CPython uses OSS-Fuzz, Google's continuous fuzzing service for open-source projects, to find bugs and security vulnerabilities by feeding semi-random data to various APIs.
CPython has two OSS-Fuzz projects:
- cpython3:
The fuzz targets, seed corpora, and dictionaries can be found in the
:cpy-file:`Modules/_xxtestfuzz/` directory of CPython. This project
is maintained for existing fuzz targets; add new targets to
python3-libraries. - python3-libraries: The fuzz targets, seed corpora, and dictionaries can be found in the :github:`python/library-fuzzers` repository. Access to the repository is managed through the :gh-python-team:`fuzzers` team on GitHub.
OSS-Fuzz bug reports are private when filed, so access to crash details and
reproducer test cases is limited to those listed in the auto_ccs fields of
the OSS-Fuzz project configuration files. Those listed can log into
https://oss-fuzz.com/ with their Google account to view crash details,
reproducer test cases, and project statistics.
If you need access, contact the :gh-python-team:`fuzzers` team.
Completed issues, and issues that remain unresolved after 90 days, are publicly
visible in the OSS-Fuzz issue tracker.
Coverage and target statistics are available in the OSS-Fuzz Introspector project profiles for cpython3 and python3-libraries.
In addition, CIFuzz
runs the fuzz targets on GitHub Actions for PRs to the main branch changing
relevant files.
.. seealso:: The `libFuzzer <https://llvm.org/docs/LibFuzzer.html>`__ documentation for details about the fuzzing engine used by OSS-Fuzz.
Add new targets to the python3-libraries project. For more
information, see the documentation in the :github:`python/library-fuzzers`
repository.
If the new target covers a standard library module, update the relevant CIFuzz
path configuration so pull requests touching that module trigger fuzzing. See
the LIBRARY_FUZZER_PATHS set in :cpy-file:`Tools/build/compute-changes.py`.