues as soon as possible, we will enable fuzzing support in CI once the fuzzers are stable. |
| 52 | |
| Dmytro Shteflyuk | 6041798 | 2026-03-14 02:12:29 -0400 | [diff] [blame] | 53 | Currently the only convenient, formally supported build with fuzzing support enabled is via the oss-fuzz workflow. For languages where local fuzzing is practical, documentation is provided alongside the fuzzers. For example, C++ builds libFuzzer binaries directly, while Ruby exposes `make` targets that wrap Ruzzy. |
| Hasnain Lakhani | c51ab5f | 2025-08-25 10:24:14 -0700 | [diff] [blame] | 54 | |
| 55 | ## OSS-Fuzz Integration |
| 56 | |
| 57 | Our fuzzers run continuously on OSS-Fuzz. To view build status: |
| 58 | |
| 59 | 1. Visit the [OSS-Fuzz Status Dashboard](https://oss-fuzz-build-logs.storage.googleapis.com/index.html) |
| 60 | 2. Look for the "thrift" project |
| 61 | |
| 62 | The source code for the oss-fuzz build is [available upstream](https://github.com/google/oss-fuzz/tree/master/projects/thrift). |
| 63 | |
| 64 | We aim to improve the fuzzers through viewing the fuzz introspector reports, available [here](https://introspector.oss-fuzz.com/project-profile?project=thrift). |
| 65 | |
| 66 | *NB: The oss-fuzz integration will be significantly updated once all the language specific fuzzers are committed here. |
| 67 | |
| 68 | ## Contributing to the fuzzers |
| 69 | |
| 70 | To contribute to the fuzzing effort - please look at https://issues.apache.org/jira/browse/THRIFT-5855 for the latest status and planned work. Once the ticket is closed, |
| 71 | we would still appreciate contributions that: |
| 72 | |
| 73 | 1. Add new fuzzers for unsupported languages |
| 74 | 2. Improve existing fuzzers |
| 75 | 3. Add test cases to corpus |
| 76 | |
| 77 | If you do add or change a fuzzer, please remember to make corresponding changes to the oss-fuzz build script in case they are needed. |
| 78 | |
| Dmytro Shteflyuk | 6041798 | 2026-03-14 02:12:29 -0400 | [diff] [blame] | 79 | Please see CONTRIBUTING.md for general contribution guidelines. |