oss fuzz integration (#13473)

* Update api/types/fuzz_test.go
* do not fail if the file is missing
* missing go-118-fuzz-build fix

Co-authored-by: Zac Bergquist <[email protected]>

api/types/fuzz_test.go

@@ -0,0 +1,31 @@
+/*
+Copyright 2022 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package types
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func FuzzParseDuration(f *testing.F) {
+	f.Fuzz(func(t *testing.T, s string) {
+		require.NotPanics(t, func() {
+			parseDuration(s)
+		})
+	})
+}

api/utils/aws/fuzz_test.go

@@ -0,0 +1,47 @@
+/*
+Copyright 2022 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package aws
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func FuzzParseRDSEndpoint(f *testing.F) {
+	f.Fuzz(func(t *testing.T, endpoint string) {
+		require.NotPanics(t, func() {
+			ParseRDSEndpoint(endpoint)
+		})
+	})
+}
+
+func FuzzParseRedshiftEndpoint(f *testing.F) {
+	f.Fuzz(func(t *testing.T, endpoint string) {
+		require.NotPanics(t, func() {
+			ParseRedshiftEndpoint(endpoint)
+		})
+	})
+}
+
+func FuzzParseElastiCacheEndpoint(f *testing.F) {
+	f.Fuzz(func(t *testing.T, endpoint string) {
+		require.NotPanics(t, func() {
+			ParseElastiCacheEndpoint(endpoint)
+		})
+	})
+}

