types fuzzing#237
Open
abresas wants to merge 4 commits into
Open
Conversation
Two panics on valid API usage / untrusted input: - MerkleTree::verify_multi_proof panicked (stack.remove(0) on an empty vec) on malformed proofs that pass the up-front count checks, e.g. leaves=[], flags=[false], path=[h1, h2]. Proofs arrive over RPC, so this was a remote DoS. Malformed shapes now return false. - Receipt::generate_multi_proof_for_log_hashes panicked for any receipt with at least one log: join_prefix produced "log_hashes.[0]" while the tree was built with "log_hashes[0]", so the leaf lookup always failed and the expect() fired. Index segments now attach without a separator, consistent with index_prefix. No existing tree roots change: no current type produced dotted-index paths. Both have regression tests. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
12 libFuzzer targets (nightly-only, own workspace under types/fuzz) covering every encode/decode/parsing surface and the merkle tree: - merkle_build_prove / merkle_proof_soundness / merkle_verify: build+prove round-trips, tampered/garbage proof rejection for both single proofs and multiproofs, and no-panic on fully adversarial proof material - transaction_decode / transaction_roundtrip: decode_unsigned on raw bytes, and tagged + bare-legacy RLP encode/decode identity - signed_tx_serde / signed_tx_deserialize: JSON + bincode round-trips with signer recovery, and garbage-bytes robustness - receipt_serde: serde round-trips plus every log proof/multiproof verifying against the receipt root - timestamp_parse, pagination_cursor, calldata_serde, log_filter_serde CI runs a 15s smoke pass per target on nightly (fuzz.yml); longer exploratory runs are documented in fuzz/README.md. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
A floating nightly could break CI independent of repo changes. Pin to the version the fuzz suite was developed against; cargo invocations use the pinned default toolchain instead of +nightly. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
CallData asserted >= 4 bytes in new(), but serde deserialization never
enforced it and empty() violated it outright, so RPC/DB input could
produce values on which get_function_bytes()/get_body() panic.
Retype as { selector: [u8; 4], body: Bytes } so short calldata cannot
be constructed and the accessors are total. TryFrom<Bytes> is the
checked boundary for raw bytes (rejects < 4); serde goes through it.
The wire format is unchanged: hex string of selector ++ body for
human-readable formats, raw bytes otherwise.
Breaking: new() takes (selector, body); empty(), as_slice(), as_bytes()
are gone (to_bytes() returns the full blob). Nothing in the workspace
used them.
The calldata_serde fuzz target now exercises the accessors on every
value it can construct, including ones deserialized from garbage.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.