Merge commit 'c992cb4e42cc223f67ede0e48d7ff3f4947af0c6' as 'test/compatibility/C/uWebSockets'

2020-01-04 15:41:03 -08:00
parent 0bc4c4c136 c992cb4e42
commit 40e344a958
68 changed files with 9564 additions and 0 deletions
--- a/test/compatibility/C/uWebSockets/fuzzing/README.md
+++ b/test/compatibility/C/uWebSockets/fuzzing/README.md
@ -0,0 +1,29 @@
+# Fuzz-testing of various parsers and mocked examples
+
+A secure web server must be capable of receiving mass amount of malicious input without misbehaving or performing illegal actions, such as stepping outside of a memory block or otherwise spilling the beans.
+
+### Continuous fuzzing under various sanitizers is done as part of the [Google OSS-Fuzz](https://github.com/google/oss-fuzz#oss-fuzz---continuous-fuzzing-for-open-source-software) project:
+* UndefinedBehaviorSanitizer
+* AddressSanitizer
+* MemorySanitizer
+
+### Currently the following parts are individually fuzzed:
+
+* WebSocket handshake generator
+* WebSocket message parser
+* WebSocket extensions parser & negotiator
+* WebSocket permessage-deflate compression/inflation helper
+* Http parser
+* Http method/url router
+
+### While entire (mocked) examples are fuzzed:
+
+* HelloWorld
+* EchoServer
+
+No defects or issues are left unfixed, covered up or otherwise neglected. In fact we **cannot** cover up security issues as OSS-Fuzz automatically and publicly reports security issues as they happen.
+
+Currently we are at ~80% total fuzz coverage and OSS-Fuzz is reporting **zero** issues whatsoever. The goal is to approach 90% total coverage.
+
+### Security awards
+Google have sent us thousands of USD for the integration with OSS-Fuzz - we continue working on bettering the testing with every new release.