Add simple fuzz test (#34)

* Add simple fuzz test

Signed-off-by: Jason Hall <[email protected]>

* Fix fuzz finding, add fuzz tests to GitHub Actions CI

---------

Signed-off-by: Jason Hall <[email protected]>

Author: imjasonh

.github/workflows/test.yaml

@@ -31,3 +31,6 @@ jobs:
         run: |
           GO111MODULE=off go get github.com/mattn/goveralls
           $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
+
+      - name: Fuzz tests
+        run: make fuzz

Makefile

@@ -4,6 +4,12 @@ test:
 	curl -Ls https://raw.githubusercontent.com/package-url/purl-spec/master/test-suite-data.json -o testdata/test-suite-data.json
 	go test -v -cover ./...
 
+fuzz:
+	go test -fuzztime=1m -fuzz .
+
+clean:
+	find . -name "test-suite-data.json" | xargs rm -f
+
 lint:
 	go get -u golang.org/x/lint/golint
 	golint -set_exit_status

README.md

@@ -72,3 +72,19 @@ PASS
         github.com/package-url/packageurl-go    coverage: 90.7% of statements
 ok      github.com/package-url/packageurl-go    0.004s  coverage: 90.7% of statements
 ```
+
+## Fuzzing
+
+Fuzzing is done with standard [Go fuzzing](https://go.dev/doc/fuzz/), introduced in Go 1.18.
+
+Fuzz tests check for inputs that cause `FromString` to panic.
+
+Using `make fuzz` will run fuzz tests for one minute.
+
+To run fuzz tests longer:
+
+```
+go test -fuzztime=60m -fuzz .
+```
+
+Or omit `-fuzztime` entirely to run indefinitely.

fuzz_test.go

@@ -0,0 +1,36 @@
+/*
+Copyright (c) the purl authors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+*/
+
+package packageurl
+
+import (
+	"fmt"
+	"testing"
+)
+
+func FuzzFromString(f *testing.F) {
+	f.Fuzz(func(t *testing.T, s string) {
+		// Test that parsing doesn't panic.
+		_, _ = FromString(s)
+		fmt.Print(s)
+	})
+}

packageurl.go

@@ -257,6 +257,9 @@ func FromString(purl string) (PackageURL, error) {
 		qualifier := remainder[index+1:]
 		for _, item := range strings.Split(qualifier, "&") {
 			kv := strings.Split(item, "=")
+			if len(kv) != 2 {
+				return PackageURL{}, fmt.Errorf("wanted 2 kv segments, got %d", len(kv))
+			}
 			key := strings.ToLower(kv[0])
 			key, err := url.PathUnescape(key)
 			if err != nil {

testdata/fuzz/FuzzFromString/771e938e4458e983a736261a702e27c7a414fd660a15b63034f290b146d2f217

@@ -0,0 +1,2 @@
+go test fuzz v1
+string("0")

testdata/fuzz/FuzzFromString/d0a861fe9b7c443af2b649e08753442111b630dd29fcd570543db3f9351158aa

@@ -0,0 +1,2 @@
+go test fuzz v1
+string("?A")