fuzz/corpora/fuzz_mongo_read/1

@@ -0,0 +1 @@
+000�000000000000

fuzz/corpora/fuzz_parse_saml_in_response_to/saml_okta_response

@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?><saml2p:Response Destination="https://boson.tener.io:3080/v1/webapi/saml/acs" ID="id336368461455218662129342736" InResponseTo="_4f256462-6c2d-466d-afc0-6ee36602b6f2" IssueInstant="2022-04-25T08:55:18.710Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exk14fxcpjuKMcor30h8</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#id336368461455218662129342736"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>uBRfvYvl5C/LPCh36uAmRLHW76+aDP3ngChtIwP3/Fc=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>M1VfkOOBH6r7niHhfGvf4OJ1HH5QJl83aD/b+mTDUUnXzHXgXlkb0BGQkSFn6ixojwCoXchpxCNzVLPN/tvfyY1dxP4MO8b+/07bGuVD2yTNlhN43/FFcDpmZ1ZDW8w2nPF1E5gy1lR8Wx2NgT3kQ2Ui1vRNX/KeX/P9NnABj4AjcshyHK2e49WLM/D4U84XOl7ODtzS7PTvtB0SGIwRE25G//8AsAv81eBfHL54Nz1HAqinMhxQtz32ZDXpKaAV6GypyBTvk6vo7Pkk4OiL6G9VIGC8Bd/gnavsc+Ickfuo7KTq8NDKTLB5WG34XKJqq6dGopSMrxr67oYjCEDZfw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX4zyofpMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
+A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
+MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi04MTMzNTQxHDAaBgkqhkiG9w0BCQEW
+DWluZm9Ab2t0YS5jb20wHhcNMjIwMTA3MDkwNTU4WhcNMzIwMTA3MDkwNjU4WjCBkjELMAkGA1UE
+BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV
+BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtODEzMzU0MRwwGgYJ
+KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+xQz+tLD5cNlOBfdohHvqNWIfC13OCSnUAe20qA0K8y+jtZrpwjtjjLX8iRuCx8dYc/nd6zYOhhSq
+2sLmrRa09wUXXTgnLGcj50gePTaroYLyF4FNgQWLvPHJk0FGcx6JvD6L+V5RzYwH87Fhg8niP4LZ
+EBw3iZnsIJN9KOuLuQeXTW0PIlMFzpCwT9aUCHCoLepe5Ou8oi8XcOCmsOESHPchV2RC/xQDIqRP
+Lp1Sf7NNJ6mTmP2gOoLwsz95beOLrEI+PI/GgZBqM3OutWA0L9mAbJK9T5dPAvhnwCV+SK2HvicJ
+T8c6uJxuKmoWv1t3SyaN0cIbmw6vj9CIf4DTwQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCWGgLL
+f3tgUZRGjmR5iiKeOeaEWG/eaF1nfenVfSaWT9ckimcXyLCY/P7CXEBiioVrxjky07iceJpi4rVE
+RcVZ8SGXCa0NroESmIFlIHez6vRTrqUsfDmidxsSCwY02eaBq+9gK5iXV5WeXMKbn0yeGwF+3PkU
+RAH1HuypwMH0FJRLIdW36pw7FCrGrXpk3UC6mEumXC9FptjSK1FlW+ZckgDprePOoUpypEygr2UC
+XXOsqT0dwBUUttdOQMZHqIiXS5VPJ8zhYPHBGYI8WGk5FWVuXIXhgRm7LN/EyXIvCOFmDH0tVnQL
+V115UGOwvjOOxmOFbYBn865SHgMndFtr</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:Assertion ID="id33636846145688909913681942" IssueInstant="2022-04-25T08:55:18.710Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exk14fxcpjuKMcor30h8</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#id33636846145688909913681942"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>XwJSotSzU2qLdzu/WDk8dpQ/Cy1Id88932S/95+N+Ds=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>qyIvGi1+w93AdGUj0+T5RYAq+CAjLSScMTMc7dLTEze6qr3mP51W/bCoZz8E47lpsbLeh0EiATa6h2Uaj6/34rILfCt3aQRNjNicu0gBKhePyNraapdnoyeqJEV8UrAOOKFiH30e5AvQ1nRZqfgY7KMt6cZH5/eXjUS63lPJJn4yr9vLw9loCdHCoHlaseh2IHi7CickyyxSMTX+Y58zpBy2g/KwN3K4oZM4a10ZYWkZpzkZJXDRSUkEc/wTTO7IPPY7Zv7R7UC+zjf5Px1sYeKTkkIxlZViZmtqjYuhibnTmhroJx7wX/LtOPxCkwLHlQRDACBNbP/UtrudU1ZMxA==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX4zyofpMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
+A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
+MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi04MTMzNTQxHDAaBgkqhkiG9w0BCQEW
+DWluZm9Ab2t0YS5jb20wHhcNMjIwMTA3MDkwNTU4WhcNMzIwMTA3MDkwNjU4WjCBkjELMAkGA1UE
+BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV
+BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtODEzMzU0MRwwGgYJ
+KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+xQz+tLD5cNlOBfdohHvqNWIfC13OCSnUAe20qA0K8y+jtZrpwjtjjLX8iRuCx8dYc/nd6zYOhhSq
+2sLmrRa09wUXXTgnLGcj50gePTaroYLyF4FNgQWLvPHJk0FGcx6JvD6L+V5RzYwH87Fhg8niP4LZ
+EBw3iZnsIJN9KOuLuQeXTW0PIlMFzpCwT9aUCHCoLepe5Ou8oi8XcOCmsOESHPchV2RC/xQDIqRP
+Lp1Sf7NNJ6mTmP2gOoLwsz95beOLrEI+PI/GgZBqM3OutWA0L9mAbJK9T5dPAvhnwCV+SK2HvicJ
+T8c6uJxuKmoWv1t3SyaN0cIbmw6vj9CIf4DTwQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCWGgLL
+f3tgUZRGjmR5iiKeOeaEWG/eaF1nfenVfSaWT9ckimcXyLCY/P7CXEBiioVrxjky07iceJpi4rVE
+RcVZ8SGXCa0NroESmIFlIHez6vRTrqUsfDmidxsSCwY02eaBq+9gK5iXV5WeXMKbn0yeGwF+3PkU
+RAH1HuypwMH0FJRLIdW36pw7FCrGrXpk3UC6mEumXC9FptjSK1FlW+ZckgDprePOoUpypEygr2UC
+XXOsqT0dwBUUttdOQMZHqIiXS5VPJ8zhYPHBGYI8WGk5FWVuXIXhgRm7LN/EyXIvCOFmDH0tVnQL
+V115UGOwvjOOxmOFbYBn865SHgMndFtr</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="_4f256462-6c2d-466d-afc0-6ee36602b6f2" NotOnOrAfter="2022-04-25T09:00:18.711Z" Recipient="https://boson.tener.io:3080/v1/webapi/saml/acs"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2022-04-25T08:50:18.711Z" NotOnOrAfter="2022-04-25T09:00:18.711Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:AudienceRestriction><saml2:Audience>https://boson.tener.io:3080/v1/webapi/saml/acs</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2022-04-25T08:03:11.779Z" SessionIndex="_4f256462-6c2d-466d-afc0-6ee36602b6f2" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Everyone</saml2:AttributeValue><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">okta-admin</saml2:AttributeValue><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">okta-dev</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></saml2p:Response>

