SFI: Fuzzing Test for AI Dev Gallery #576
Pull request overview
Adds a dedicated fuzzing project to AI Dev Gallery to harden URI/deeplink and model URL parsing code paths using libFuzzer/.NET + OneFuzz configuration and seed corpora.
Changes:
- Added new AIDevGallery.Fuzz project to the solution for fuzzing targets.
- Introduced fuzz targets for the app’s custom URI protocol handler and HuggingFace/GitHub URL parsing utilities.
- Added OneFuzzConfig.json plus seed corpora files for URI/URL inputs.
Reviewed changes
Copilot reviewed 19 out of 19 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| AIDevGallery.sln | Adds the new fuzzing project to the solution and build configurations. |
| AIDevGallery.Fuzz/AIDevGallery.Fuzz.csproj | New fuzzing project referencing AIDevGallery.Utils and copying OneFuzz config to output. |
| AIDevGallery.Fuzz/FuzzTargets.cs | Implements fuzz targets for deeplink URI parsing + HuggingFace/GitHub URL parsing. |
| AIDevGallery.Fuzz/OneFuzzConfig.json | Defines OneFuzz jobs for each fuzz target and their dependencies. |
| AIDevGallery.Fuzz/SeedCorpus/uri/scenarios_valid_id | Seed input for scenario deep link parsing. |
| AIDevGallery.Fuzz/SeedCorpus/uri/models_single_id | Seed input for model deep link parsing. |
| AIDevGallery.Fuzz/SeedCorpus/uri/apis_valid_id | Seed input for API deep link parsing. |
| AIDevGallery.Fuzz/SeedCorpus/uri/addmodel_with_scenario | Seed input for addmodel deeplink with GUID scenario. |
| AIDevGallery.Fuzz/SeedCorpus/uri/addmodel_simple_path | Seed input for addmodel deeplink with simple path + scenario. |
| AIDevGallery.Fuzz/SeedCorpus/huggingface/tree_with_ref | Seed HuggingFace URL (tree, ref only). |
| AIDevGallery.Fuzz/SeedCorpus/huggingface/tree_with_path | Seed HuggingFace URL (tree, ref + nested path). |
| AIDevGallery.Fuzz/SeedCorpus/huggingface/resolve_file | Seed HuggingFace URL (resolve file). |
| AIDevGallery.Fuzz/SeedCorpus/huggingface/repo_root_only | Seed HuggingFace URL (repo root). |
| AIDevGallery.Fuzz/SeedCorpus/huggingface/model_id_only | Seed HuggingFace model id (no scheme). |
| AIDevGallery.Fuzz/SeedCorpus/huggingface/blob_file | Seed HuggingFace URL (blob file). |
| AIDevGallery.Fuzz/SeedCorpus/github/tree_with_ref | Seed GitHub URL (tree, ref only). |
| AIDevGallery.Fuzz/SeedCorpus/github/tree_with_path | Seed GitHub URL (tree, ref + nested path). |
| AIDevGallery.Fuzz/SeedCorpus/github/repo_root_only | Seed GitHub URL (repo root). |
| AIDevGallery.Fuzz/SeedCorpus/github/blob_file | Seed GitHub URL (blob file). |
| // Critical: Test local path generation for path traversal | ||
| var localPath = hfUrl.GetLocalPath(@"C:\ModelCache"); | ||
|
|
||
| // Verify no path traversal occurred | ||
| if (!localPath.StartsWith(@"C:\ModelCache", StringComparison.OrdinalIgnoreCase)) | ||
| { | ||
| throw new InvalidOperationException($"Path traversal detected: {localPath}"); | ||
| } | ||
|
|
||
| // Check for path components that shouldn't be in a safe path | ||
| if (localPath.Contains("..")) | ||
| { | ||
| throw new InvalidOperationException($"Path contains '..': {localPath}"); | ||
| } |
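Review bot: The `StartsWith(@"C:\ModelCache", ...)` check is a raw string-prefix comparison, so a result under a sibling directory whose name merely begins with `ModelCache` passes it, and the `Contains("..")` check that follows does not catch that case. Compare the normalized full path against the root plus a trailing separator, and hoist the root literal, which currently appears twice, into one constant so the check cannot drift from the path handed to `GetLocalPath`.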
Copilot
AI
Feb 9, 2026
The traversal assertion is currently based on StartsWith("C:\ModelCache") and localPath.Contains(".."). This can both miss traversal after normalization and create false positives when ".." appears inside a normal segment (e.g., "repo..name"). Prefer comparing Path.GetFullPath(localPath) to a normalized cache root (including a trailing separator) and/or using Path.GetRelativePath to ensure the result doesn’t escape the cache root.
fixed
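The normalized containment check suggested in the review comment above, as an added example that is not code from this PR. `PathContainment`, `IsInsideRoot` and the sample paths are constructed for illustration, and Windows path semantics are assumed, matching the `C:\ModelCache` root used in the fuzz target.

```csharp
using System;
using System.IO;

// Added example: hypothetical helper, not part of AIDevGallery.
static class PathContainment
{
    // True when candidate, once normalized, is the root itself or lies beneath it.
    // Path.GetFullPath throws on malformed input (for example an embedded null),
    // so a fuzz target has to decide whether that counts as a finding.
    public static bool IsInsideRoot(string root, string candidate)
    {
        // Resolve "." and ".." segments and mixed separators before comparing.
        string fullRoot = Path.TrimEndingDirectorySeparator(Path.GetFullPath(root));
        string fullCandidate = Path.GetFullPath(candidate);

        if (string.Equals(fullCandidate, fullRoot, StringComparison.OrdinalIgnoreCase))
        {
            return true;
        }

        // The trailing separator stops "C:\ModelCacheOther" from matching "C:\ModelCache".
        return fullCandidate.StartsWith(
            fullRoot + Path.DirectorySeparatorChar,
            StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        const string root = @"C:\ModelCache";

        // Constructed sample paths.
        string[] samples =
        {
            @"C:\ModelCache\org\repo\main\model.onnx",   // ordinary cached file
            @"C:\ModelCache\org\repo..name\model.onnx",  // ".." inside a normal segment
            @"C:\ModelCacheOther\model.onnx",            // sibling directory sharing the prefix
            @"C:\ModelCache\org\..\..\Windows\x.dll",    // traversal out of the root
        };

        foreach (string s in samples)
        {
            // The two string checks from the fuzz target, for comparison.
            bool stringChecks = s.StartsWith(root, StringComparison.OrdinalIgnoreCase)
                                && !s.Contains("..");
            Console.WriteLine($"{s,-44} string={stringChecks,-5} normalized={IsInsideRoot(root, s)}");
        }
    }
}
```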
AIDevGallery.Fuzz/FuzzTargets.cs
Outdated
| else if (host.Equals("scenarios", StringComparison.OrdinalIgnoreCase)) | ||
| { | ||
| // Test scenario ID extraction | ||
| if (pathComponents.Length > 0) | ||
| { | ||
| _ = pathComponents[0]; | ||
| } |
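Review bot: `_ = pathComponents[0];` under the `Length > 0` guard cannot throw and discards the value, so the "scenarios" branch gives the fuzzer nothing to detect despite the "Test scenario ID extraction" comment. Pass the extracted ID to the same lookup or validation the app's handler performs, or drop the branch.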
Copilot
AI
Feb 9, 2026
These 'if' statements can be combined.
| else if (host.Equals("scenarios", StringComparison.OrdinalIgnoreCase)) | |
| { | |
| // Test scenario ID extraction | |
| if (pathComponents.Length > 0) | |
| { | |
| _ = pathComponents[0]; | |
| } | |
| else if (host.Equals("scenarios", StringComparison.OrdinalIgnoreCase) && | |
| pathComponents.Length > 0) | |
| { | |
| // Test scenario ID extraction | |
| _ = pathComponents[0]; |
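Review bot: Folding `pathComponents.Length > 0` into the `else if` condition changes the fall-through. In the nested form a "scenarios" host with no path components is consumed by this branch, while with the combined condition it continues to whatever `else if` or `else` follows. Confirm the later branches handle that input as intended, or keep the nested `if`.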
addressed
010fcac to
2ce4a55
Compare
Implements Fuzzing Test for AI Dev Gallery. This PR introduces a new fuzzing project to the solution, focused on improving the robustness and security for the app. It adds a new .NET project for fuzz testing, defines fuzzing targets for protocol handlers and URL parsers, provides configuration for integration with OneFuzz, and includes seed corpora for effective fuzzing coverage.
Fuzzing infrastructure:
- AIDevGallery.Fuzz to the solution, including its project file and solution integration, to support fuzz testing of critical components.
- FuzzTargets.cs with fuzz targets for the following scenarios including checks for path traversal and malformed input handling:

Fuzzing configuration and automation:
- OneFuzzConfig.json to configure OneFuzz jobs for each fuzz target, specifying job dependencies and notification settings.

Seed corpora for fuzzing:
- SeedCorpus/ for URIs, HuggingFace URLs, and GitHub URLs to ensure broad input coverage for fuzzing.

These changes enable automated fuzz testing for key parsing logic, helping to proactively identify and mitigate security vulnerabilities and robustness issues in the application.