Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fuzzing for EdgeX REST/MQTT interfaces [ossf silver] #714

Open
3 of 5 tasks
bnevis-i opened this issue Oct 3, 2022 · 3 comments
Open
3 of 5 tasks

Fuzzing for EdgeX REST/MQTT interfaces [ossf silver] #714

bnevis-i opened this issue Oct 3, 2022 · 3 comments
Assignees
@vli11
Labels
enhancement New feature or request

Comments

@bnevis-i
Copy link
Contributor

bnevis-i commented Oct 3, 2022
edited by lenny-goodell
Loading

🚀 Feature Request

In order to find potential vulnerabilities in EdgeX's APIs, all EdgeX REST and MQTT incoming interfaces (provided by EdgeX components) should be fuzz tested, and fuzz tested should be integrated into our testing framework.

This task does not require fixing the bug, just fuzzing the interfaces, confirming fuzz failures (reproducible with a good explanation on why it is a bug), and file the issue.

OpenSSF Silver Badge requirement:
The project results MUST check all inputs from potentially untrusted sources to ensure they are valid (an allowlist), and reject invalid inputs, if there are any restrictions on the data at all. [input_validation]
Note that comparing input against a list of "bad formats" (aka a denylist) is normally not enough, because attackers can often work around a denylist. In particular, numbers are converted into internal formats and then checked if they are between their minimum and maximum (inclusive), and text strings are checked to ensure that they are valid text patterns (e.g., valid UTF-8, length, syntax, etc.). Some data may need to be "anything at all" (e.g., a file uploader), but these would typically be rare.

  • Core Data
  • Core Metadata
  • Core Command
  • Support Notifications
  • Support Scheduler
@bnevis-i bnevis-i added the enhancement New feature or request label Oct 3, 2022
@bnevis-i bnevis-i changed the title Fuzzing for EdgeX REST/MQTT interfaces Fuzzing for EdgeX REST/MQTT interfaces [ossf silver] Nov 7, 2022
@bnevis-i
Copy link
Contributor Author

While not integrated into TAF, fuzzing tests have been added to edgex-go in edgexfoundry/edgex-go#4569

@bnevis-i bnevis-i reopened this Aug 16, 2023
@lenny-goodell
Copy link
Member

@cloudxxx8 , @jumpingliu , This is the larger issue for adding the fuzzing testing. Valina got thru the core-data, core-command & support-notifications. core-metadata and support-scheduler are still TBD. I have added a checklist to the description above to reflect this.

Here is the PR for support-notifications for reference:
https://github.com/edgexfoundry/edgex-go/pull/4744/files

The swagger files need more details for proper fuzz testing.

Once these are complete, issues are submitted for true fuzz test failures. Most, if not all, are due to returning Internal Server Error when Bad request should be returned.

You can move this into Ice Box also if there are no plans to complete this "Test" phase.

@jumpingliu
Copy link
Contributor

@lenny-intel Thanks Lenny, right now our team doesn't have the bandwidth for this, so move to Ice Box for now

@github-project-automation github-project-automation bot moved this to New Issues in Technical WG Jul 30, 2024
@jumpingliu jumpingliu moved this from New Issues to Icebox in Technical WG Jul 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vli11 vli11

Labels
enhancement New feature or request
Projects
Technical WG
Status: Icebox
Milestone
No milestone
Development

No branches or pull requests
4 participants
@vli11 @bnevis-i @lenny-goodell @jumpingliu