fuzz/oss-fuzz-build.sh

@@ -0,0 +1,143 @@
+#!/bin/bash -eu
+
+TELEPORT_PREFIX="github.com/gravitational/teleport"
+
+prepare_teleport() {
+
+  go get github.com/AdamKorcz/go-118-fuzz-build/utils
+  go get -u all || true
+  go mod tidy
+  go get github.com/AdamKorcz/go-118-fuzz-build/utils
+
+  # Fix /root/go/pkg/mod/github.com/aws/aws-sdk-go-v2/internal/[email protected]/fuzz.go:13:21:
+  # not enough arguments in call to Parse
+  rm -f /root/go/pkg/mod/github.com/aws/aws-sdk-go-v2/internal/ini@*/fuzz.go
+
+}
+
+prepare_teleport_api() {
+
+  (cd api; go get github.com/AdamKorcz/go-118-fuzz-build/utils)
+
+}
+
+build_teleport_fuzzers() {
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/lib/services \
+    FuzzParserEvalBoolPredicate fuzz_parser_eval_bool_predicate
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/lib/auth \
+    FuzzParseSAMLInResponseTo fuzz_parse_saml_in_response_to
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/lib/restrictedsession \
+    FuzzParseIPSpec fuzz_parse_ip_spec
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/lib/services \
+    FuzzParseRefs fuzz_parse_refs
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/lib/srv/db/redis \
+    FuzzParseRedisAddress fuzz_parse_redis_address
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/lib/sshutils/x11 \
+    FuzzParseDisplay fuzz_parse_display
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/lib/utils/parse \
+    FuzzNewExpression fuzz_new_expression
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/lib/utils/parse \
+    FuzzNewMatcher fuzz_new_matcher
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/lib/utils \
+    FuzzParseProxyJump fuzz_parse_proxy_jump
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/lib/utils \
+    FuzzParseWebLinks fuzz_parse_web_links
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/lib/utils \
+    FuzzReadYAML fuzz_read_yaml
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/lib/client \
+    FuzzParseProxyHost fuzz_parse_proxy_host
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/lib/srv/regular \
+    FuzzParseProxySubsys fuzz_parse_proxy_subsys
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/lib/kube/proxy \
+    FuzzParseResourcePath fuzz_parse_resource_path
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/lib/srv/db/mysql/protocol \
+    FuzzParsePacket fuzz_parse_mysql_packet
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/lib/srv/db/mysql/protocol \
+    FuzzFetchMySQLVersion fuzz_fetch_mysql_version
+
+# compile_native_go_fuzzer $TELEPORT_PREFIX/lib/auth \
+#   FuzzParseAndVerifyIID fuzz_parse_and_verify_iid
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/lib/client \
+    FuzzParseLabelSpec fuzz_parse_label_spec
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/lib/srv/db/sqlserver/protocol \
+    FuzzMSSQLLogin fuzz_mssql_login
+
+# compile_native_go_fuzzer $TELEPORT_PREFIX/lib/srv/db/mongodb/protocol \
+#   FuzzMongoRead fuzz_mongo_read
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/lib/services \
+    FuzzParserEvalBoolPredicate fuzz_parser_eval_bool_predicate
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/lib/auth/webauthn \
+    FuzzParseCredentialCreationResponseBody fuzz_parse_credential_creation_response_body
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/lib/auth/webauthn \
+    FuzzParseCredentialRequestResponseBody fuzz_parse_credential_request_response_body
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/lib/web \
+    FuzzTdpMFACodecDecode fuzz_tdp_mfa_codec_decode
+
+}
+
+build_teleport_api_fuzzers() {
+
+  cd api
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/api/types \
+    FuzzParseDuration fuzz_parse_duration
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/api/utils/aws \
+    FuzzParseRDSEndpoint fuzz_parse_rds_endpoint
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/api/utils/aws \
+    FuzzParseRedshiftEndpoint fuzz_parse_redshift_endpoint
+
+  compile_native_go_fuzzer $TELEPORT_PREFIX/api/utils/aws \
+    FuzzParseElastiCacheEndpoint fuzz_parse_elasti_cache_endpoint
+
+  cd -
+
+}
+
+compile() {
+
+  prepare_teleport
+  prepare_teleport_api
+
+  build_teleport_fuzzers
+  build_teleport_api_fuzzers
+
+}
+
+copy_corpora() {
+
+  # generate corpus
+  for fuzzer_path in fuzz/corpora/fuzz_*
+  do
+    fuzzer_name=$OUT/$(basename "$fuzzer_path")
+    rm -f "$fuzzer_name"_seed_corpus.zip
+    zip --junk-paths "$fuzzer_name"_seed_corpus.zip $fuzzer_path/*
+  done
+
+}
+
+copy_corpora
+compile

