Implement fuzzing of individual gitlab components and third party libraries that gitlab uses
There are many security issues which arose from the poor use of third-party libraries (such as https://hackerone.com/reports/1543718).
When looking through the Gemfile there are quite a few that jump out as potential security risks:
```ruby
# Pretty much all of these process user input:
# Markdown and HTML processing
gem 'html-pipeline', '~> 2.14.3', feature_category: :team_planning
gem 'deckar01-task_list', '2.3.4', feature_category: :team_planning
gem 'gitlab-markup', '~> 1.9.0', require: 'github/markup' # rubocop:todo Gemfile/MissingFeatureCategory
gem 'commonmarker', '~> 0.23.10', feature_category: :team_planning
gem 'kramdown', '~> 2.3.1' # rubocop:todo Gemfile/MissingFeatureCategory
gem 'RedCloth', '~> 4.3.3' # rubocop:todo Gemfile/MissingFeatureCategory
gem 'org-ruby', '~> 0.9.12' # rubocop:todo Gemfile/MissingFeatureCategory
gem 'creole', '~> 0.5.0' # rubocop:todo Gemfile/MissingFeatureCategory
gem 'wikicloth', '0.8.1' # rubocop:todo Gemfile/MissingFeatureCategory
gem 'asciidoctor', '~> 2.0.18' # rubocop:todo Gemfile/MissingFeatureCategory
gem 'asciidoctor-include-ext', '~> 0.4.0', require: false # rubocop:todo Gemfile/MissingFeatureCategory
gem 'asciidoctor-plantuml', '~> 0.0.16' # rubocop:todo Gemfile/MissingFeatureCategory
gem 'asciidoctor-kroki', '~> 0.10.0', require: false # rubocop:todo Gemfile/MissingFeatureCategory
gem 'rouge', '~> 4.3.0', feature_category: :shared
gem 'truncato', '~> 0.7.12' # rubocop:todo Gemfile/MissingFeatureCategory
gem 'nokogiri', '~> 1.16' # rubocop:todo Gemfile/MissingFeatureCategory
gem 'gitlab-glfm-markdown', '~> 0.0.19', feature_category: :team_planning
# This one parses attacker controlled time and date strings:
gem 'fugit', '~> 1.8.1' # rubocop:todo Gemfile/MissingFeatureCategory
# This one processes version numbers and is actually maintained by gitlab itself:
gem 'semver_dialects', '~> 3.0', feature_category: :software_composition_analysis
# These also process user input
gem 'email_reply_trimmer', '~> 0.1' # rubocop:todo Gemfile/MissingFeatureCategory
gem 'html2text' # rubocop:todo Gemfile/MissingFeatureCategory
gem 'toml-rb', '~> 2.2.0' # rubocop:todo Gemfile/MissingFeatureCategory
gem 'mail', '= 2.8.1' # rubocop:todo Gemfile/MissingFeatureCategory
gem 'valid_email', '~> 0.1' # rubocop:todo Gemfile/MissingFeatureCategory
gem 'parslet', '~> 1.8' # rubocop:todo Gemfile/MissingFeatureCategory
# Work with RPM packages
gem 'arr-pm', '~> 0.0.12' # rubocop:todo Gemfile/MissingFeatureCategory
```
There are also many internal GitLab pipelines and features, all of which parse user-controlled data, and those would of course need their own dedicated fuzzers.
One good option for such fuzzing is ruzzy (https://github.com/trailofbits/ruzzy), which was developed specifically for fuzzing Ruby code.
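As an added illustration (not code from this issue, from GitLab or from the ruzzy project) of what one such per-gem harness looks like: the important design decision is to rescue only the exceptions a parser is allowed to raise on malformed input, so that any other exception or a hang escapes and is recorded as a finding. It assumes the `Ruzzy.fuzz(lambda)` entry point shown in the ruzzy README, and uses a constructed stand-in parser in place of a real gem; `replay` lets the same harness run over a seed corpus without ruzzy installed.

```ruby
require 'timeout'
begin
  require 'ruzzy'
rescue LoadError
  # ruzzy absent (e.g. outside the fuzzing container): corpus replay only
end

# Exceptions a parser may legitimately raise on hostile input. Extend per gem
# (e.g. the gem's own error classes). Anything else (NoMethodError, TypeError,
# SystemStackError, a hang past the timeout, ...) is a finding and propagates,
# so libFuzzer records the crashing input.
EXPECTED = [ArgumentError, RangeError].freeze

# Build the libFuzzer-style entry point for one parser. `parser` is any
# callable taking the raw input String; `timeout` turns catastrophic regex
# backtracking or an infinite loop into a reportable error instead of a hang.
def make_target(parser, expected: EXPECTED, timeout: 2)
  lambda do |data|
    Timeout.timeout(timeout) { parser.call(data.to_s) }
    0 # ruzzy/libFuzzer expects the harness to return 0
  rescue *expected
    0 # expected rejection of malformed input: not a bug
  end
end

# Offline corpus replay (no ruzzy needed): maps each input to the unexpected
# exception it triggered, or nil when the target survived it.
def replay(target, corpus)
  corpus.each_with_object({}) do |input, results|
    target.call(input)
    results[input] = nil
  rescue Exception => e # any escaping exception is a crash, so catch them all
    results[input] = e
  end
end

# Constructed stand-in for a real gem's parser (swap in e.g. Fugit.parse or
# Kramdown::Document.new): it rejects garbage with ArgumentError but crashes
# with TypeError when the minute field is missing, the kind of bug the
# harness exists to surface.
STANDIN = lambda do |s|
  h, m = s.split(':')
  Integer(h) * 60 + Integer(m)
end

SEEDS = ['10:30', 'garbage', '10', ''].freeze # constructed seed corpus

Ruzzy.fuzz(make_target(STANDIN)) if defined?(Ruzzy) # assumed API from README
```

In a real run each listed gem gets its own file with its parser and its own `expected` list, and the `replay` path can run as a CI regression check over the crash corpus ruzzy produces.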