Skip to content

Add fuzzing test for yaml.Marshal and yaml.Unmarshal #137

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
rhysd wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Add fuzzing test for yaml.Marshal and yaml.Unmarshal #137

rhysd wants to merge 7 commits into from

Conversation

@rhysd
Copy link
Contributor

@rhysd rhysd commented Oct 4, 2025
edited
Loading

This PR adds a fuzzing test for go-yaml package using Go's standard fuzzing framework.

  • Add a minimal fuzz test case to validate yaml.Unmarshal and yaml.Marshal work without panics
  • Add make task to run fuzzing test in one command (make fuzz)
  • Add CI workflow which runs the fuzzing test for 10 minutes weekly (on every Saturday 6:00 AM). Since running fuzzing test takes a bit longer time, it is not suitable for running on every commit

Copilot AI review requested due to automatic review settings October 4, 2025 10:19
Copilot AI reviewed Oct 4, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds fuzzing test capabilities to the go-yaml package to validate that yaml.Marshal and yaml.Unmarshal functions work without panics using Go's standard fuzzing framework.

  • Implements a fuzzing test that seeds with existing YAML test data and validates round-trip marshal/unmarshal operations
  • Adds make target for easy fuzzing execution with configurable duration
  • Sets up weekly CI workflow to run fuzzing tests automatically

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File Description
fuzz_test.go Implements the main fuzzing test function with seed corpus setup from existing test data
README.md Documents the new make fuzz command for running fuzzing tests
GNUmakefile Adds fuzz target with configurable time parameter for running fuzzing tests
.github/workflows/fuzz.yaml Creates CI workflow to run fuzzing tests weekly on Saturdays

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

.github/workflows/fuzz.yaml
- name: Upload failing inputs as artifact
uses: actions/upload-artifact@v4
with:
path: testdata/fuzz
Copy link

Copilot AI Oct 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The artifact upload path testdata/fuzz appears to be hardcoded and may not match where Go's fuzzing framework actually stores failing inputs. Go typically stores fuzz failures in testdata/fuzz/FuzzFunctionName/ directories. Consider using a wildcard pattern like testdata/fuzz/** or verify the correct path.

Suggested change
path: testdata/fuzz
path: testdata/fuzz/**

Copilot uses AI. Check for mistakes.
github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 4, 2025
View reviewed changes
.github/workflows/fuzz.yaml Fixed
Comment on lines 9 to 24
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version: stable
- name: Run fuzzing test for 10 minutes
run: make fuzz time=600s
- name: Upload failing inputs as artifact
uses: actions/upload-artifact@v4
with:
path: testdata/fuzz
if-no-files-found: ignore

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
Copy link
Contributor

@SVilgelm SVilgelm Nov 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agree, you probably need to set write permission for artifacts

ccoVeille
ccoVeille reviewed Oct 4, 2025
View reviewed changes
@rhysd rhysd force-pushed the fuzz branch 2 times, most recently from 39ff61e to cfaf346 Compare October 4, 2025 16:59
@rhysd rhysd requested a review from ccoVeille October 4, 2025 17:04
SVilgelm
SVilgelm requested changes Nov 3, 2025
View reviewed changes
.github/workflows/fuzz.yaml Outdated
Comment on lines 7 to 8
permissions:
contents: read # for actions/checkout to fetch code
Copy link
Contributor

@SVilgelm SVilgelm Nov 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please change it to read-all, because it is unclear what permissions are in use for other types

Suggested change
permissions:
contents: read # for actions/checkout to fetch code
permissions: read-all

.github/workflows/fuzz.yaml Outdated
fuzz:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
Copy link
Contributor

@SVilgelm SVilgelm Nov 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we changed all other workflows to pin the actions to sha, could you please check the changes in main branch and update this one?

.github/workflows/fuzz.yaml Fixed
Comment on lines 9 to 24
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version: stable
- name: Run fuzzing test for 10 minutes
run: make fuzz time=600s
- name: Upload failing inputs as artifact
uses: actions/upload-artifact@v4
with:
path: testdata/fuzz
if-no-files-found: ignore
Copy link
Contributor

@SVilgelm SVilgelm Nov 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agree, you probably need to set write permission for artifacts

@rhysd
Copy link
Contributor Author

rhysd commented Nov 30, 2025

I apologize for the lack of response because I was working on other projects. I rebased this branch onto the latest main branch and addressed all comments.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@SVilgelm SVilgelm SVilgelm requested changes

@ccoVeille ccoVeille ccoVeille approved these changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rhysd @SVilgelm @ccoVeille