lib/auth/fuzz_test.go

@@ -0,0 +1,44 @@
+/*
+Copyright 2022 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"encoding/base64"
+	"testing"
+
+	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/require"
+)
+
+func FuzzParseSAMLInResponseTo(f *testing.F) {
+	// Disable Go App Engine logging
+	logrus.SetLevel(logrus.PanicLevel)
+
+	f.Fuzz(func(t *testing.T, response string) {
+		require.NotPanics(t, func() {
+			ParseSAMLInResponseTo(base64.StdEncoding.EncodeToString([]byte(response)))
+		})
+	})
+}
+
+func FuzzParseAndVerifyIID(f *testing.F) {
+	f.Fuzz(func(t *testing.T, iidBytes []byte) {
+		require.NotPanics(t, func() {
+			parseAndVerifyIID(iidBytes)
+		})
+	})
+}

lib/auth/webauthn/fuzz_test.go

@@ -0,0 +1,44 @@
+/*
+Copyright 2022 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package webauthn
+
+import (
+	"bytes"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/duo-labs/webauthn/protocol"
+)
+
+func FuzzParseCredentialCreationResponseBody(f *testing.F) {
+	f.Fuzz(func(t *testing.T, body []byte) {
+
+		require.NotPanics(t, func() {
+			protocol.ParseCredentialCreationResponseBody(bytes.NewReader(body))
+		})
+	})
+}
+
+func FuzzParseCredentialRequestResponseBody(f *testing.F) {
+	f.Fuzz(func(t *testing.T, body []byte) {
+
+		require.NotPanics(t, func() {
+			protocol.ParseCredentialRequestResponseBody(bytes.NewReader(body))
+		})
+	})
+}

lib/client/fuzz_test.go

@@ -0,0 +1,47 @@
+/*
+Copyright 2022 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package client
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func FuzzParseProxyHost(f *testing.F) {
+	f.Fuzz(func(t *testing.T, proxyHost string) {
+		require.NotPanics(t, func() {
+			ParseProxyHost(proxyHost)
+		})
+	})
+}
+
+func FuzzParseLabelSpec(f *testing.F) {
+	f.Fuzz(func(t *testing.T, spec string) {
+		require.NotPanics(t, func() {
+			ParseLabelSpec(spec)
+		})
+	})
+}
+
+func FuzzParseSearchKeywords(f *testing.F) {
+	f.Fuzz(func(t *testing.T, spec string, customDelimiter rune) {
+		require.NotPanics(t, func() {
+			ParseSearchKeywords(spec, customDelimiter)
+		})
+	})
+}