OSS-Fuzz for CPython
CPython uses OSS-Fuzz, Google’s continuous fuzzing service for open source projects, to find bugs and security vulnerabilities by feeding semi-random data to various APIs.
CPython has two OSS-Fuzz projects:
cpython3: The fuzz targets, seed corpora, and dictionaries can be found in the Modules/_xxtestfuzz/ directory of CPython. This project is maintained for existing fuzz targets; new targets should be added to python3-libraries.
python3-libraries: The fuzz targets, seed corpora, and dictionaries can be found in the python/library-fuzzers repository. Access to the repository is managed through the @python/fuzzers team on GitHub.
OSS-Fuzz bug reports are private when filed, so access to crash details and
reproducer test cases is limited to those listed in the auto_ccs fields of
the OSS-Fuzz project configuration files. Those listed can log into
https://oss-fuzz.com/ with their Google account to view crash details,
reproducer test cases, and project statistics.
If you need access, contact the @python/fuzzers team.
Completed issues, and issues that remain unresolved after 90 days, are publicly
visible in the OSS-Fuzz issue tracker.
Coverage and target statistics are available in the OSS-Fuzz Introspector project profiles for cpython3 and python3-libraries.
In addition, CIFuzz
runs the fuzz targets on GitHub Actions for PRs to the main branch changing
relevant files.
See also
The libFuzzer documentation for details about the fuzzing engine used by OSS-Fuzz.
Adding new targets
New targets should be added to the python3-libraries project. For more
information, see the documentation in the python/library-fuzzers
repository.
If the new target covers a standard library module, update the relevant CIFuzz
path configuration so pull requests touching that module trigger fuzzing. See
the LIBRARY_FUZZER_PATHS set in Tools/build/compute-changes.py.